HIPAA Compliance for Medical Practices
73.9K views | +29 today
Follow
 
Scoop.it!

HIPAA compliance tips for small medical practices

HIPAA compliance tips for small medical practices | HIPAA Compliance for Medical Practices | Scoop.it

You’ve seen the headlines splashed on TV and across the internet: data breaches hit national businesses such as Target, Chipotle, and many large healthcare systems.

 

But data breaches don’t just affect large corporate entities, they affect small healthcare organizations as well. Take the case of Holland Eye Laser Surgery in March 2018. Their five-provider group practice saw a data breach which made available the patient records of 42,000 patients. Hackers were able to access Social Security numbers, birth records, and other sensitive protected health information (PHI).

 

In fact, some of the medical records of these patients were sold off by data hackers. Officials from the practice stated that they’re now working to strengthening their security system. But once patient trust is lost, sometimes it just cannot be restored.

 

Brief primer on HIPAA and data breaches

 

• The Privacy Rule protects individually identifiable health information held or transmitted by a covered entity or its business associate, in any form, whether electronic, paper, or verbal

 

• Each entity must analyze the risks to e-PHI in its environment and create solutions appropriate for its own situation.

 

• The HIPAA Breach Notification Rule requires providers to notify affected individuals, HHS, and in some cases, the media of a breach of unsecured PHI. Most notifications must be provided without delay and no later than 60 days following the discovery of a breach.

 

5 tips to help you and your medical staff to avoid data breaches

 

1. CMS requires organizations to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).) Conduct a detailed risk analysis to evaluate the current staff and product deficiencies and create corrective measures.

 

2. Designate a staff member to train employees on your practice’s HIPAA policies and procedures and spend time going over typical breaches.

 

3. Hire an outside expert to help your organization with compliance support. Your outside organization should set up monthly meetings with the business owners to evaluate your company compliance program and work with your organization to identify cost-effective resources to keep your company compliant.

 

4. Customize your internet toolbars with anti-phishing protection. These applications can run website checks and compare them to lists of known phishing sites and alert users.

 

5. Be suspicious of any email message that asks you to enter or verify personal information through a website or by replying to the message itself. Practice groups and or staff members should never reply to or click the links in such a messages.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

Six Common HIPAA Violations and how you can prevent them

Six Common HIPAA Violations and how you can prevent them | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA compliance is an ongoing process.  Do you have security and privacy policies and procedures for your organization?  Do you review your policies and procedures periodically? Is your HIPAA training planned for new employees and to update everyone as necessary?  Do you know where the gaps are in your data security and do you have a plan to address these gaps?  Do your vendors and their staff follow a culture of privacy?

 

Our Managing director, Rema Deo has created a list of the top 6 HIPAA Violations 24By7Security staff have found, based on over 500 security risk assessments conducted by our security analysts for healthcare organizations ranging from one doctor practices to multi-location hospitals.  This list of HIPAA violations comes complete with appropriate risk mitigation recommendations that can help you in your organization. 

  

1. Lack of Business Associate Agreements (BAAs) with your vendors

Often healthcare organizations, especially the smaller to medium sized medical practices, fail to enter into Business Associate Agreements with their vendors or business associates. These vendors could range from a small IT vendor to large Electronic Health Record System (EHR).  Sometimes, smaller practices use free insecure email and even use insecure email to share or communicate PHI. This puts them at unnecessary risk.  Healthcare providers should also note that business associate agreements should be dated after the Omnibus Final Rule came into effect, i.e. after January 2013.   

How can you mitigate this risk when it comes to Business Associate Agreements?

  1. Prevent this risk by getting HIPAA-compliant Business Associate Agreements signed with all your vendors or business associates who have access to PHI.
  2. Be sure to always use secure means of transmission of PHI, and enter into a Business Associate Agreement with the vendors who are providing this secure transmission.  For example, secure email providers, external cloud storage solutions, EHR systems, and such providers usually have HIPAA-compliant service options where they provide business associate agreements.

 

2. Loss or theft of portable devices

Many covered entities take insufficient steps to safeguard PHI especially on thumb drives and other portable devices. The Office of Civil Rights (OCR) is clear that loss of PHI is not considered a breach if it is properly encrypted.

Mitigate your risk in case devices are lost or stolen

  1. Covered entities must ensure that their portable devices, thumb drives, laptops, computers and servers are all encrypted.
  2. Drives, storage devices and other portable devices storing PHI must be kept locked when not in use.
  3. Develop, implement and maintain an appropriate data backup policy.  Ensure that backups are encrypted as well.

