HIPAA Compliance for Medical Practices
72.9K views | +24 today
Follow
 
Scoop.it!

No Exception to HIPAA Privacy Rules, Nurse Learns

No Exception to HIPAA Privacy Rules, Nurse Learns | HIPAA Compliance for Medical Practices | Scoop.it

Ms. P, 45, was a nurse working in the cardiology department of a large hospital. Her duties were varied, and included, among other things, accessing patient medical records to review lab values and other diagnostic tests ordered by physicians, and writing progress notes in patients' charts.

When she was originally hired by the hospital, she was given a lecture from human resources about the importance of patient confidentiality. Ms. P was required to sign an agreement stating that she would protect patient confidentiality by only seeking or obtaining information regarding a patient that was required to perform her duties.

Later, when the U.S. Health Insurance Portability and Accountability Act (HIPAA) went into effect, Ms. P was required to go to another human resources seminar and sign a revised confidentiality agreement.

 

The revised agreement stated that she would not access or view information other than what was required to do her job, and that she would immediately ask her supervisor for clarification if she had any questions about whether information was required for her job.

 

Finally, the agreement contained a section saying that Ms. P acknowledged that violation of the facility's confidentially policy could result in disciplinary action up to and including termination.

Ms. P understood the importance of patient confidentiality and would never look in the records of patients that weren't hers—with two exceptions. Ms. P's mother and sister both had serious chronic conditions that frequently resulted in hospital visits over the years.

 

Ms. P's mother had Parkinson's disease, was on numerous medications, and was prone to falls. Ms. P's older sister, who lived with her, had Down syndrome. Ms. P would periodically look up her mother's and sister's health records on the hospital computer to get information or to access their treatment plans. She didn't see anything wrong with this because it was her own family.

 

One of her colleagues, however, had noticed Ms. P looking at the records on more than one occasion, and anonymously reported her. The hospital's HIPAA compliance officer began an investigation that revealed that Ms. P had accessed her mother's charts on 44 separate occasions and her sister's charts on 28 occasions.

 

When the human resources director confronted her with the results of the investigation, Ms. P admitted that she had accessed the records, but that they were the records of her family members and therefore she didn't see anything wrong with it.

 

“Did you need to access information from their medical records in order to do your job as a clinical affiliate in the cardiology department?” the human resources director asked sternly.

“No,” Ms. P replied. “They were not cardiology patients.”

She was fired that day. Angered by the loss of her job, Ms. P sought the advice of an attorney to see if she could sue the hospital for wrongful termination. The attorney was skeptical.

“HIPAA violations are taken very seriously,” he said. “Did they give you training about patient privacy?”

 

Ms. P admitted that she'd had training.

“Were you asked to sign anything?” the attorney inquired.

“Well, yes,” Ms. P said. “I did sign a confidentiality agreement, and the hospital does have a policy that you could lose your job for violating it. But this was my mother and sister! They don't mind that I looked at their records!”

 

“That's irrelevant,” the attorney said. “It doesn't matter if they are family or not. You still didn't have the right to look at the records. I don't think we have a leg to stand on, unless…” the attorney trailed off, thinking.

 

“How old are you?” he suddenly asked.

When she told him, he smiled. “I think we may have an angle. We can try suing the hospital for age discrimination. We can claim that the privacy violation was merely a pretext to get rid of you – a higher paid experienced nurse – and replace you with a less expensive junior person.”

 

The attorney filed the papers against the hospital. The hospital's attorney promptly filed a motion to dismiss. The court, after reviewing all the facts, dismissed Ms. P's case.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

HIPAA Audits of Covered Entities and Business Associates

HIPAA Audits of Covered Entities and Business Associates | HIPAA Compliance for Medical Practices | Scoop.it

In August, Advocate Health Care Network agreed to pay a $5.55 million settlement with the U.S. Department of Health and Human Services Office for Civil Rights (OCR), for multiple HIPAA violations. In addition, HHS also recently announced a $650,000 resolution settlement against the Catholic Health Care Services of the Archdiocese of Philadelphia.

 

These multi-million dollar penalties should be a warning for all covered entities or business associates.  Especially, with the next phase of audits now underway. During this phase, OCR is reviewing the policies and procedures utilized by covered entities and their business associates to ensure they meet the standards and specifications of the Privacy, Security, and Breach Notification Rules. These will mostly be desk audits. However, there will be some on-site audits conducted as well.

 

The audit process began in May 2016 when OCR audit sent emails to verify entity’s address and contact information. The next step was a pre-audit questionnaire that was used to gather information about the size, type, and operations of the facilities. Those who participate in the desk audits are required to provide a list of their business associates and their contact information. Emails will go out to the chosen business associates, who are expected to respond promptly. The audits are expected to focus heavily on breach responses. If a business associate does not respond within the timeframe, they will be scheduled in January 2017 for the comprehensive audits.

 

Some frequently asked questions regarding audits include:

Who Will Be Audited?

 

Every covered entity and business associate are eligible for an audit, including covered individual and organizational providers of health services; health plans, health care clearinghouses; and a range of business associates of these entities.

 

What is a Business Associate?

Business associates are considered any third-party contractor that performs work or activities on behalf of a healthcare organization or covered entity that involve the use or disclosure of protected health information.  A few examples may include:

  • Example of business associates: lawyer’s working on a case, a medical transcription or medical billing companies, document storage or disposal companies, answering services, software vendors, and consultants, patient safety and accreditation organizations, health information exchanges, etc.)
  • Examples NOT typically considered business associates: an employee, maintenance or repair personnel, a financial or banking institution that only performs payment activities or a janitorial service. 

 

What are Business Associate Agreements?

HIPAA and HITECH require practices to sign a business associate agreement (BA) with business associates that ensures they will protect all patient's PHI. The contract protects personal health information (PHI) by HIPAA guidelines. Business associates can be held accountable for any data breach and penalized for noncompliance.

 

Why are Business Associates Agreements important?

Business associate contracts are not only necessary for staying in compliance; they are crucial for the adequate protection of patient PHI.  The following are HIPAA requirements for business associate agreements:

  1. Establish the permitted and required uses and disclosures of protected health information by the business associate.
  2. Provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law.
  3. Require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule about electronic protected health information.
  4. Require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information.
  5. Require the business associate to disclose protected health information as specified in its contract to satisfy a covered entity’s obligation with respect to individuals' requests for copies of their protected health information, as well as make available protected health information for amendments (and incorporate any amendments, if required) and accountings.
  6. To the extent the business associate is to carry out a covered entity’s obligation under the Privacy Rule, require the business associate to comply with the requirements applicable to the obligation.
  7. Require the business associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule.
  8. At termination of the contract, if feasible, require the business associate to return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity.
  9. Require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information.
  10. Authorize termination of the contract by the covered entity if the business associate violates a material term of the contract.  Contracts between business associates and business associates that are subcontractors are subject to these same requirements. (1)

 

How Will Auditees Be Selected?

OCR is identifying groups of covered entities and business associates that represent a broad range of health care providers, health plans, health care clearinghouses and business associates.  According to HHS, the sampling criteria for selection will include the size of the entity, affiliation with other healthcare organizations, the type of entity and its relationship to individuals, whether an organization is public or private, geographic factors, and present enforcement activity with OCR. OCR will not audit entities with an open complaint investigation or that are currently undergoing a compliance review.

 

What If an Entity Doesn’t Respond to OCR’s Requests for Information?

If an entity does not respond to requests for information from OCR, they will utilize publicly available information about the entity to create its audit pool.  An entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Is it Time for Your Organization to Hit the HIPAA Breach Panic Button? 

Is it Time for Your Organization to Hit the HIPAA Breach Panic Button?  | HIPAA Compliance for Medical Practices | Scoop.it

Indeed, it is. According to the latest statics from the HHS Office of Civil Rights (OCR), 43% of all reported breaches are now caused by hacking or other related information network discrepancies—not to mention those breaches that are the result of impermissible disclosures made by members of the work force.

 

Let’s face it, breaches will happen, especially those related to information systems. When it comes to breaches, most network security experts say it is “when” and not “if.” Regardless of whether the breach is related to the network or some other means such as lost or stolen devices containing ePHI, what is important is having a process in place to deal with it. This includes the ability to conduct an internal investigation to determine the basics such as how the breach was caused, the type of breach, and how many individuals were affected.

 

The HIPAA Breach Notification Rule states that a breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. The exception is when the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the protected health information or to whom the disclosure was made;
  3. Whether the protected health information was actually acquired or viewed; and
  4. The extent to which the risk to the protected health information has been mitigated.

 

So, what is the best way to conduct the breach risk assessment to determine this probability? Start with some type of Breach Notification Risk Assessment Tool which is a decision tree-based process. This will help determine if the breach is reportable. Even if the determination is made that the breach is not reportable, documentation that this assessment was conducted must be maintained.

 

Having a comprehensive breach notification policy is critical. This will save a lot of headaches and layout a process to follow during the period of uncertainty associated with a breach. The policy should state the obvious such as who needs to be notified internally within the organization, who is responsible for conducting the assessment, and what specific notifications need to be made. What is even more important is the actual procedure to implement the policy. Procedures should cover how to undertake the investigation of the breach to cover the who, what, how, and when of the occurrence. If it is a reportable breach, this type of information is required for submitting “Notice of a Breach” to the Secretary of HHS (which technically is delegated to OCR.) When submitting the Notice, one should be prepared to answer a number of questions. This is why it is important that the internal investigation uncover as much information as possible.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

What is required for HIPAA Compliance?

What is required for HIPAA Compliance? | HIPAA Compliance for Medical Practices | Scoop.it

Lots of our visitors ask us “what is required for HIPAA compliance?” Because this is such an important question, we try to direct our visitors to the most trusted sources for HIPAA education. The most important aspect to remember is that a checklist based “solution” is my no means affective. What we do endorse is the ability to use a checklist to understand what aspect of HIPAA you are doing, and to recognize ones you may have looked over or need to address in further detail. We recommend taking a look at Compliancy Group who has two resources for your organization, whether you’re a Covered Entity or a Business Associate. First, we recommend reading and downloading their HIPAA compliance checklist. Or you can register for their HIPAA compliance checklist webinar!

 

Some of the key findings in the checklist highlight Business Associate Agreements, and also help point out the need for more than just a security risk assessment. As many are familiar with there is a need for HIPAA training, but we do appreciate how it points out the need for documentation of training and other attestations.

 

HIPAA Compliance Checklist: What You Need to Know

The divide between what is required for compliance under HIPAA regulation and the misconceptions that healthcare professionals have about being compliant is more extensive than ever. When she was appointed in late 2015, Jocelyn Samuels, director of the Office of Civil Rights (OCR) announced her plan to start on a new wave of audits. Extensively reported upon, these Phase 2 audits are reaffirming that the over $10 million in fines levied against non-compliant Covered Entities (CE’s) and Business Associates (BA’s) seen in 2015 alone is set to become the norm, and perhaps even grow over the coming months.