 

3. Failure to complete an enterprise-wide Risk Analysis

OCR has also often found that failure to complete an enterprise-wide risk analysis is a HIPAA violation, and they have levied significant penalties and fines on entities who could not show evidence of having completed an enterprise-wide risk analysis.  The case of the large fine imposed on Anthem recently is an example of this.  We mentioned this breach and the monumental price tag that came with it in our October Newsletter.

Mitigate your risk of fines in the event of an audit

  1. All areas of the enterprise should be covered with periodic, thorough enterprise-wide security risk analysis.
  2. The risk assessment or analysis should be repeated periodically and after any major changes. We recommend doing this annually as a best practice.
  3. Review your findings from the Risk Analysis and prepare an action plan with remediation plans and target dates.

 

4. Insufficient physical safeguards or keeping PHI unlocked or easily accessible

Paper files are often kept unlocked. This practice carries a risk of penalties if your data is breached.

Mitigate your risk of unauthorized PHI access

  1. We recommend keeping paper files with PHI locked 
  2. IT closets/ network/ security/ server equipment should also be kept locked to prevent unauthorized access.

 

5. Lack of HIPAA security and privacy policies and procedures. 

Often covered entities do not maintain and implement satisfactory HIPAA security and privacy policies and procedures.  Or even if they have policies and procedures, not all of them review and update their policies and procedures periodically. 

Mitigate your risk

  1. Take the time to prepare and maintain policies and procedures.
  2. Review these policies and procedures annually or after a major change.
  3. Ensure that employees are trained on your policies and procedures, and follow them.

 

6. Delays in reporting breaches as per the breach notification rule.

Breaches affecting more than 500 patients are required to be reported to the Department of Health and Human Services (HHS) within 60 days of being discovered.  It’s bad enough to delay reporting to HHS, but covered entities may often not be aware of state-level breach notification requirements.  Some states like Florida can be very strict with breach notification delays. Florida, under the Florida Information Protection Act, has 30-day breach notification requirements and other specific rules depending on the number of records breached. The fines are also drastic, an example being $1000 per day for every day late for the first 30 days and more stringent penalties after that. All 50 states have enacted laws regarding breach notification.

Mitigate your risk of penalties for failing to report breaches in a timely manner

  1. If you suffer a breach, be sure to take legal advice in terms of all the requirements in your industry and location.
  2. Ensure that you are aware and comply with your state or location specific breach reporting requirements in addition to federal HIPAA breach notification rules.
  3. Cyber Insurance can help mitigate some of the expenses of a breach, but take a close look at what is covered and what you need to be doing in order to maintain coverage.

Don't risk making one of these costly mistakes!  Schedule your HIPAA risk assessment, HIPAA training for you and your staff, and prepare and/ or review your Policies and Procedures. 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

The Benefits of HIPAA Compliance Services for Physicians

The Benefits of HIPAA Compliance Services for Physicians | HIPAA Compliance for Medical Practices | Scoop.it

As a doctor, you have your hands full just taking care of your many patients, running a practice, and providing quality healthcare service. The last thing you need to worry about is whether your practice is being managed properly when it comes to Health Insurance Portability and Accountability Act (HIPAA) compliance.

 

HIPAA regulations can be complex – at least to an inexperienced or understaffed office management team – and there’s no margin of error for unintended breaches that can lead to costly penalties. That’s why it’s important that your practice utilizes professional HIPAA compliance services that offer these key benefits:

Protection against rampant data breaches

HIPAA data breaches happen at an alarming rate. Employee carelessness is a major contributing factor.  According to the HIPAA JournalData breaches caused by employee carelessness have increased year on year. More unencrypted devices are being lost, data still is being inadvertently disclosed, and simple email errors are still being made. Performing regular training on data privacy and security can help to reduce the number of data breaches suffered.”

 

To reduce – if not eliminate – your risk, you may need on-site compliance experts who are not only able to answer your questions at every step during the process, but who can educate and empower your workforce. These experts can provide real-time advice for best practices for securely handling protected health information, protecting patient privacy, and understandinghow to avoid potential breaches.

A customized HIPAA risk management plan

No two practices are alike. Which is why your HIPAA risk management plan must be unique for your practice. Look for a compliance service provider with decades of experience in internal investigations, regulatory compliance, inspection, facility security, risk mitigation, and health information technology can give your practice an invaluable preventative edge.

Supporting evidence that your practice is exercising due diligence

The greater your medical practice can demonstrate its efforts to exercise reasonable diligence to mitigate risk, the greater your chances of avoiding civil monetary penalties. In the event of a breach of electronic medical records, or if your practice is subjected to a HIPAA compliance investigation, your compliance services provider can provide assistance in sufficiently answering any questions the HHS Office for Civil Rights (OCR) may ask about your compliance program.

 

Colington Consulting takes the uncertainty out of what is reasonable and appropriate for HIPAA compliance for your practice. We provide HIPAA risk assessments and on-site facility security surveys by our team of experts. Unlike other service providers that use web-based formats and expect you to answer questions you can hardly understand, we always conduct the assessment, value your input, and use a common-sense approach to compliance.

 

We are experts in the field of HIPAA rules and procedures. Colington Consulting can help you avoid problems and steep fines by bringing your practice into complete HIPAA compliance. It is what we do best, allowing you to do what you do best … provide health care to your patients.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
bizconnect's comment, April 24, 7:53 AM
Nice information.
Scoop.it!

How Do I Become HIPAA Compliant?

How Do I Become HIPAA Compliant? | HIPAA Compliance for Medical Practices | Scoop.it

For healthcare providers, HIPAA compliance is a must. HIPAA guidelines protect patients’ health information, ensuring that it is stored securely, and used correctly.

 

Sensitive data that can reveal a patient’s identity must be kept confidential to adhere to HIPAA rules. These rules work on multiple levels and require a specific organizational method to implement comprehensive privacy and security policies to achieve compliance.

 

Most organizations find this to be a daunting task. We have put together a HIPAA compliance checklist to make the process easier.

 

The first is to understand how HIPAA applies to your organization. The second is to learn how to implement an active process, technology, and training to prevent a HIPAA-related data breach or accidental disclosure. Finally, the third is to put physical and technical safeguards in place to protect patient data.

By the time you’re done with our list, you will know what you need to consider to have a better conversation with your compliance advisors.

What is HIPAA?

Before talking about compliance, let’s recap the basics of HIPAA.

Signed into law by President Bill Clinton in 1996, the Health Insurance Portability and Accountability Act provides rules and regulations for medical data protection.

HIPAA does several important things. It reduces health care abuse and fraud and sets security standards for electronic billing of healthcare. It also does the same for the storage of patients’ healthcare information. The Act mandates the protection and handling of medical data, ensuring that healthcare data is kept private.

The part of HIPAA we are concerned with relates to healthcare cybersecurity. To be compliant, you must protect patients’ confidential records.

HIPAA rules have evolved. When the law was first enacted, it did not mention specific technology. As the HIPAA compliant cloud has become commonplace, it has inspired additional solutions. For example, our Data Security Cloud (DSC) is being developed to create a base infrastructure for a HIPAA compliant solution. Providing a secure infrastructure platform to ride on top of, DSC makes creating a HIPAA-compliant environment easier.

Secure infrastructure handles things at the lowest technical level that creates data, providing the key features to keep data safe. These features include separation/segmentation, encryption at rest, a secure facility at the SOC2 level of compliance, and strict admin controls among other required security capabilities.

 
 

Why Is HIPAA Compliance Important?

HIPAA compliance guidelines are incredibly essential. Failure to comply can put patients’ health information at risk. Breaches can have a disastrous impact on a company’s reputation, and you could be subject to disciplinary action and strict violation fines and penalties by CMS/OCR.

Last year’s Wannacry ransomware attack affected more than 200,000 computers worldwide, including many healthcare organizations. Most notably, it affected Britain’s National Health Service, causing serious disruptions in the delivery of health services across the country.

To gain access to the systems, hackers exploited vulnerabilities in outdated versions of Windows that are still commonly used in many healthcare organizations. With medical software providers offering inadequate support for new OS’s and with medical devices such as MRIs lacking security controls, the attack was easy to carry out.

The attack demonstrated the strength of today’s hackers, highlighting the extent to which outdated technologies can pose a problem in modern organizations. This is precisely why HIPAA also regulates some aspects of technology systems used to store, manage, and transfer healthcare information.

The institutions that fail to implement adequate systems can suffer significant damage. If a breach takes place, the law requires affected organizations to submit various disclosure documents, which can include sending every subject a mailed letter. They may also be required to offer patients a year of identity protection services.  This can add up to significant dollars, even before confirming the extent of the breach.

 

What is the HIPAA Privacy Rule?

The HIPAA Privacy Rule creates national standards. Their goal is to protect medical records and other personally identifiable health information (PHI).

It applies to three types of companies: providers, supply chain (contractors, vendors, etc.) and now service providers (such as data centers and cloud services providers). All health plans and healthcare clearinghouses must be HIPAA compliant.

The rules also apply to healthcare providers who conduct electronic health-related transactions.

The Privacy Rule requires that providers put safeguards in place to protect their patients’ privacy. The safeguards must shield their PHI. The HIPAA Privacy Rule also sets limits on the disclosure of ePHI.

It’s because of the Privacy Rule that patients have legal rights over their health information.

These include three fundamental rights.

    • First, the right to authorize disclosure of their health information and records.
    • Second, the right to request and examine a copy of their health records at any time.
    • Third, patients have the right to request corrections to their records as needed.