 

Compliancy Group is here to make sure that you’re not the one being hit with these fines. We’ve compiled this HIPAA checklist to help guide you through some of the most often overlooked components of total HIPAA compliance, and to help ready you for this sweeping new series of audits that OCR has lined up.

 

The HIPAA Compliance Checklist: The Privacy Rule

The HIPAA Privacy & Security Rule is a series of national regulations concerned with safeguarding patients’ PHI and medical records from unauthorized access. It gives patients the primary rights over their own health information. The rule applies to health plans, healthcare clearinghouses, and health care providers that make certain electronic healthcare transactions. These groups are required to have appropriate limitations and conditions on the use and disclosure of PHI.

  • Implement written policies, procedures, and standards of conduct: Ensure that you have written training standards as well as written penalties that employees are informed of in the case of a violation.
  • Have BA agreements in place: When conducting business with a BA, you need to ensure that you have comprehensive, up-to-date agreements in place to protect your firm from liability in the event that a BA breaches HIPAA regulation.
  • Data safeguards: Maintain administrative, technical, and physical safeguards to monitor use or disclosure of PHI.
  • Complaints procedures: Implement procedures where patients can file a complaint to the CE about its HIPAA compliance, and patients must be informed that complaints may also be submitted to HHS.
  • Retaliation and waiver: Retaliation can’t be taken out against a patient who exercises their rights under the Privacy Rule. Patients cannot be made to waive their Privacy Rule rights as a means of obtaining treatment, payment, or enrollment.
  • Documentation and record retention: Records of all privacy policies, privacy practice notices, complaints, remediation plans, and other documentation must be stored and accessible for six years after their initial creation.
  • Privacy personnel: Ensure that an appointed privacy officer is in place to develop and implement the rest of these privacy policies.

 

The HIPAA Compliance Checklist: The Security Rule

The HIPAA Security Rule outlines specific regulations that are meant to prevent breaches in the creation, sharing, storage, and disposal of ePHI. Since its adoption, the rule has been used to manage patients’ confidentiality alongside changing technology. And now, with the growing trends of cloud computing and online and remote document sharing, the protection of ePHI is becoming more important than ever.

 

These safeguards each require different standards that need to be implemented in order to be deemed fully compliant. The legal jargon that surrounds each safeguard and standard can be confusing, so we’ve broken them down into a simple, but comprehensive list below.

 

The HIPAA Security Rule Checklist: Administrative Safeguards

Administrative safeguards should be in place to establish policies and procedures that employees can reference and follow to ensure that they’re maintaining compliance. Each of these standards should be documented as a written policy, accessible to all employees so that they understand the necessary steps they should be taking to maintain patients’ confidentiality.

Standard 1. Security Management Process

 

  • Risk Analysis should be done to assess confidentiality of ePHI
  • Risk Management measures should be implemented to assess potential breaches in ePHI
  • Sanction Policies should be extended to employees who fail to comply with policies and procedures
  • Information System Activity Reviews should be in place so that system activity is regularly monitored

Standard 2. Assigned Security Responsibility

  • Security Responsibility should be assigned to an employee who can regularly monitor, develop, and maintain privacy policies and procedures

Standard 3. Workforce Security

  • Employees who are meant to deal with ePHI should undergo Authorization and Supervision
  • Workforce Clearance Procedures should govern who is and isn’t allowed access to ePHI
  • Termination Procedures should be in place so that employees who have left a practice can no longer have access to ePHI that they’ve previously had access to

Standard 4. Information Access Management

  • Clearinghouses that are part of larger organizations need to have properly Isolated Access to ePHI
  • Employees should be given Access Authorization depending on whether or not their role requires that they handle ePHI
  • Access to ePHI should be governed by strict rules for when and how it is granted, Established, or Modified

Standard 5. Security Awareness and Training

  • Security Reminders should be regularly communicated
  • Protection from Malicious Software should be a priority to prevent ePHI from being compromised
  • Log-in Monitoring should be in place to detect any unauthorized access to ePHI
  • Password Management should be implemented for creating, changing, and protecting employees’ passwords

Standard 6. Security Incident Procedures

  • Breaches and their ramifications need to have documented Response and Reporting procedures

Standard 7. Contingency Plan

  • Data Backup Plan is required to ensure that there are ways to retrieve ePHI that has been lost because of a malfunction or a breach
  • Disaster Recovery Plans should be in place to ensure that any lost ePHI can be fully restored
  • Emergency Mode Operation Plans should be established so that employees can properly access and handle ePHI, while maintaining privacy, in the event of an emergency
  • Contingency procedures should be Tested and Revised on an ongoing basis to address faults or flaws
  • Contingency procedures should be go through Applications and Data Criticality Analysis to ensure that contingency plans are as streamlined as possible

Standard 8. Evaluation

  • The technical and non-technical elements of ePHI security should be regularly Evaluated, particularly when moving offices or changing operations

Standard 9. Business Associate Contracts and Other Arrangements

  • Written Contracts or Other Arrangements need to document that BAs will comply with all ePHI security measures.

 

The HIPAA Security Rule Checklist: Physical Safeguards

Physical safeguards should guide the creation of policies and procedures that focus on protecting electronic systems and ePHI from potential threats, environmental hazards, and unauthorized intrusion. And as is the case with administrative safeguards, each of these standards should be documented as a written policy, accessible to all employees so that they understand the necessary steps they should be taking to maintain patients’ confidentiality.

Standard 1. Facility Access Controls

  • Procedures should be in place to establish Contingency Operations plans that allow access to the physical office and stored data in the event of an emergency
  • Facility Security Plan needs to be well established to protect equipment that stores ePHI from unauthorized access and theft
  • Access Controls and Validation Procedures should govern when, how, and to whom access to equipment is granted
  • Maintenance Records should document modifications to the physical facility such as renovations or changing doors or locks

Standard 2. Workstation Use

  • Workstation Use policies need to specify the use, performance, and physical attributes of equipment and workstations where ePHI is accessed

Standard 3. Workstation Security

  • Workstation Security should entail physical safeguards that govern who can access workstations and equipment where ePHI is accessible

Standard 4. Device and Media Controls

  • Disposal of hardware or equipment where ePHI has been stored needs to be strictly managed
  • Policies should be in place to determine how and when ePHI should be removed from equipment or electronic media before Re-use
  • Hardware and equipment that has access to ePHI should be Accountable and, if necessary, tracked
  • Data Backup and Storage procedures should entail the creation of exact copies of ePHI

 

The HIPAA Security Rule Checklist: Technical Safeguards

Technical safeguards are the last piece of the Security Rule. They’re meant to provide written, accessible, policies and procedures that monitor user access to systems that store ePHI.

Standard 1. Access Control

  • Employees should be granted Unique User Identification in the form of a username or ID number that can be used to identify and track system usage
  • Procedures should be in place that determine Emergency Access protocols and authorization
  • Systems that store ePHI should be built with an Automatic Logoff function after inactivity
  • Encryption and Decryption methods should be built into systems that store ePHI

Standard 2. Audit Controls

  • Audit Controls must regularly monitor, record, and store system usage and ePHI access

Standard 3. Integrity

  • In order to ensure that ePHI hasn’t been accessed, altered, or destroyed without authorization, a Mechanism to Authenticate ePHI should be built into the system

Standard 4. Person or Entity Authentication

  • Person or Entity Authentication needs to be in place to ensure that only authorized employees or users have access to certain data and ePHI

Standard 5. Transmission Security

  • Any ePHI that is transmitted electronically needs to be protected by Integrity Controls to ensure that it hasn’t been modified in the process
  • Any stored ePHI should be Encrypted
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

New HIPAA requirements target unsecured protected health information

New HIPAA requirements target unsecured protected health information | HIPAA Compliance for Medical Practices | Scoop.it

The American Recovery and Reinvestment Act of 2009, signed by President Barack Obama in February, modified the Health Insurance Portability and Accountability Act (HIPAA). In particular, the Health Information Technology for Economic and Clinical Health Act (HITECH) sets forth new requirements relating to business associates and notification of patients regarding breaches of unsecured protected health information. The new regulation covers breaches that occur after September 23, 2009.

 

Before HITECH, a covered entity, that is, a physician's office, hospital, clinic, etc.—only was required to mitigate the effects of an unauthorized disclosure, which may or may not have included notifying the patient Now, except for certain limited exceptions, a covered entity is required to notify a patient of an unauthorized disclosure of unsecured protected health information if a significant risk of "financial, reputational, or other" harm exists.

 

It is important to note that notification is only required for unsecured protected health information, not secured protected health information. The Department of Health and Human Services (HHS) issued guidance on what constitutes "secured" protected health information in April, stating that information is deemed secured if rendered "unusable, unreadable, or indecipherable" to unauthorized individuals.

 

To determine whether a "significant risk of harm" exists, the covered entity should consider what information was disclosed, to whom the information was disclosed, and what steps have been taken to eliminate or reduce the risk to the individual.

 

Any notification to the patient must include a brief description of what happened and the type of protected health information disclosed, any steps the patient should take to protect himself or herself, what the covered entity is doing to investigate and mitigate the breach, and information concerning who to contact for additional information. Any required notification must occur without unreasonable delay but no more than 60 days after the breach is discovered or should have been discovered with the exercise of reasonable diligence.

 

Notification must be in writing by mail (or by phone in urgent cases) or electronic means if the patient has consented to electronic notification. Also, specific rules exist regarding what to do if patients cannot be located. If a breach involves more than 500 patients—for instance, the loss of a laptop containing unsecured protected health information, then local media outlets must be notified. In addition, the HHS secretary must be notified—immediately for breaches involving more than 500 patients and annually for others.

 

With the new regulations, the knowledge of a covered entity's agents, including business associates, is imputed to the covered entity. Therefore, the clock for notifying patients could begin to run before the covered entity actually is aware of the disclosure. New agreements may be required, and education of business associates is important, to ensure that they are aware of these requirements and that they indemnify your practice if they fail to comply with the new rules and notify you promptly of any breach of protected health information.

 

The burden to disclose the breach or establish that no risk of harm to the patient exists is on the covered entity, even if the breach was the fault of one of its agents. A decision not to notify a patient because the covered entity does not believe that a significant risk of harm exists should be carefully investigated and documented.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Compliance for Medical Practices

HIPAA Compliance for Medical Practices | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA Compliance and Technology
HIPAA compliance is a vital part of any medical practice, especially as technology continues to advance. It is more important than ever that medical practices are safeguarding their protected patient health information (PHI). This is especially important for medical practices that work with partners to handle any of their sensitive information, such as billing or patient calls.

 

HIPAA Compliance Across the Care Continuum
New advances in technology allow the healthcare industry to be more efficient. Organizations can store and share data more easily through systems like electronic medical records (EMRs) software. Unfortunately, this created the side-effect of making patient data vulnerable in new ways.

 

Medical practices should be ready to look for HIPAA compliance anywhere their data goes. It’s important for medical practices to evaluate the risks to data exposure and take the appropriate documented steps to protect it. This includes vetting any partner exposed to or directly handling PHI.