The HIPAA Privacy Act requires providers to protect patients’ information. It also provides patients with rights regarding their health information.

 

What Is The HIPAA Security Rule

The HIPAA Security Rule is a subset of the HIPAA Privacy Rule. It applies to electronic protected health information (ePHI), which should be protected if it is created, maintained, received, or used by a covered entity.

The safeguards of the HIPAA Security Rule are broken down into three main sections. These include technical, physical, and administrative safeguards.

Entities affected by HIPAA must adhere to all safeguards to be compliant.

Technical Safeguards

The technical safeguards included in the HIPAA Security Rule break down into four categories.

    • First is access control. These controls are designed to limit access to ePHI. Only authorized persons may access confidential information.
    • Second is audit control. Covered entities must use hardware, software, and procedures to record ePHI. Audit controls also ensure that they are monitoring access and activity in all systems that use ePHI.
    • Third are integrity controls. Entities must have procedures in place to make sure that ePHI is not destroyed or altered improperly. These must include electronic measures to confirm compliance.
    • Finally, there must be transmission security. Covered entities must protect ePHI whenever they transmit or receive it over an electronic network.

The technical safeguards require HIPAA-compliant entities to put policies and procedures in place to make sure that ePHI is secure. They apply whether the ePHI is being stored, used, or transmitted.

Physical Safeguards

Covered entities must also implement physical safeguards to protect ePHI. The physical safeguards cover the facilities where data is stored, and the devices used to access them.

Facility access must be limited to authorized personnel. Many companies already have security measures in place. If you don’t, you’ll be required to add them. Anybody who is not considered an authorized will be prohibited from entry.

Workstation and device security are also essential. Only authorized personnel should have access to and use of electronic media and workstations.

Security of electronic media must also include policies for the disposal of these items. The removal, transfer, destruction, or re-use of such devices must be processed in a way that protects ePHI.

Administrative Safeguards

The third type of required safeguard is administrative. These include five different specifics.

    • First, there must be a security management process. The covered entity must identify all potential security risks to ePHI. It must analyze them. Then, it must implement security measures to reduce the risks to an appropriate level.
    • Second, there must be security personnel in place. Covered entities must have a designated security official. The official’s job is to develop and implement HIPAA-related security policies and procedures.
    • Third, covered entities must have an information access management system. The Privacy Rule limits the uses and disclosures of ePHI. Covered entities must put procedures in place that restrict access to ePHI to when it is appropriate based on the user’s role.
    • Fourth, covered entities must provide workforce training and management. They must authorize and supervise any employees who work with ePHI. These employees must get training in the entity’s security policies. Likewise, the entity must sanction employees who violate these policies.
    • Fifth, there must be an evaluation system in place. Covered entities must periodically assess their security policies and procedures.

Who Must Be HIPAA complaint?

There are four classes of business that must adhere to HIPAA rules. If your company fits one of them, you must take steps to comply.

The first class is health plans. These include HMOs, employer health plans, and health maintenance companies. This class contains schools who handle PHI for students and teachers. It also covers both Medicare and Medicaid.

The second class is healthcare clearinghouses. These include healthcare billing services and community, health management information systems. Also included are any entities that collect information from healthcare entities and process it into an industry-standard format.

The third class is healthcare providers. That means any individual or organization that treats patients. Examples include doctors, surgeons, dentists, podiatrists, and optometrists. It also includes lab technicians, hospitals, group practices, pharmacies, and clinics.

The final class is for business associates of the other three levels. It covers any company that handles ePHI such as contractors, and infrastructure services providers. Most companies’ HR departments also fall into this category because they handle ePHI of their employees. Additional examples include data processing firms and data transmission providers. This class also includes companies that store or shred documents. Medical equipment companies, transcription services, accountants, and auditors must also comply.

If your entity fits one of these descriptions, then you must take steps to comply with HIPAA rules.

What is the HIPAA Breach Notification Rule?

Even when security measures are in place, it’s possible that a breach may occur. If it does, the HIPAA Breach Notification Rule specifies how covered entities should deal with it.

The first thing you need to know is how to define a breach. A breach is a use or disclosure of PHI forbidden by the Privacy Rule.

The covered entity must assess the risk using these criteria:

    1. The nature of the PHI involved, including identifying information and the likelihood of re-identification;
    2. The identity of the unauthorized person who received or used the PHI;
    3. Whether the PHI was viewed or acquired; and
    4. The extent to which the risk to the PHI has been mitigated.

Sometimes, PHI may be acquired or disclosed without a breach.

The HIPAA rules specify three examples.

  • The first is when PHI is unintentionally acquired by an employee or person who acted in good faith and within the scope of their authority.
  • The second is inadvertent disclosure of PHI by one authorized person to another. The information must not be further disclosed or used in a way not covered by the Privacy Rule.
  • The third occurs if the covered entity determines that the unauthorized person who received the disclosure would not be able to retain the PHI.

 

If there is a breach as defined above, the entity must disclose it. The disclosures advise individuals and HHS that the breach has occurred.

 

Personal disclosures must be mailed or emailed to those affected by the breach. A media disclosure must be made in some circumstances. If more than 500 people in one area are affected, the media must be notified.

 

Finally, there must also be a disclosure to the HHS Secretary.

The HIPAA Breach Notification Rule protects PHI by holding covered entities accountable. It also ensures that patients are notified if their personal health information has been compromised.

 

What Are The HIPAA Requirements for Compliance

The common question is, how to become HIPAA compliant?

The key to HIPAA compliance certification is to take a systematic approach. If your entity is covered by HIPAA rules, you must be compliant. You must also perform regular audits and updates as needed.

 

With that in mind, we’ve compiled a comprehensive checklist for use in creating your HIPAA compliance policy.

HIPAA Compliance Checklist

These questions cover the components to make you are HIPAA-compliant. You can use the checklist to mark each task as you accomplish it. The list is intended to be used for self-evaluation.

Have you conducted the necessary audits and assessments according to National Institutes of Standards and Technology (NIST) Guidelines?

 

The audits in question involve security risk assessments, privacy assessments, and administrative assessments.

Have you identified all the deficiencies and issues discovered during the three audits?

 

There are several things to consider before doing the self-audit checklist. You need to ensure that all security, privacy, and administrative deficiencies and issues are appropriately addressed.

 

Have you created thorough remediation plans to address the deficiencies you have identified?

After covering the deficiencies and issues mentioned above, you need to provide remediation for each group.

Do you have policies and procedures in place that are relevant to the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule?

 

You must be aware of these three critical aspects of a HIPAA compliance program and ensure each is adequately addressed.

    • Have you distributed the policies and procedures specified to all staff members?
      • Have all staff members read and attested to the HIPAA policies and procedures you have put in place?
      • Have you documented their attestation, so you can prove that you have distributed the rules?
      • Do you have documentation for annual reviews of your HIPAA policies and procedures?
    • Have all your staff members gone through basic HIPAA compliance training?
      • Have all staff members completed HIPAA training for employees?
      • Do you have documentation of their training?
      • Have you designated a staff member as the HIPAA Compliance, Privacy, or Security Officer as required by law?
    • Have you identified all business associates as defined under HIPAA rules?
      • Have you identified all associates who may receive, transmit, maintain, process, or have access to ePHI?
      • Do you have a Business Associate Agreement (Business Associate Contract) in place with each identify you have identified as a Business Associate?
      • Have you audited your Business Associates to make sure they are compliant with HIPAA rules?
      • Do you have written reports to prove your due diligence regarding your Business Associates?
    • Do you have a management system in place to handle security incidents or breaches?
      • Do you have systems in place to allow you to track and manage investigations of any incidents that impact the security of PHI?
      • Can you demonstrate that you have investigated each incident?
      • Can you provide reporting of all breaches and incidents, whether they are minor or meaningful?
      • Is there a system in place so staff members may anonymously report an incident if the need arises?

As you work your way through this checklist, remember to be thorough. You must be able to provide proper documentation of your audits, procedures, policies, training, and breaches.

As a final addition to our checklist, here is a review of the general instructions regarding a HIPAA compliance audit.

    • If a document refers to an entity, it means both the covered entity and all business associates unless otherwise specified
    • Management refers to the appropriate officials designated by the covered entity to implement policies, procedures, and standards under HIPAA rules.
    • The covered entity must provide all specified documents to the auditor. A compendium of all entity policies is not acceptable. It is not the auditor’s job to search for the requested information.
    • Any documents provided must be the versions in use as of the audit notification and document request unless otherwise specified.
    • Covered entities or business associates must submit all documents via OCR’s secure online web portal in PDF, MS Word, or MS Excel.
    • If the appropriate documentation of implementation is not available, the covered entity must provide examples from “equivalent previous time periods” to complete the sample. If no such documentation is available, a written statement must be provided.
    • Workforce members include:
      • Entity employees
      • On-site contractors
      • Students
      • Volunteers
    • Information systems include:
      • Hardware
      • Software
      • Information
      • Data
      • Applications
      • Communications
      • People

Proper adherence to audit rules is necessary. A lack of compliance will impact your ability to do business.

In Closing, HIPAA Questions and Answers

HIPAA rules are designed to ensure that any entity that collects, maintains, or uses confidential patient information handles it appropriately. It may be time-consuming to work your way through this free HIPAA self-audit checklist. However, it is essential that you cover every single aspect of it. Your compliance is mandated by law and is also the right thing to do to ensure that patients can trust you with their personal health information.