 

What Information is Protected?
Under the Privacy Rule, all information that can be used to individually identify someone is protected. Protection occurs no matter what form the information takes. This information can include all historical data on a patient’s condition, what health care they’ve received, any billing information, and anything else that can reasonably be used to identify someone. This, of course, includes the expected information such as name, address, date of birth, etc.

 

The Privacy Rule leaves a little room for interpretation, so it’s best to protect all of the information you have on your patients to be safe.

 

Staying Adaptive and Vigilant
Technology continues to march forward with new innovations seemingly every day. It’s important to be able to understand how to utilize new security advances as well as the risks associated with new technology.

 

To stay HIPAA compliant you must always be vigilant to adapt and make changes in accordance with any new risks, whether from the technology you use or otherwise. This means it can be difficult to find a partner to trust for services such as an answering service, scheduling service, data storage, etc. Partners have to invest to become HIPAA compliant, with the right systems, training and more. Not every company is going to be able to, or willing to, make that investment.

 

What HIPAA Means for Your Partnerships
All authorized users of protected health information must be HIPAA compliant. This means that any of your partners that are authorized to handle your patient data must be compliant as well. They have to be just as vigilant as you and understand the intricacies of each regulation.

 

You need partners that don’t just offer HIPAA compliant services and products, but understand it and can help you proactively protect data and prevent fines. Establishing processes to vet your partners is key. Factors to account for in a partner can include but are not limited to: ensuring they provide a business-to-business agreement that outlines compliance measures, and that they place a concerted effort on mandatory, continuing education for all team members exposed to patient data, not just team members handling the data.

 

For additional information on HIPAA regulations HHS has provided a summary of the Security Rule.

 

HIPAA Compliance in Answering Services
An answering service is going to handle some of your patient’s most important data and be exposed to information such as their appointment types, personal/identifying information, diagnoses and more. They are also storing and conveying information to your practice, so it’s vital that they have the systems to meet the safety requirements and the ability to store data for the appropriate amount of time.

 

When looking for any partner, make sure that they have taken the steps required to be HIPAA compliant in advance so they don’t leave your patients’ data at risk and your organization accountable.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Privacy Complaint Results in Federal Criminal Prosecution for First Time

HIPAA Privacy Complaint Results in Federal Criminal Prosecution for First Time | HIPAA Compliance for Medical Practices | Scoop.it

For the first time, a HIPAA privacy complaint filed with the Department of Health and Human Services’ Office for Civil Rights (OCR) has resulted in federal criminal prosecution.

 

A complaint was filed with OCR over an impermissible disclosure of a patient’s protected health information by a doctor. The doctor, Richard Alan Kaye of Suffolk, Va., was alleged to have shared PHI with the patient’s employer without consent from the patient – A violation of the HIPAA Privacy Rule.

 

The case against Kaye has been referred to the Department of Justice, which has pressed charges. While OCR has referred more than 500 HIPAA violation cases in the past, this if the first time that an investigation of a privacy complaint has resulted in criminal prosecution.

 

Kaye had previously worked at Sentara Obici Hospital in Suffolk, Va., as Medical Director of its Psychiatric Care Center. The patient had been enrolled in a mental health treatment program at the hospital and Kaye treated and subsequently discharged the patient. On discharge, Kaye stated that the patient was not a threat to the public.

 

Federal prosecutors allege Kaye shared PHI with the patient’s employer “under the false pretenses that the patient was a serious and imminent threat to the safety of the public, when in fact he knew that the patient was not such a threat.”

 

While it was previously possible for egregious HIPAA violations to result in criminal prosecutions for HIPAA covered entities, filing charges against individuals was problematic. When individuals were discovered to have violated the privacy of patients, and the violations warranted criminal prosecution, it was necessary to file charges under the aiding and abetting theory – The abuse of an individual’s position to violate HIPAA Rules.

 

However, the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act) provided further clarification on criminal prosecutions for HIPAA violations, and made the process of prosecuting individuals for HIPAA privacy violations more straightforward.

 

If cases are investigated and OCR determines HIPAA Rules have been violated by covered entities, the cases are typically resolved by OCR, often via settlements. However, if individuals are alleged to have violated HIPAA Rules, criminal penalties may be appropriate. In such cases, OCR can refer the cases to the Department of Justice, the federal attorney general, and/or state attorneys general to pursue criminal charges against those individuals.

 

While criminal cases have been filed against individuals who violated HIPAA Rules and impermissibly disclosed PHI, the uncertainty of pursuing cases against individuals prior to the passing of the HITECH Act dissuaded federal prosecutors from pursuing cases. Since the HITECH Act was passed, there have been referrals of cases, although this is understood to be the first time that the Department of Justice has actively pursued criminal charges against an individual following the referral of a privacy complaint by OCR.

 

There is no private cause of action in HIPAA. While private citizens can file complaints with the OCR over alleged violations of HIPAA Rules, they are not permitted to file lawsuits against covered entities for HIPAA violations. The lack of criminal penalties for HIPAA violations may have dissuaded patients from filing complaints. Now the Department of Justice is taking action against an individual for an egregious HIPAA privacy violation, it may encourage more patients to file complaints with OCR.

 

This DOJ case shows federal authorities are now taking HIPAA Privacy Rule violations much more seriously. OCR is also training state attorneys general on HIPAA enforcement. After state attorney generals have received training, it is expected they too will take a more aggressive stance against covered entities that have violated the privacy of state residents.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Sees Meritus Medical Center Stop Media Announcements

HIPAA Sees Meritus Medical Center Stop Media Announcements | HIPAA Compliance for Medical Practices | Scoop.it

Meritus Medical Center is one of a number of hospitals that has stopped issuing information about patient conditions to the media. The hospital announced on September 22 that this courtesy would be stopped.

 

The Health Insurance Portability and Accountability Act places certain restrictions on the disclosure of Protected Health Information to third parties, including the media. Just a few years ago, reporters would be able to call a healthcare provider to make an enquiry about the health status of a patient.

 

The hospital staff would provide general information about a particular patient’s condition if they were asked about a patient by name. The information disclosed would be restricted, so reporters would be advised for instance, that a patient was good, fair, stable or in critical condition.

 

Under HIPAA Rules this information may be disclosed to the media; however it is not mandatory for a hospital or healthcare provider to give out any information, except when it is in the public health interest to do so or if required by law enforcement officers to assist with an investigation.

 

HIPAA Rules See Patient Privacy Improved
Since the HIPAA Privacy Rule is now being enforced, and covered entities can face considerable fines for violations of the Rules covering the disclosure of PHI, many hospitals have now taken the decision to stop releasing any information on patients. They see it as a measure that will improve privacy and help avoid any inadvertent HIPAA violations.

 

In the case of Meritus Medical Center it was not only the risk of HIPAA violations, but the policy was changed to improve privacy standards for patients. Meritus Communications Manager, Nicole Jovel, said in a media announcement “In conversations with clinicians and administrators, we determined we needed to really increase the level of privacy we were providing.”

 

A Patient’s Status can Rapidly Change
There are also problems with such a simple classification of status and providing information when it is likely to change. Patients may slip from serious to critical, or may improve from one day to the next. It would not be fair to report a condition, if that information may be incorrect just a few hours later. In the case of newspapers which are printed the following day, they may contain inaccurate information before they even hit consumers’ doorsteps.

 

Patient Safety is a Major Consideration
Then there is the issue of confirming the identity of the caller, which in often impossible. The hospital treats numerous victims of domestic violence, and Jovel pointed out that the staff cannot be sure if they are giving information to an abusing partner.

The problem faced by Meritus is typical. There are too many variables to consider, and in a busy healthcare setting it is too easy for mistakes to be made. Ultimately those mistakes could prove detrimental to patients and the decision is made to stop issuing all reports to the media.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
Scoop.it!

Do HIPAA Rules Create Barriers That Prevent Information Sharing?

Do HIPAA Rules Create Barriers That Prevent Information Sharing? | HIPAA Compliance for Medical Practices | Scoop.it

The HHS has drafted a Request for Information (RFI) to discover how HIPAA Rules are hampering patient information sharing and are making it difficult for healthcare providers to coordinate patient care.

 

HHS wants comments from the public and healthcare industry stakeholders on any provisions of HIPAA Rules which are discouraging or limiting coordinated care and case management among hospitals, physicians, patients, and payors.

 

The RFI is part of a new initiative, named Regulatory Sprint to Coordinated Care, the aim of which is to remove barriers that are preventing healthcare organizations from sharing patient information while retaining protections to ensure patient and data privacy are protected.

 

The comments received through the RFI will guide the HHS on how HIPAA can be improved, and which policies should be pursued in rulemaking to help the healthcare industry transition to coordinated, value-based health care.

 

The RFI was passed to the Office of Management and Budget for review on November 13, 2018. It is currently unclear when the RFI will be issued.

 

Certain provisions of HIPAA Rules are perceived to be barriers to information sharing. The American Hospital Association has spoken out about some of these issues and has urged the HHS to take action.

 

While there are certainly elements of HIPAA Rules that would benefit from an update to improve the sharing of patient health information, in some cases, healthcare organizations are confused about the restrictions HIPAA places on information sharing and the circumstances under which PHI can be shared with other entities without the need to obtain prior authorization from patients.

 

The feedback HHS is seeking will be used to assess what aspects of HIPAA are causing problems, whether there is scope to remove certain restrictions to facilitate information sharing, and areas of misunderstanding that call for further guidance to be issued on HIPAA Rules.

 

HIPAA does permit healthcare providers to share patients’ PHI with other healthcare providers for the purposes of treatment or healthcare operations without authorization from patients. However, there is some confusion about what constitutes treatment/healthcare operations in some cases, how best to share PHI, and when it is permissible to share PHI with entities other than healthcare providers. Simplification of HIPAA Rules could help in this regard, as could the creation of a safe harbor for good faith disclosures of PHI for the purposes of case management and care co-ordination.

 

While the HHS is keen to create an environment where patients’ health information can be shared more freely, the HHS has made it clear is that there will not be any changes made to the HIPAA Security Rule. Healthcare providers, health plans, and business associates of HIPAA-covered entities will still be required to implement controls to ensure risks to the confidentiality, integrity, and availability of protected health information are managed and reduced to a reasonable and acceptable level.

 

In addition to a general request for information, the HHS will specifically be seeking information on:

 

The methods of accounting of all disclosures of a patient’s protected health information
Patients’ acknowledgment of receipt of a providers’ notice of privacy practices


Creation of a safe harbor for good faith disclosures of PHI for purposes of care coordination or case management
Disclosures of protected health information without a patient’s authorization for treatment, payment, and health care operations
The minimum necessary standard/requirement.


While the RFI is likely to be issued, there are no guarantees that any of the comments submitted will result in HIPAA rule changes.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

How to Comply with HIPAA

How to Comply with HIPAA | HIPAA Compliance for Medical Practices | Scoop.it

The Health Insurance Portability and Accountability Act (HIPAA) was created in 1996 to protect patients' health information. Since its inception, health care providers have struggled with the need to protect patient privacy, share information, and keep paper work under control.