One thing to understand is that it is an incredible challenge to try to do this by yourself. You need professional help such as a HIPAA technology consultant. Gone are the days you can have a server in your closet at the office, along with your office supplies. The cleaning personnel seeing a print out of a patient’s file constitutes a ‘disclosable’ event.

Screen servers, privacy screens, and professionally-managed technology solutions are a must. Just because you use a SAS-based MR (Medical Records) solution, does not mean you are no longer responsible for the privacy of that data. If they have lax security, it is still the providers’ responsibility to protect that data. Therefore the burden of due diligence is still on the provider.

Phoenix NAP’s HIPAA compliant hosting solutions have safeguards in place, as audited in its SOC2 certifications. We provide 100% uptime guarantees and compliance-ready platform that you can use to build secure healthcare infrastructure.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

10 Best Practices for HIPAA Compliance 

10 Best Practices for HIPAA Compliance  | HIPAA Compliance for Medical Practices | Scoop.it

A failure to understand HIPAA requirements can be a very costly mistake, as CardioNet learned just a couple months ago. In April, the wireless health services provider agreed to a settlement of $2.5 million for a potential noncompliance with the HIPAA Privacy and Security Rules. (1) The violation occurred when a company laptop containing the ePHI of 1,391 individuals was stolen from an employee’s vehicle parked outside their home. The Office for Civil Rights (OCR)’s investigation revealed that CardioNet had insufficient risk analysis and risk management processes in place at the time of the theft. In addition, the company’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented. CardioNet was also unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices. 

 

“Mobile devices in the health care sector remain particularly vulnerable to theft and loss,” said Roger Severino, OCR Director. “Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected. 

 

Most HIPAA violations can be prevented by implementing HIPAA regulations into practice policies and procedures and ensuring all individuals with access to patient information receive the proper training. Below are ten best practices for keeping your practice HIPAA compliant.

 

10 Best Practices for HIPAA Compliance

  • Implement safeguards such as password protected authorization and encryption to access patient-specific information on all computers, laptops, and devices.
  • Practices should keep all patient paperwork, charts, and records locked away and safe out of the public's view. Never leave patient information out or unattended.
  • Computer programs containing patient information should be closed and logged out of when not in use. Never share passwords between employees.
  • Ensure all computers have updated anti-virus software installed. This will help keep a practice guarded against malicious software.
  • Limit emailing PHI if the information can be sent another way. When faxing PHI, always use a cover sheet.
  • Always properly dispose of information containing PHI by shredding paper files.
  • Make sure employees are aware that using social media to share patient information is considered a violation of HIPAA law.
  • If patient information is being accessed at home, ensure all home computers and laptops are password protected.
  • Back up all disks that contain PHI. Store patients’ information in a HIPAA compliant cloud server.
  • Compliance training is one of the simplest ways to avoid a violation. Practices should provide ongoing, up-to-date training on the handling of PHI for all employees.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Recent Ransomware Attacks Could be HIPAA Violations

Recent Ransomware Attacks Could be HIPAA Violations | HIPAA Compliance for Medical Practices | Scoop.it
By now, you may have heard about the massive ransomware attack that has struck over 150 countries, including The United States, over the past week.
 
If health care data taken hostage in a ransomware attack is unencrypted, it could constitute a HIPAA violation. Any electronic protected health information (ePHI) that is affected by a breach without proper encryption methods in place is very likely to be compromised in the event of a ransomware attack.
 
These recent attacks come out of a growing trend in malware incidents over the past year. OCR has released guidance about how to handle a ransomware incident in your health care practice. The federal government has stressed the importance of safeguarding your organization and protecting your confidential patient data.
 
 
If you’re interested in protecting your organization from a ransomware incident–and want education about how to prevent ransomware attacks from spawning HIPAA breaches and fines–attend the upcoming webinar.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA liability protections: business associate agreements are must for effective risk management

HIPAA liability protections: business associate agreements are must for effective risk management | HIPAA Compliance for Medical Practices | Scoop.it

The first step for a physician, known under the language of HIPAA as a “covered entity,” is to determine the need for a BAA with a vendor. A vendor is considered a “business associate” under HIPAA if the vendor creates, receives, maintains, or transmits patient health information (PHI) on the provider’s behalf.

 

Common services performed by a business associate (BA) include claims processing, data analysis, quality assurance, billing and collection, practice management, legal, accounting, and consulting.

 

Entities that only serve as conduits, such as the post office or Internet service providers, are not considered BAs even though they handle patient information.