“When HIPAA came out, everyone was so afraid of penalties … but a lot of it was a reasonable recognition of patients' privacy that was already occurring in 99.9% of the cases,” said L. Lee Hamm, MD, Professor of Medicine and Executive Vice Dean at Tulane University School of Medicine in New Orleans.

 

“It added a lot of administrative burden and … it introduced a few things to make certain that people didn't inadvertently do something they shouldn't do.”

 

Electronic information


A part of HIPAA with which specialists in particular are concerned is sharing information among other health care providers. Entities covered under HIPAA are allowed to share private information with other health care professionals for the purposes of treatment, payment, and operations.

 

But Heinold said there are often delays during this process that can negatively impact quality of care and increase liability. This can occur when providers unnecessarily request patients' consent.

 

One of the most efficient ways to communicate among providers is via electronic communication. HIPAA was amended in 2009 to encompass the use of electronic health records with the Health Information Technology for Economic and Clinical Health (HITECH) Act.

 

Fresenius staff is increasingly receiving communication about patients electronically through mediums such as text and instant messaging, Heinold said. While this can facilitate exchange of records, it also comes with inherent risks. Fresenius trains staff to provide the minimum necessary information when texting about patients.

 

Louis Liou, MD, Chief of Urology at Cambridge Health Alliance, said his organization's biggest HIPAA concerns relate to electronic information. To comply, Cambridge ensures that all physicians with smart phones have them password protected and that their e-mail is secure.

 

Cambridge physicians try to avoid texting patient information when possible, but if they must, they do not use any patient identifiers in the text messages.

 

“There are a lot of pitfalls that could potentially happen,” Dr. Liou said. “Thumb drives have given way to Cloud issues. I think potentially there can always be problems – no matter how failsafe you make the system, there is always human error.”

 

Dialysis settings


Another concern is the communal open-floor nature of some clinical settings, as is often the case in dialysis centers, which may make it difficult to protect patient privacy. Still, training staff and implementing privacy procedures can go a long way to meeting HIPAA requirements.

 

Rosemary Heinold, Director of Communications for Fresenius Medical Care North America, a dialysis services provider and manufacturer of peritoneal and hemodialysis machines and equipment, said their organization has a handful of practices that help them comply with HIPAA.

 

Although patients are examined on the dialysis floor, Fresenius clinics also offer private examination rooms. Patients are never required to be examined in an open setting and may request a private room for physician consultations.

 

Like most providers, Fresenius staff gives patients a notice of privacy rights, which individuals must sign. They also post a notice of their privacy practices at all treatment sites.

 

Fresenius providers also work by the “minimum necessary” rule. The staff only shares the least amount of information necessary with patients on the clinic floor, particularly when others are within earshot.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

No Exception to HIPAA Privacy Rules, Nurse Learns

No Exception to HIPAA Privacy Rules, Nurse Learns | HIPAA Compliance for Medical Practices | Scoop.it

Ms. P, 45, was a nurse working in the cardiology department of a large hospital. Her duties were varied, and included, among other things, accessing patient medical records to review lab values and other diagnostic tests ordered by physicians, and writing progress notes in patients' charts.

When she was originally hired by the hospital, she was given a lecture from human resources about the importance of patient confidentiality. Ms. P was required to sign an agreement stating that she would protect patient confidentiality by only seeking or obtaining information regarding a patient that was required to perform her duties.

Later, when the U.S. Health Insurance Portability and Accountability Act (HIPAA) went into effect, Ms. P was required to go to another human resources seminar and sign a revised confidentiality agreement.

 

The revised agreement stated that she would not access or view information other than what was required to do her job, and that she would immediately ask her supervisor for clarification if she had any questions about whether information was required for her job.

 

Finally, the agreement contained a section saying that Ms. P acknowledged that violation of the facility's confidentially policy could result in disciplinary action up to and including termination.

Ms. P understood the importance of patient confidentiality and would never look in the records of patients that weren't hers—with two exceptions. Ms. P's mother and sister both had serious chronic conditions that frequently resulted in hospital visits over the years.

 

Ms. P's mother had Parkinson's disease, was on numerous medications, and was prone to falls. Ms. P's older sister, who lived with her, had Down syndrome. Ms. P would periodically look up her mother's and sister's health records on the hospital computer to get information or to access their treatment plans. She didn't see anything wrong with this because it was her own family.

 

One of her colleagues, however, had noticed Ms. P looking at the records on more than one occasion, and anonymously reported her. The hospital's HIPAA compliance officer began an investigation that revealed that Ms. P had accessed her mother's charts on 44 separate occasions and her sister's charts on 28 occasions.

 

When the human resources director confronted her with the results of the investigation, Ms. P admitted that she had accessed the records, but that they were the records of her family members and therefore she didn't see anything wrong with it.

 

“Did you need to access information from their medical records in order to do your job as a clinical affiliate in the cardiology department?” the human resources director asked sternly.

“No,” Ms. P replied. “They were not cardiology patients.”

She was fired that day. Angered by the loss of her job, Ms. P sought the advice of an attorney to see if she could sue the hospital for wrongful termination. The attorney was skeptical.

“HIPAA violations are taken very seriously,” he said. “Did they give you training about patient privacy?”

 

Ms. P admitted that she'd had training.

“Were you asked to sign anything?” the attorney inquired.

“Well, yes,” Ms. P said. “I did sign a confidentiality agreement, and the hospital does have a policy that you could lose your job for violating it. But this was my mother and sister! They don't mind that I looked at their records!”

 

“That's irrelevant,” the attorney said. “It doesn't matter if they are family or not. You still didn't have the right to look at the records. I don't think we have a leg to stand on, unless…” the attorney trailed off, thinking.

 

“How old are you?” he suddenly asked.

When she told him, he smiled. “I think we may have an angle. We can try suing the hospital for age discrimination. We can claim that the privacy violation was merely a pretext to get rid of you – a higher paid experienced nurse – and replace you with a less expensive junior person.”

 

The attorney filed the papers against the hospital. The hospital's attorney promptly filed a motion to dismiss. The court, after reviewing all the facts, dismissed Ms. P's case.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Strategies for Measuring HIPAA Compliance Efforts

Strategies for Measuring HIPAA Compliance Efforts | HIPAA Compliance for Medical Practices | Scoop.it

About 40% of large health care organizations do not take the time to measure how well their HIPAA compliance measures are working, according to Brian Wells, Chief Technology Officer of the cybersecurity firm Merlin International, headquartered in Vienna, Virginia. Most are unaware if they have thwarted cyberattacks, blocked malicious emails or kept staff from releasing inappropriate information.

 

“If they can't report that to the board, then they may stop giving them money to do more,” Wells said.

 

Measuring an organization's HIPAA strategy can be challenging. It is difficult to know if efforts to thwart cyberattacks have actually prevented breaches. “When ransomware like WannaCry comes out, it may be possible to say you protected yourselves,” he said. “If nothing bad has happened in a while, you can assume you are either doing a good job or just haven't been a target.”

 

How are providers supposed to measure HIPAA compliance effectiveness? Here are a few strategies for determining if an organization is on the right path using both internal and external resources.

 

A human touch
Wells works with hospitals now, but when he was on the medical practice side, his group performed annual testing on HIPAA regulations. The test was not hard, but everyone in the practice had to pass it. This not only lets a provider know where education is slipping through the cracks, but also provides a paper trail to point to should a practice get audited.

 

Adam Greene, a partner with Seattle-based Davis Wright Tremaine, also recommends informal testing to make sure people

 

understand their obligations under HIPAA. For example, the person in charge of HIPAA security can make a checklist to ask staff that includes questions like: “If someone wants to see something in their medical record, how would you respond?” Staff should know the patient has a right to records and the process involved in turning them over, be it filling out a form or directing the patient to the staff member who handles requests.

 

Another option is to assign an individual who would be accountable for walking around an office to ensure protected health information is secured properly. A few points to include would be ensuring computers are not facing toward patients; locked cabinets do not have the key hanging next to them; and people are logging out when they leave their computers.

“There could be a 10- to 20-question checklist and they can use it to see how they are doing and compare it over time,” said Marti Arvin, Vice President of Audit Strategy for CynergisTek, which is headquartered in Mission Viejo, California.

 

Arvin said an internal audit can be used to make sure staff members know where privacy policies are and that they are understood; whether all patients at their initial visit are provided with notices of privacy procedures; and if all of the staff members are receiving HIPAA training as they should.

 

Technology testing
Because health IT is constantly under attack, it would be difficult, expensive, and “voluminous” to show all of the attacks an organization has defended against, Greene said.

One option instead is to perform vulnerability scanning on a regular basis to examine if a system has unpatched software or other vulnerabilities. Another good practice is a phishing test. Here, an organization generates its own malware link and sends it to staff to see if anyone clicks.

 

Wells said an IT department can put in place a program that will check to see that people are only doing what they are supposed to be doing with their devices. It can also detect unmanaged devices that appear in the system. Electronic audit logs can be monitored to ensure people are not abusing their access.

 

Encryption is a must-have under HIPAA, and Greene said the best way to look at it is demonstrating that laptops are encrypted and will remain that way. For instance, someone with administrative rights can turn off encryption if they choose. But technical measures can be used to limit someone's ability to turn it off and to maintain compliance.

 

“Those things are really more to let you know how compliant you think you are,” Wells said. “For a full security audit, you are typically going to have to hire out.”

Keep it simple


Most physician practices are “dramatically under-resourced” in HIPAA staffing, Greene said. “The office administrator might be the privacy officer and maybe the security officer, too,” he said. “That is a lot of responsibilities, so providers need to give it some thought … and be careful about laying [extra responsibilities] on an office administrator who doesn't have enough time to do their regular job.”

 

Some of these auditing duties may need to be spread throughout an organization or hired out, but practices need to have an individual who is held accountable for auditing HIPAA policies. “There should be some oversight,” Arvin said. “Lots of practices give the title of security officer, but don't give resources or educate them on the responsibilities of overseeing the program.”

Greene also recommends making this a long-term endeavor. Instead of trying to look at all areas of compliance at once, he recommends starting with places where an office has had problems, where similar practices have had settlements, or where the Office for Civil Rights offers guidance.

 

For example, an individual responsible for HIPAA compliance might first spend some time ensuring staff members are providing patients with access to their records and if they are charging the right amount for them. Then he or she could move to other areas, such as disclosure of privacy practice guidelines.

“You can ultimately look at different regulatory requirements and create a master plan for how you are going to audit them,” he said. “Prioritize some immediately and others next year or the year after because they are seemingly lower risk.”

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Important HIPAA Compliance Issues in 2018

Important HIPAA Compliance Issues in 2018 | HIPAA Compliance for Medical Practices | Scoop.it

As 2018 gets underway, experts offer advice on some important issues related to HIPAA compliance. One issue is patient access to medical records. Kathy Downing, vice president of information governance and standards at the American Health Information Management Association, said her organization receives many complaints from patients who have issues receiving medical information even though right of access has been in place since 2003.This area is what Downing calls “super low-hanging fruit on the HIPAA tree.” If patients request records, there is no need to make them wait 30 days. If the records are stored electronically, practices should allow patients to receive their information in that format.

 

“The reason this is important is because in a lot of the cases, patients may be seeing multiple providers for chronic conditions, and having their chart allows them to be more engaged in their care,” she said. “It's an important patient right, and important for population health and patient engagement.”

 

By giving patients their records, providers are also allowing them to do a quality review to ensure their information is correct. Electronic medical records commonly contain errors, mainly because of copying and pasting of data, Downing said.

 

If physicians are uncomfortable talking with patients about information in their charts, she recommends that practices appoint a nurse who can deal with patient queries. Portals can also be a good resource to guide patients through their information. If someone has been diagnosed with prediabetes, for instance, a portal can provide links to trusted online sources that can answer patient questions.

 

Increased enforcement?


Another HIPAA-related question facing medical practices this year is the Office for Civil Rights (OCR) approach to HIPAA enforcement. Michael Bossenbroek, a partner at Wachler & Associates, P.C. in Royal Oak, Michigan, listened to remarks at a HIPAA conference last fall from the new OCR director. OCR might be striking a different tone as a new administration takes the reins. “How they balance the objectives of education and compliance with enforcement remains to be seen,” Bossenbroek said.

 

The OCR director gave no specifics, Bossenbroek said. Whatever approach emerges from OCR, as before, providers need to ensure they have the basics completed, with a risk analysis performed and solid policies and procedures in place.

 

Chris Apgar, CEO and president of Apgar & Associates LLC, in Portland, Oregon, said OCR has made it clear there will be continued enforcement activity in the coming years. No one is immune from them, he said. He recently worked with a small entity that had their wrists slapped by OCR. He helped them prepare a response, and when they failed to follow through with their plan, he had to mediate between the organization and OCR.

 

“If you respond to OCR in an appropriate and timely manner and follow through, they go away,” he said. “If you don't, they stick around. They are not going away.”

 

Shortage of security talent


Health care organizations will continue to face a shortage of information technology (IT) security talent in 2018, Apgar said. A report released this past summer by the US Department of Health and Human Services found that 3 out of 4 hospitals do not have a designated information technology (IT) security professional.

 

Larger organizations are better able than small groups to afford hiring IT talent, which can be expensive, Apgar said. But smaller organizations, which often delegate IT security to office staff who are already busy with other tasks, have options. Apgar recommends looking for students graduating from information security programs and bringing them on board as interns. Small groups do not require the same kinds of security setup that a Cleveland Clinic or Kaiser might need, and young individuals can help build and run systems. Organizations can grow a position with them when they are new in the field, although these individuals could leave when they become seasoned and expect a higher salary.


Vendors


With OCR increasingly scrutinizing and auditing business associates, it is important for practitioners to ensure their vendors are compliant. Apgar said the vendors he works with are increasingly motivated to do this for fear of losing customers. These customers – health care practitioners – are demanding proof of compliance.

 

To better understand a vendor's compliance, providers can request policies and procedures and ask to see their risk analysis and any other pertinent documentation. Some ask that vendors fill out a security questionnaire. Others go even further. Groups like Apgar's company can act as a third party to conduct a risk assessment, then attest in writing that a vendor has either mitigated or accepted risks found in the analysis.

 

New tools


It used to cost anywhere from $75,000 to $100,000 for a tool that would automatically monitor audit logs and send alerts if an anomaly is found for a hospital or larger clinic, Apgar said. Over the past couple of years, new options have hit the market that lowered the cost to $35,000 or less, which is a game changer for HIPAA compliance, he said.

 

“As more technology becomes affordable, there is a higher likelihood that regulatory bodies will push back and say providers have to use it,” Agar said. “If a hospital is generating and not regularly reviewing audit logs, they will look negligent to regulators.”

 

Technology tends to move with the needs of the market. For instance, as cyber crime has become increasingly prevalent, tools have been developed and marketed to prevent attacks. Some tools look both internally and externally in a network to see if unusual behavior is occurring, and sends an alert if any anomaly is found.

 

Keeping track of technology as it becomes more affordable is not always simple. Apgar said providers can look at IT newsletters and check with their state associations to stay atop of new and affordable tools coming on the market.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004

more...
No comment yet.
Scoop.it!

Case Management and HIPAA information

Case Management and HIPAA information | HIPAA Compliance for Medical Practices | Scoop.it

An employee of the Iowa’s Mahaska County government alleged that another employee committed a HIPAA violation when she locked a member of the public inside a building where files containing PHI were stored unsecured, the Oskaloosa News reported.

 

Kim Newendorp, general assistant director for Mahaska County, told the Board of Supervisors this month that a fellow county employee had locked a member of the public in the Annex Building and left that person alone in the facility.

 

“This person was waiting for me, but in doing so, she left all of the case management confidential and HIPAA information unlocked and accessible to that person. This is a HIPAA violation,” Newendorp told the board.

 

Newendorp said she notified her boss, one of the board members, about the incident but received no response. She then spoke with the county’s chief privacy officer, Jim Blomgren, who passed information about the incident on to the company that handles human resources for the county. No action was taken.

 

Newendorp said that she filed an official grievance with the Board of Supervisors, who passed it onto Blomgren, who then passed it on to the HR people, again with no result.

 

“I’m disappointed this situation has not been handled,” she told the board. “Especially due to the importance of HIPAA. The state DHS official has come forward to say that this situation is an issue, and yet nothing has been done.”

 

“I understand this topic may not be as important to you as roads, 911, and the airport, but I can tell you that the people’s right to have their personal information locked and secured is important to the hundreds of past clients of Mahaska County Case Management, and their families and myself.”

 

Willie Van Weelden, chairman of the Mahaska County Board of Supervisors, said he took action at the time, but declined to say what he specifically did to address Newendorp’s concerns.

Oskaloosa News asked Blomgren to comment on Newendorp’s testimony. “Since the comments of the employee at the meeting of the Board of Supervisors involves personnel issues and alleged HIPAA infractions I do not believe I am at liberty to discuss them,” he responded.

 

“I think in most counties, the board of supervisors, you would never do an investigation into HIPAA. You would never do a human resources investigation. No county I know of would have their board do that,” Paul Greufe of PJ Greufe & Associates told Oskaloosa News.

 

Greufe said that most counties hire professional services such as his to do the HR work and would direct those people to start an investigation. “And so that was the process that was followed to the letter.”

SIMILAR INCIDENT IN BOSTON RESULTS IN OCR REPORT

The incident alleged by Newendorp is similar to one that occurred at the Boston Healthcare for the Homeless Program (BHCHP) earlier this year. In that case, someone was not let into the facililty unattended but broke in.

 

There was unsecured PHI in the facility, but no evidence that the PHI was viewed by the intruder. Still, BHCHP did notify people affected about the incident and reported it to OCR. 

 

The unsecured PHI included handwritten staff notes, printed patient lists, referral forms, and insurance/benefits applications. BHCHP told OCR that 861 individuals were affected by the breach.

BHCHP said it conducted an internal investigation that included a search of the clinic to which the intruder would have had access and interviews with clinic and shelter staff.

 

The program also ensured that the clinic door was secure and implemented additional safety measures, including an additional lock on internal doors within the clinic and secure storage of keys to internal doors, file cabinets, and storage cabinets.

 

BHCHP also updated its policies governing how staff use and store patient information.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

10 Best Practices for HIPAA Compliance 

10 Best Practices for HIPAA Compliance  | HIPAA Compliance for Medical Practices | Scoop.it

A failure to understand HIPAA requirements can be a very costly mistake, as CardioNet learned just a couple months ago. In April, the wireless health services provider agreed to a settlement of $2.5 million for a potential noncompliance with the HIPAA Privacy and Security Rules. (1) The violation occurred when a company laptop containing the ePHI of 1,391 individuals was stolen from an employee’s vehicle parked outside their home. The Office for Civil Rights (OCR)’s investigation revealed that CardioNet had insufficient risk analysis and risk management processes in place at the time of the theft. In addition, the company’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented. CardioNet was also unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices. 

 

“Mobile devices in the health care sector remain particularly vulnerable to theft and loss,” said Roger Severino, OCR Director. “Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected. 

 

Most HIPAA violations can be prevented by implementing HIPAA regulations into practice policies and procedures and ensuring all individuals with access to patient information receive the proper training. Below are ten best practices for keeping your practice HIPAA compliant.

 

10 Best Practices for HIPAA Compliance

  • Implement safeguards such as password protected authorization and encryption to access patient-specific information on all computers, laptops, and devices.
  • Practices should keep all patient paperwork, charts, and records locked away and safe out of the public's view. Never leave patient information out or unattended.
  • Computer programs containing patient information should be closed and logged out of when not in use. Never share passwords between employees.
  • Ensure all computers have updated anti-virus software installed. This will help keep a practice guarded against malicious software.
  • Limit emailing PHI if the information can be sent another way. When faxing PHI, always use a cover sheet.
  • Always properly dispose of information containing PHI by shredding paper files.
  • Make sure employees are aware that using social media to share patient information is considered a violation of HIPAA law.
  • If patient information is being accessed at home, ensure all home computers and laptops are password protected.
  • Back up all disks that contain PHI. Store patients’ information in a HIPAA compliant cloud server.
  • Compliance training is one of the simplest ways to avoid a violation. Practices should provide ongoing, up-to-date training on the handling of PHI for all employees.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Recent Ransomware Attacks Could be HIPAA Violations

Recent Ransomware Attacks Could be HIPAA Violations | HIPAA Compliance for Medical Practices | Scoop.it
By now, you may have heard about the massive ransomware attack that has struck over 150 countries, including The United States, over the past week.
 
If health care data taken hostage in a ransomware attack is unencrypted, it could constitute a HIPAA violation. Any electronic protected health information (ePHI) that is affected by a breach without proper encryption methods in place is very likely to be compromised in the event of a ransomware attack.
 
These recent attacks come out of a growing trend in malware incidents over the past year. OCR has released guidance about how to handle a ransomware incident in your health care practice. The federal government has stressed the importance of safeguarding your organization and protecting your confidential patient data.
 
 
If you’re interested in protecting your organization from a ransomware incident–and want education about how to prevent ransomware attacks from spawning HIPAA breaches and fines–attend the upcoming webinar.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA liability protections: business associate agreements are must for effective risk management

HIPAA liability protections: business associate agreements are must for effective risk management | HIPAA Compliance for Medical Practices | Scoop.it

The first step for a physician, known under the language of HIPAA as a “covered entity,” is to determine the need for a BAA with a vendor. A vendor is considered a “business associate” under HIPAA if the vendor creates, receives, maintains, or transmits patient health information (PHI) on the provider’s behalf.