 

What BAs must include

If a business associate is providing services to a covered entity, the parties must enter into a written BAA that:

 

  • establishes the permitted uses/disclosures of PHI,
  • stipulates that the BA must use appropriate safeguards to prevent unauthorized PHI uses and disclosures,
  • spells out that the BA reports to the covered entity any unauthorized uses and disclosures,
  • extends the terms of the BAA to its subcontracts, and
  • establishes that upon termination of the BAA, the vendor must either return or destroy all PHI.

 

The consequences of not having a written BAA can be severe. The Office of Civil Rights (OCR) could request a copy of a covered entity’s BAA if there is a complaint registered over a covered entity or if a breach occurs.

 

Violations under HIPAA can be penalized at anywhere between $100 to $50,000 per violation, up to a calendar year maximum penalty of $1,500,000 for a single violation. The OCR could take the position that every day that the BA and covered entity did not have a business associate agreement is a violation, and multiply the fine by the number of days no BAA penalty was in place, so the penalties can be steep.

 

Liability of agents

Under HIPAA, a covered entity is liable for the acts of its agents, which can include a BA.

 

Whether an agency relationship exists is determined case by case, with the essential factor being whether the provider has the right or authority to control the BA’s conduct. The authority of a provider to give instructions or directions is the control that can result in an agency relationship.

 

The language in the BAA will be considered in determining whether an agency relationship is present. If a covered entity is controlling the performance of its BA, the covered entity should closely monitor the BA’s performance since the covered entity will be held accountable for its performance.

 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA compliance tips for small medical practices

HIPAA compliance tips for small medical practices | HIPAA Compliance for Medical Practices | Scoop.it

You’ve seen the headlines splashed on TV and across the internet: data breaches hit national businesses such as Target, Chipotle, and many large healthcare systems.

 

But data breaches don’t just affect large corporate entities, they affect small healthcare organizations as well. Take the case of Holland Eye Laser Surgery in March 2018. Their five-provider group practice saw a data breach which made available the patient records of 42,000 patients. Hackers were able to access Social Security numbers, birth records, and other sensitive protected health information (PHI).

 

In fact, some of the medical records of these patients were sold off by data hackers. Officials from the practice stated that they’re now working to strengthening their security system. But once patient trust is lost, sometimes it just cannot be restored.

 

Brief primer on HIPAA and data breaches

 

• The Privacy Rule protects individually identifiable health information held or transmitted by a covered entity or its business associate, in any form, whether electronic, paper, or verbal

 

• Each entity must analyze the risks to e-PHI in its environment and create solutions appropriate for its own situation.

 

• The HIPAA Breach Notification Rule requires providers to notify affected individuals, HHS, and in some cases, the media of a breach of unsecured PHI. Most notifications must be provided without delay and no later than 60 days following the discovery of a breach.

 

5 tips to help you and your medical staff to avoid data breaches

 

1. CMS requires organizations to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).) Conduct a detailed risk analysis to evaluate the current staff and product deficiencies and create corrective measures.

 

2. Designate a staff member to train employees on your practice’s HIPAA policies and procedures and spend time going over typical breaches.

 

3. Hire an outside expert to help your organization with compliance support. Your outside organization should set up monthly meetings with the business owners to evaluate your company compliance program and work with your organization to identify cost-effective resources to keep your company compliant.

 

4. Customize your internet toolbars with anti-phishing protection. These applications can run website checks and compare them to lists of known phishing sites and alert users.

 

5. Be suspicious of any email message that asks you to enter or verify personal information through a website or by replying to the message itself. Practice groups and or staff members should never reply to or click the links in such a messages.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Legislation Changes and New HIPAA Regulations

Legislation Changes and New HIPAA Regulations | HIPAA Compliance for Medical Practices | Scoop.it

The policy of two out for every new regulation introduced means there are likely to be few, if any, new HIPAA regulations in 2018. However, that does not mean it will be all quiet on the HIPAA front. HHS’ Office for Civil Rights (OCR) director Roger Severino has indicated there are some HIPAA changes under consideration.

 

OCR is planning on removing some of the outdated and labor-intensive elements of HIPAA that provide little benefit to patients, although before HIPAA changes are made, OCR will seek feedback from healthcare industry stakeholders.

 

As with previous updates, OCR will submit notices of proposed rulemaking and will seek comment on the proposed changes. Those comments will be carefully considered before any HIPAA changes are made.

 

The full list of proposed changes to the HIPAA Privacy Rule have not been made public, although Severino did provide some insight into what can be expected in 2018 at a recent HIPAA summit in Virginia.

 

Severino explained there were three possible changes to HIPAA regulations in 2018, the first relates to enforcement of HIPAA Rules by OCR.