 

Common services performed by a business associate (BA) include claims processing, data analysis, quality assurance, billing and collection, practice management, legal, accounting, and consulting.

 

Entities that only serve as conduits, such as the post office or Internet service providers, are not considered BAs even though they handle patient information.

 

What BAs must include

If a business associate is providing services to a covered entity, the parties must enter into a written BAA that:

 

  • establishes the permitted uses/disclosures of PHI,
  • stipulates that the BA must use appropriate safeguards to prevent unauthorized PHI uses and disclosures,
  • spells out that the BA reports to the covered entity any unauthorized uses and disclosures,
  • extends the terms of the BAA to its subcontracts, and
  • establishes that upon termination of the BAA, the vendor must either return or destroy all PHI.

 

The consequences of not having a written BAA can be severe. The Office of Civil Rights (OCR) could request a copy of a covered entity’s BAA if there is a complaint registered over a covered entity or if a breach occurs.

 

Violations under HIPAA can be penalized at anywhere between $100 to $50,000 per violation, up to a calendar year maximum penalty of $1,500,000 for a single violation. The OCR could take the position that every day that the BA and covered entity did not have a business associate agreement is a violation, and multiply the fine by the number of days no BAA penalty was in place, so the penalties can be steep.

 

Liability of agents

Under HIPAA, a covered entity is liable for the acts of its agents, which can include a BA.

 

Whether an agency relationship exists is determined case by case, with the essential factor being whether the provider has the right or authority to control the BA’s conduct. The authority of a provider to give instructions or directions is the control that can result in an agency relationship.

 

The language in the BAA will be considered in determining whether an agency relationship is present. If a covered entity is controlling the performance of its BA, the covered entity should closely monitor the BA’s performance since the covered entity will be held accountable for its performance.

 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA compliance tips for small medical practices

HIPAA compliance tips for small medical practices | HIPAA Compliance for Medical Practices | Scoop.it

You’ve seen the headlines splashed on TV and across the internet: data breaches hit national businesses such as Target, Chipotle, and many large healthcare systems.

 

But data breaches don’t just affect large corporate entities, they affect small healthcare organizations as well. Take the case of Holland Eye Laser Surgery in March 2018. Their five-provider group practice saw a data breach which made available the patient records of 42,000 patients. Hackers were able to access Social Security numbers, birth records, and other sensitive protected health information (PHI).

 

In fact, some of the medical records of these patients were sold off by data hackers. Officials from the practice stated that they’re now working to strengthening their security system. But once patient trust is lost, sometimes it just cannot be restored.

 

Brief primer on HIPAA and data breaches

 

• The Privacy Rule protects individually identifiable health information held or transmitted by a covered entity or its business associate, in any form, whether electronic, paper, or verbal

 

• Each entity must analyze the risks to e-PHI in its environment and create solutions appropriate for its own situation.

 

• The HIPAA Breach Notification Rule requires providers to notify affected individuals, HHS, and in some cases, the media of a breach of unsecured PHI. Most notifications must be provided without delay and no later than 60 days following the discovery of a breach.

 

5 tips to help you and your medical staff to avoid data breaches

 

1. CMS requires organizations to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).) Conduct a detailed risk analysis to evaluate the current staff and product deficiencies and create corrective measures.

 

2. Designate a staff member to train employees on your practice’s HIPAA policies and procedures and spend time going over typical breaches.

 

3. Hire an outside expert to help your organization with compliance support. Your outside organization should set up monthly meetings with the business owners to evaluate your company compliance program and work with your organization to identify cost-effective resources to keep your company compliant.

 

4. Customize your internet toolbars with anti-phishing protection. These applications can run website checks and compare them to lists of known phishing sites and alert users.

 

5. Be suspicious of any email message that asks you to enter or verify personal information through a website or by replying to the message itself. Practice groups and or staff members should never reply to or click the links in such a messages.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Legislation Changes and New HIPAA Regulations

Legislation Changes and New HIPAA Regulations | HIPAA Compliance for Medical Practices | Scoop.it

The policy of two out for every new regulation introduced means there are likely to be few, if any, new HIPAA regulations in 2018. However, that does not mean it will be all quiet on the HIPAA front. HHS’ Office for Civil Rights (OCR) director Roger Severino has indicated there are some HIPAA changes under consideration.

 

OCR is planning on removing some of the outdated and labor-intensive elements of HIPAA that provide little benefit to patients, although before HIPAA changes are made, OCR will seek feedback from healthcare industry stakeholders.

 

As with previous updates, OCR will submit notices of proposed rulemaking and will seek comment on the proposed changes. Those comments will be carefully considered before any HIPAA changes are made.

 

The full list of proposed changes to the HIPAA Privacy Rule have not been made public, although Severino did provide some insight into what can be expected in 2018 at a recent HIPAA summit in Virginia.

 

Severino explained there were three possible changes to HIPAA regulations in 2018, the first relates to enforcement of HIPAA Rules by OCR.

 

Since the introduction of the Enforcement Rule, OCR has had the power to financially penalize HIPAA covered entities that are discovered to have violated HIPAA Rules or not put sufficient effort into compliance. Since the incorporation of HITECH Act into HIPAA in 2009, OCR has been permitted to retain a proportion of the settlements and CMPs it collects through its enforcement actions. Those funds are used, in part, to cover the cost of future enforcement actions and to provide restitution to victims. To date, OCR has not done the latter.

 

OCR is considering requesting information on how a proportion of the settlements and civil monetary penalties it collects can be directed to the victims of healthcare data breaches and HIPAA violations.

 

One area of bureaucracy that OCR is considering changing is the requirement for covered entities to retain signed forms from patients confirming they have received a copy of the covered entity’s notice of privacy practices. In many cases, the forms are signed by patients who just want to see a doctor. The forms are not actually read.

 

One potential change is to remove the requirement to obtain and store signed forms and instead to inform patients of privacy practices via a notice in a prominent place within the covered entity’s facilities.

 

Severino also said OCR is considering changing HIPAA regulations in 2018 relating to good faith disclosures of PHI. OCR is considering formally clarifying that disclosing PHI in certain circumstances is permitted without first obtaining consent from patients – The sharing of PHI with family members and close friends when a patient is incapacitated or in cases of opioid drug abuse for instance.

 

While HIPAA does permit healthcare providers to disclose PHI when a patient is in imminent harm, further rulemaking is required to cover good faith disclosures.

 

While these HIPAA changes are being considered, it could take until 2019 before they are implemented.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Texas Expands HIPAA Privacy Laws to Bolster EHR Security

Texas Expands HIPAA Privacy Laws to Bolster EHR Security | HIPAA Compliance for Medical Practices | Scoop.it

Governor of Texas, Rick Perry, has signed a new law to give Texas residents even greater protection than required by the Health Insurance Portability and Accountability Act and has increased penalties for healthcare organizations that fail to implement the appropriate security measures to protect the health data of patients.

 

Under the Health Information Technology for Economic and Clinical Health Act (HITECH), covered entities have a number of responsibilities including reporting data breaches to the Office for Civil Rights (OCR). Data breaches are reportable to the OCR, either in an end of year report or after an investigation, depending on the number of individuals affected.

 

HIPAA places a number of restrictions on how ePHI is used and stored, and all covered entities are required to conduct a full risk analysis to assess systems for security vulnerabilities to allow risk to be managed. It also lays down the procedures that must be followed after a data breach, such as notifying potential victims. Covered organizations are also required to conduct an investigation into how a breach occurred as well as a risk of harm analysis.

 

One of the main aims of HIPAA has been to improve the standard of data security and protect the privacy of patients. HIPAA and HITECH can be seen as minimum standards that must be followed, and states are allowed to increase data security rules, provided that all HIPAA requirements are met.

 

Texas has now exercised the right to tighten state privacy laws to ensure electronic Protected Health Information is kept private and confidential.

 

Greater Protection for Texas Residents
The new Texas law follows HITECH, although it makes a number of amendments to further restrict the use of ePHI. The penalties have been increased for wrongful disclosure, breach notifications have been updated and healthcare organizations must provide more training to staff. A new requirement is that data privacy and security training must now be provided to employees every two years. Training courses must be documented and all attendees must sign to confirm that they have received training. A 60-day time restriction has also now applies for providing new employees with training.

 

According to the new law, “an individual’s PHI may not be disclosed without the patient’s authorization, except for purposes of treatment, payment, healthcare operations, insurance purposes, and as otherwise authorized by state or federal law”

 

Harsher Penalties for Wrongful Disclosure of ePHI
Failure to comply with the new legislation will result in increased financial penalties and possibly criminal penalties – the theft of ePHI is now considered a felony – being applied for the wrongful disclosure of ePHI. The state is also able to revoke both professional and institutional licenses. Financial penalties have been increased to a maximum of $250,000 for intentional disclosure of ePHI for financial gain, $25,000 for intentional or knowing violation and $5,000 for each individual negligent violation, although the maximum penalty for repeat offenders is $1.5 million and enforced withdrawal from Medicaid, the Children’s Health Insurance Program and other state funded healthcare initiatives is also a possibility.

 

When assessing violations, the seriousness of the data breach will be considered along with significant risk of harm, past history of the organization, certification, the efforts made to mitigate any damage caused and the amount necessary to deter the organization from allowing further violations to occur. Failure to issue breach notifications to affected individuals will also be penalized at a rate of $100 per day, per individual, up to a maximum fine of $250,000.

 

HIPAA regulations require employers to provide training on data Privacy and Security Rules, although this is only required within a short time frame of the commencement of employment and after a material change in Privacy and security policies. Under the new Texas law there is a requirement for ongoing training to be provided to staff and this must also be tailored to the employee’s position within the company. Rules have also changed on breach notifications to include all HIPAA covered entities including business associates, as well as non HIPAA-covered entities that wrongfully disclose ePHI.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

8 Ways HIPAA Compliant Cloud Phone Systems Help Healthcare

8 Ways HIPAA Compliant Cloud Phone Systems Help Healthcare | HIPAA Compliance for Medical Practices | Scoop.it

If you work in a pharmacy, insurance company, hospital, or any kind of healthcare practice, you know about HIPAA. The Health Insurance Portability and Accountability Act of 1996obligates all healthcare providers or payers to safeguard the privacy and integrity of the personal health information, or PHI, of patients. You also know that it's about much more than securing digital data files: It's what obligates the pharmacy technician to ask customers in line to step back from the pickup counter; it's what requires hard copy patient records to be kept out of reach of unauthorized personnel.

 

Also under HIPAA's umbrella? Telephone usage.

As with oral or written information, compliance in digital voice and video is achieved through a combination of technology tools and proper practices. When you store it, (think voicemails, recorded calls) digital voice puts the "e" in ePHI (electronic personal health information) where HIPAA's more stringent security (as opposed to privacy) rules apply. Here, it's important not just to keep patient information from unauthorized persons; it's important to ensure such data is locked down or encrypted in such a way that it can't be accessed or changed.

It's no small chore to establish HIPAA compliance; that's why few hosted VoIP providers have performed the required policy and procedure improvements, documentation, employee training, ongoing monitoring, and physical security audits. Some, however—including OnSIP—have taken this step. By being certified to sign the Business Associate Agreements that HIPAA requires, providers assure customers that they take on responsibility for compliance as regards their voice and video platform. In the process, they extend to healthcare the considerable benefits of cloud communications that non-regulated industries have enjoyed for years.

 

Here are eight examples of how a healthcare practice can benefit from an HIPAA-compliant cloud phone system:

1. Share phone numbers, recordings, menus, and more across multiple locations.

Cloud communications can bring multiple sites under one shared administrative account. This not only saves money previously spent on individual phone lines, but also lets users dial any phone as a in-network extension, with call handling functions such as hold and transfer. OnSIP's network-wide encryption ensures that such calls cannot be tapped at any point on the IP network. (For a good example of how this works, see how Open Arms Treatment Center unified multiple office locations.)

2. Pool personnel across multiple locations to reduce calls on hold and provide foreign language assistance.

With system-wide call queuing, multi-site practices or insurance companies can pool office staff in every location to answer all incoming calls to a main number, reducing patient wait times. If they want to respond even faster, they can even recruit home-based workers. These remote staff can use personal computers or phones as extensions on the network. Organizations can also leverage, for example, the Spanish-speaking staffer in one location to handle Spanish-speaking callers to all other sites.

3. Provide staff with EHRs and patient information from PMS apps upon incoming calls.

Just as cloud phone systems are easily integrated with business CRM software to pop customer information on customer service agent screens, an integration with a PMS can pop patient info, saving office staff time in making appointments or handling insurance claims. Such integrations also makes it easier to dial out to patients, by enabling click-to-dial functionality on a computer. It further helps ensure that patients are reached through the numbers they requested to receive calls—as required by HIPAA—since it is easy to embed those clickable numbers prominently on their records.

4. Make and receive calls with professional caller ID from any phone or location.

Many cloud phone system providers offer softphone applications that run on a computer or smartphone. These apps allow users to access the phone system remotely, so doctors can answer work calls and view inbound caller ID information, no matter where they are. They can also easily transfer calls colleagues. When they need to make a work call, their outbound caller ID will display the office phone number, a favorite feature for on-call staff who may be away from the practice and carry only their personal phone.

5. See who's available across the organization to receive transferred calls.

With a clear view of coworkers' availability—available on some services—users can avoid transferring patients' calls to unattended extensions or voicemail, averting frustration. When staff are there to answer, patients can be transferred from lab results to follow-up scheduling or refill requests, accomplishing more with each call.

6. Video calling can extend physician reach to underserved areas and workplaces.

While patients are by now well acquainted with video calling, the Skype and Facetime appsthey use are not HIPAA compliant. If a HIPAA-certified cloud phone service includes video calling, practitioners can leverage this richer medium for better informed (and more billable) consultations. These calls can support technician-assisted telehealth visits and remote medical device readings, extending clinicians’ reach into underserved areas. Technician-assisted medical kiosks, equipped with video calling and devices such as digital stethoscopes and blood-pressure monitors, have been installed in workplaces to encourage employees to take better care of their health.

7. Video calling aids and encourages use of online patient portals.

Since voice and video sessions can be provided through a web browser, video chat can be embedded in an online patient portal. Being able to see the medical assistant, say, answering questions, may encourage more patients to sign up for these increasingly popular portals. By logging into a secure website, patients can access personal information as well as view lab results, send secure messages to doctors, track immunization records, and schedule appointments.

8. Easily retrieve voicemails and other call recordings attached to EHRs and PMRs.

Many hosted VoIP services offer call recording, which is gaining use in healthcare settingsfor a variety of reasons, from documenting remote visits, to training employees, to protection from spurious malpractice suits. As a digital file containing individually identifiable health info, these recordings require encryption in transit and at rest. With a HIPAA-certified cloud service and proper policy enforcement, these recordings can be securely shared among other members of the practice group, or attached to a patient record in a similarly secured practice management or EHR system.

 

At the end of the day, healthcare organizations must recognize that HIPAA compliance is only one part technology. Policy establishment and documentation, training, and enforcement make up the other parts. Oral, paper, and digital media, storage strategy and messaging must be thoroughly considered.

 

If you’re considering a cloud phone system for your office or practice, a good place to start is by reviewing HIPAA’s privacy and security rules. Since at least 11 states add more stringent patient protections to the ones imposed federally, their rules must be reviewed as well. For this, we recommend Health Information & the Law, a project of the George Washington University's Hirsh Health Law and Policy Program and the Robert Wood Johnson Foundation. If you provide medical care, you should consult a lawyer familiar with your state’s health privacy laws. Finally, you should also commission a third-party auditor to determine what parts you may be missing before implementing a cloud-based communications solution.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
Scoop.it!

Fax Sent to Wrong Number Results in HIPAA Violation

Fax Sent to Wrong Number Results in HIPAA Violation | HIPAA Compliance for Medical Practices | Scoop.it

One morning, the office manager got a call from one of the practice's patients, Mr. M, a 52-year-old, HIV-positive man who had been seeing Dr. G for a decade. Although he was happy with the treatment he had been receiving, Mr. M's company was promoting him and he was relocating to another town. He called to ask Dr. G to fax his medical records to his new urologist.

 

The office manager was juggling numerous tasks, but managed to send the fax out later that day. The office did not have personalized fax cover sheets, just sheets that the office manager printed off once a week which had spaces to fill in the “to” and “from” sections. She hurriedly filled them in and shot off the fax, one of several she had to do before checking in the next patient.

 

At the end of the day she told Dr. G that it had been done. He thought nothing of it until the following Monday when the office manager came into the back office to speak to him. She was pale and looked shaken, and the physician immediately asked if she was okay.

 

“It's Mr. M,” the office manager said. “He just called – absolutely furious. He says that we faxed his medical records to his employer rather than his new doctor, and that now his company is aware of his HIV status. He is extremely upset.”

 

“I'm so sorry,” the office manager said tearfully. “I was the one who sent that fax out. I must have accidentally grabbed the wrong number from his file. What should we do?” She looked at Dr. G for guidance.

 

Dr. G was holding his forehead, and trying to figure out how to remedy the situation. “The first thing we're going to do is to call Mr. M and apologize. Then we'll take it from there.”

 

The office manager and Dr. G called Mr. M and apologized profusely for the mix-up. Mr. M understood that it had not been done maliciously, but he was still not satisfied and reported the incident to the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR).

 

An initial investigation indicated that the incident was not criminal and so it was not referred to the Department of Justice.

 

Rather, it was handled by the OCR. OCR officials appeared at Dr. G's office to look into the matter, and after a thorough investigation, the OCR issued a letter of warning to the office manager, referred the office staff for HIPAA privacy training, and had the office revise the fax cover sheets to underscore that they contain a confidential communication for the intended recipient only.

 

Legal Background
The Health Insurance Portability and Accountability Act, commonly known as HIPAA, protects personally identifiable health information of patients, and specifies to providers how such information may be used. HIPAA has been in effect for about a decade, and in that time, the HHS has received a total of almost 80,000 complaints.

 

Of those, more than 44,000 were dismissed, 19,000 were investigated and resolved with changes to privacy practice, and 9,000 were investigated but no violations were found. According to HHS, private medical practices were the ones most often required to take corrective action as a result of enforcement.

 

The top two compliance issues most frequently investigated are impermissible use and disclosure of protected health information and lack of safeguards for protected health information.

 

When a HIPAA complaint is filed with the HHS, the first determination made is whether there was a possible privacy violation and whether it was of a criminal nature. If it was determined to be criminal, the case is referred to the Department of Justice for investigation and possible prosecution.

 

If it was determined that it was not a criminal issue (as in this case) the violation is investigated by the OCR. If it is determined that a HIPAA violation did, in fact, take place, the OCR can either obtain voluntary compliance, corrective action or some other voluntary agreement with the offender, or the OCR can issue a formal finding of violation and force the offender to change its practices.

 

In this particular case, the office manager and Dr. G recognized the mistake and immediately tried to take corrective action by apologizing to the patient. Dr. G's office also voluntarily agreed to extra compliance training for the staff and to a change in their faxing procedures to indicate that the faxed materials are confidential.

 

Protecting Yourself
This particular scenario was the result of a careless error. While a careless error can happen to anyone, one such as this could cause irreparable harm to the patient if his employer now views or treats him differently because of the new knowledge of his HIV-positive status.

 

Confidential patient records must be treated with the greatest of care as they contain information of an extremely personal nature. Many HIPAA cases have involved the unintentional divulging of the HIV or AIDS status of a patient.

 

In a similar case, a dental practice was reported for using red stickers and the word AIDS on the outside of patient folders. And in a case that took place in a hospital, a nurse and orderly lost their jobs for discussing a patient's HIV status within earshot of other patients.

 

A good rule of thumb is to treat a patient's confidential information as you would want yours to be treated, and then add a little extra security for good measure.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Few Things Physicians are Not Doing to Comply with HIPAA.

Few Things Physicians are Not Doing to Comply with HIPAA. | HIPAA Compliance for Medical Practices | Scoop.it

Shortly after the Health Insurance Portability and Accountability Act (HIPAA) was implemented, David Zetter was at a doctor's office helping the group build a compliance plan. He was in the back of the practice training some of the staff when the receptionist walked in and handed him a piece of paper.

 

The note was from a patient saying she could see everyone's names and files at the front desk and she knew that was a HIPAA violation.

 

More than a decade later, HIPAA compliance has become ingrained: Files are not left out in the open, patient information is not improperly disclosed, and doctors do not leave health-related messages on answering machines. It is routine to have every patient sign a HIPAA release and go about your business.

 

But compliance is not a one-and-done activity as much as an evolution of rules and procedures. Compliance gurus bet there are at least a few things physicians are not doing to comply with HIPAA.

 

Make a plan
One main thing that practices should have is a compliance plan, but many do not, said Zetter, founder of Zetter Healthcare Management Consultants. “They buy a cheap manual off of the internet and think that works,” he said. “But it cannot be implemented that way; it wasn't set up for your practice.”

 

Even state medical societies sell how-to manuals, but Zetter said this is only a document meant to guide you through creating a compliance plan, not the plan itself.

 

Sample HIPAA compliance plans and instructions for completing one can be found online. The Massachusetts Medical Society provides a document with a checklist and tips to help doctors develop their own documents.

 

Analyzing compliance
The second thing that needs to be completed is a gap analysis. These are used to determine what the organization is doing and what they should be doing. Zetter said an office needs to take each section of the regulation, see what is required and compare it with what is being done. Detailed information on creating a gap analysis can be found at the North Carolina Department of Health and Human Services Website.

 

Once gaps are identified, it is important to find ways to mitigate the potential problem areas. Physicians can do this by performing a risk analysis, which provides the basis for developing ways to cover themselves if an information breach should occur.

 

A risk analysis can arrive at whether there is a low, medium, or high risk of a HIPAA violation occurring, Zetter said. The greater the risk, the more resources are needed for prevention. All of this should be documented.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Staff Nurse Faces Jail Time for HIPAA Violations

Staff Nurse Faces Jail Time for HIPAA Violations | HIPAA Compliance for Medical Practices | Scoop.it

Her breach of a patient's privacy jeopardized the clinic from which she was subsequently fired.

 

What began as routine file maintenance ended in arrest and possible jail time for a licensed practical nurse who shared a patient's medical information with her spouse.

 

Ms. A, 29, had been employed by a midsize regional clinic for five years. While she enjoyed her job and got on well with her supervisor, Dr. P, she was known to bemoan what she saw as low pay and the financial strain it created for herself and her husband. That strain intensified when her husband was in an auto accident and then sued by people in the other car seeking compensation for their injuries.

 

One day, as Ms. A was flipping through charts to straighten up the files, she saw the plaintiff's name. Reading the chart with great interest, she jotted some notes, stuck them in her bag, and replaced the file. That night, as her husband complained about the impending lawsuit and its potential financial consequences, Ms. A smiled and reached into her bag for the notes she'd taken earlier. “I think this will help,” she said.

 

The next day, Mr. A phoned the patient. During the conversation, he made it known that he had medical information which he believed weakened the man's case. Mr. A suggested that he consider dropping the lawsuit.

 

After hanging up with Mr. A, the patient made two phone calls. First he called the clinic where Ms. A worked. Then he called the district attorney.

 

The next morning, Ms. A was summarily fired. “You may very well have put this whole clinic in jeopardy,” Dr. P told her.

 

After Ms. A left the building, Dr. P called a meeting of all the nurses, physician assistants, and support staff and explained why Ms. A had been fired. Outlining the laws on patient privacy, he informed them that no breach of these laws would be tolerated under any circumstances.

 

Meanwhile, Ms. A's problems were just beginning. The district attorney forwarded the patient's complaint to a federal prosecutor, and within a month, both Ms. A and her husband were indicted. Ms. A was charged with violating the Health Insurance Portability and Accountability Act (HIPAA) and with “conspiracy to wrongfully disclose individual health information for personal gain with maliciously harmful intent in a personal dispute.” Her husband was charged with witness tampering. The couple hired a criminal defense attorney, who negotiated a plea agreement with the federal prosecutor. Ms. A pleaded guilty to one count of wrongful disclosure of individual health information for personal gain. In exchange for her plea, the charges against her husband were dismissed.

 

Ms. A is awaiting sentencing. She faces up to 10 years in prison, a fine of as much as $250,000, and up to three years of supervised probation. The state nursing board is seeking to revoke her license.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Massachusetts Physician Guilty in HIPAA Case

Massachusetts Physician Guilty in HIPAA Case | HIPAA Compliance for Medical Practices | Scoop.it

Recently, a gynecologist was sentenced to 1 year of probation for violating HIPAA laws and obstructing an investigation into a federal health care probe.

 

Rita Luthra, MD, who treated women in a low-income area of Springfield, Massachusetts, was convicted this past April of allowing a pharmaceutical representative from Warner Chilcott improper access to patient records. While the case is unique—providers have rarely been charged criminally under HIPAA—it is a cautionary tale about the potential implications for improper disclosure.

 

Federal charges
Dr Luthra's conviction stemmed from a larger Department of Justice (DOJ) investigation into Warner Chilcott's practices. The pharmaceutical company, which was purchased in 2015 by Allergan plc, was investigated on allegations of paying kickbacks to physicians to entice them to prescribe its medications to patients; false marketing for Actonel, a drug prescribed for treatment of osteoporosis; and manipulating prior authorizations for its other osteoporosis drug, Atelvia.

 

The DOJ reached a $125 million settlement with the company in 2015. Dr Luthra was found to be one of the physicians accused of taking part in Warner Chilcott's practices. She was originally brought up on kickback charges, with investigators claiming she received more than $23,000 for prescribing their osteoporosis medication. They claimed she was paid approximately $750 on numerous occasions to hold educational events in her office for the pharmaceutical company.

 

But those charges were dropped, and a revised indictment for HIPAA charges was filed. Prosecutors claimed she gave a sales representative patient information in order to fill out forms to get an insurer to cover the drugs. She was also convicted on an obstruction charge for allegedly lying to the DOJ about why she was paid by the pharmaceutical company.

 

Luthra could have received up to 6 years in prison and a $300,000 fine for both charges. The judge on the case, however, said that the loss of her license and probation was enough of a sentence. He reportedly considered her work for years serving patients in lower-income communities during sentencing.

 

Pandora's box
Criminal prosecutions under HIPAA are not common, but Conor Duffy, a lawyer with Robinson & Cole LLP, said it is reflective of a growing trend.

 

“Prosecutors appear to utilize criminal charges under HIPAA in part as a fall back or as leverage against a provider, because proving HIPAA violations can be easier than proving the existence of an illegal kickback arrangement,” Duffy said. “The Massachusetts case is notable in that the government ended up dropping its kickback allegations but nonetheless prosecuted the physician for a HIPAA violation.”

 

There have been a few other cases where criminal charges were applied through HIPAA, most involving providers improperly using the information or providing it to others for financial gain. In one such case, a Florida nurse used the information of more than 600 of her patients to file false tax returns with potential refunds of more than $220,000. She was sentenced to more than 3 years in prison and fined.

 

“Some people are doing it for personal benefit, and it's happening more often than would be hoped for,” said Matthew Fisher, a law partner at Mirick, O'Connell, DeMallie & Lougee LLP.

When prosecutors file criminal charges, “they will come up with every single charge they can think of so one will stick,” Fisher said. Filing multiple charges allows them not only to find one that's valid, but also allows for negotiation. And when the government begins investigating, they will likely find some issues.

 

“Once they start looking around they will find something even if it's not why they came in the door,” Fisher continued “The regulations are so complex it's difficult to be 100% compliant and as a physician, you have to live with what comes out of that.”

 

Stay in compliance
This case provides a good warning, particularly for smaller organizations, that HIPAA applies to practices of all sizes, according to Amy Joseph, senior counsel at Hooper Lundy & Bookman PC. It is a reminder to avoid disclosing information unless it is for treatment, claim payment, internal health care operations, the patient has authorized the disclosure, or another limited exception applies.

 

“Disclosure for purposes other than treatment, payment, or health care operations need to be scrutinized,” Joseph said. “Get help, talk to your counsel. Just because someone else is in health care it doesn't mean they are going to protect the information or are asking for it for legitimate purposes. It's better to be more cautious than not.”

 

Duffy said personal relationships, such as those with some pharmaceutical sales representatives, should be monitored. These salespeople are “trained to cultivate business by building such relationships.”

 

“Providers also need to be careful to not rationalize potentially illegal acts—like allowing a sales representative to use identifiable health information to facilitate prescriptions of a drug for a patient—on the basis that a patient could ultimately benefit from a drug or device, because the laws governing these interactions do not take that into account,” he said.

 

If a provider gets into a situation where a pharmaceutical representative, medical device company, or other similar health care organization is calling and asking for patient information, Fisher recommends taking a step back before providing it. Providers should look at the relationship they have with the organization. They might be using it for valid purposes such as clinical trials or reporting to the FDA.

 

Most providers will shrug and say they would never get into the kind of situation Dr Luthra did, but Fisher said it is not always such an obvious delineation between when information should and should not be given out.

 

“If they are calling out of the blue and you're not clear why the connection is being made, question it and don't just volunteer that information,” Fisher said. “It's not a defense to say, ‘They told me it was OK and I never really thought about it.' You're always responsible for your own actions; no one is forcing you to do anything.”

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Privacy Rule Can Be Tool for Health Information Exchange

HIPAA Privacy Rule Can Be Tool for Health Information Exchange | HIPAA Compliance for Medical Practices | Scoop.it

Rather than being a barrier to information sharing and interoperability, the HIPAA Privacy Rule can be seen as a tool to facilitate health information exchange and flow across the health ecosystem, argued OCR and ONC in an Aug. 30 blog post. 

 

The HIPAA Privacy Rule provides individuals with a right to access information in their medical and other health records maintained by a HIPAA covered entity, such as an individual’s healthcare provider or health plan, noted ONC Chief Privacy Officer Kathryn Marchesini and OCR Acting Deputy Director for Health Information Privacy Timothy Noonan.

 

The authors wrote that the 21st Century Cures Act, enacted in 2016, among other things called for greater individual access to information and interoperability of healthcare records. The act directed HHS to address information blocking and promote the trusted exchange of health information.

 

 

“Information blocking occurs when a person or entity – typically a health care provider, IT developer, or EHR vendor – knowingly and unreasonably interferes with the exchange and use of electronic health information,” ONC explained.

 

ONC and OCR recently began a campaign encouraging individuals to access and use copies of their healthcare records.

The two HHS offices are offering training for healthcare providers about the HIPAA right of access and have developed guidance to help consumers take more control of decisions regarding their health.

 

These guidelines include access guidance for professionals, HIPAA right of access training for healthcare providers, and the Get It. Check It. Use It. website for individuals.

The authors also noted that the HIPAA Privacy Rule supports the sharing of health information among healthcare providers, health plans, and those operating on their behalf, for treatment, payment, and healthcare operations. It also provides ways for transmitting health information to relatives involved in an individual’s care as well as for research, public health, and other important activities.

 

“To further promote the portability of health information, we encourage the development, refinement, and use of health information technology (health IT) to provide healthcare providers, health plans, and individuals and their personal representatives the ability to more rapidly access, exchange, and use health information electronically,” they commeted.

 

The Centers for Medicare & Medicaid Services (CMS) and the National Institutes for Health (NIH), along with the White House Office of American Innovation, are working to support the exchange of health information and encourage the sharing of health information electronically.

 

For example, CMS is calling on healthcare providers and health plans to share health information directly with patients, upon their request.

 

Also, NIH has established a research program to help improve healthcare for all individuals that will require the portability of health information.

 

The White House’s MyHealthEData initiative, which originated from President Donald Trump’s 2017 executive order to promote healthcare choice and competition, aims to break down the barriers preventing patients from having access to their health records.

 

The executive order directed government agencies to “improve access to and the quality of information that Americans need to make informed healthcare decisions.” The order is part of a broader effort to increase market competition in the healthcare market.

 

ONC developed a guide intended to educate individuals and caregivers about the value of online medical records as well as how to access and use their information. ONC also produced videos and fact sheets to inform individuals about their right to access their health information under HIPAA.

 

“It’s important that patients and their caregivers have access to their own health information so they can make decisions about their care and treatments,” said National Coordinator for Health Information Technology Don Rucker. “This guide will help answer some of the questions that patients may have when asking for their health information.”

 

The agency said that an individual’s ability to access and use health information electronically is a cornerstone of its efforts to increase patient engagement, improve health outcomes, and advance person-centered health.

 

ONC noted that the guide supports both the 21st Century Cures Act goal of improving patient access to their electronic health information and the MyHealthEData initiative.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.