 

Since the introduction of the Enforcement Rule, OCR has had the power to financially penalize HIPAA covered entities that are discovered to have violated HIPAA Rules or not put sufficient effort into compliance. Since the incorporation of HITECH Act into HIPAA in 2009, OCR has been permitted to retain a proportion of the settlements and CMPs it collects through its enforcement actions. Those funds are used, in part, to cover the cost of future enforcement actions and to provide restitution to victims. To date, OCR has not done the latter.

 

OCR is considering requesting information on how a proportion of the settlements and civil monetary penalties it collects can be directed to the victims of healthcare data breaches and HIPAA violations.

 

One area of bureaucracy that OCR is considering changing is the requirement for covered entities to retain signed forms from patients confirming they have received a copy of the covered entity’s notice of privacy practices. In many cases, the forms are signed by patients who just want to see a doctor. The forms are not actually read.

 

One potential change is to remove the requirement to obtain and store signed forms and instead to inform patients of privacy practices via a notice in a prominent place within the covered entity’s facilities.

 

Severino also said OCR is considering changing HIPAA regulations in 2018 relating to good faith disclosures of PHI. OCR is considering formally clarifying that disclosing PHI in certain circumstances is permitted without first obtaining consent from patients – The sharing of PHI with family members and close friends when a patient is incapacitated or in cases of opioid drug abuse for instance.

 

While HIPAA does permit healthcare providers to disclose PHI when a patient is in imminent harm, further rulemaking is required to cover good faith disclosures.

 

While these HIPAA changes are being considered, it could take until 2019 before they are implemented.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Texas Expands HIPAA Privacy Laws to Bolster EHR Security

Texas Expands HIPAA Privacy Laws to Bolster EHR Security | HIPAA Compliance for Medical Practices | Scoop.it

Governor of Texas, Rick Perry, has signed a new law to give Texas residents even greater protection than required by the Health Insurance Portability and Accountability Act and has increased penalties for healthcare organizations that fail to implement the appropriate security measures to protect the health data of patients.

 

Under the Health Information Technology for Economic and Clinical Health Act (HITECH), covered entities have a number of responsibilities including reporting data breaches to the Office for Civil Rights (OCR). Data breaches are reportable to the OCR, either in an end of year report or after an investigation, depending on the number of individuals affected.

 

HIPAA places a number of restrictions on how ePHI is used and stored, and all covered entities are required to conduct a full risk analysis to assess systems for security vulnerabilities to allow risk to be managed. It also lays down the procedures that must be followed after a data breach, such as notifying potential victims. Covered organizations are also required to conduct an investigation into how a breach occurred as well as a risk of harm analysis.

 

One of the main aims of HIPAA has been to improve the standard of data security and protect the privacy of patients. HIPAA and HITECH can be seen as minimum standards that must be followed, and states are allowed to increase data security rules, provided that all HIPAA requirements are met.

 

Texas has now exercised the right to tighten state privacy laws to ensure electronic Protected Health Information is kept private and confidential.

 

Greater Protection for Texas Residents
The new Texas law follows HITECH, although it makes a number of amendments to further restrict the use of ePHI. The penalties have been increased for wrongful disclosure, breach notifications have been updated and healthcare organizations must provide more training to staff. A new requirement is that data privacy and security training must now be provided to employees every two years. Training courses must be documented and all attendees must sign to confirm that they have received training. A 60-day time restriction has also now applies for providing new employees with training.

 

According to the new law, “an individual’s PHI may not be disclosed without the patient’s authorization, except for purposes of treatment, payment, healthcare operations, insurance purposes, and as otherwise authorized by state or federal law”

 

Harsher Penalties for Wrongful Disclosure of ePHI
Failure to comply with the new legislation will result in increased financial penalties and possibly criminal penalties – the theft of ePHI is now considered a felony – being applied for the wrongful disclosure of ePHI. The state is also able to revoke both professional and institutional licenses. Financial penalties have been increased to a maximum of $250,000 for intentional disclosure of ePHI for financial gain, $25,000 for intentional or knowing violation and $5,000 for each individual negligent violation, although the maximum penalty for repeat offenders is $1.5 million and enforced withdrawal from Medicaid, the Children’s Health Insurance Program and other state funded healthcare initiatives is also a possibility.

 

When assessing violations, the seriousness of the data breach will be considered along with significant risk of harm, past history of the organization, certification, the efforts made to mitigate any damage caused and the amount necessary to deter the organization from allowing further violations to occur. Failure to issue breach notifications to affected individuals will also be penalized at a rate of $100 per day, per individual, up to a maximum fine of $250,000.

 

HIPAA regulations require employers to provide training on data Privacy and Security Rules, although this is only required within a short time frame of the commencement of employment and after a material change in Privacy and security policies. Under the new Texas law there is a requirement for ongoing training to be provided to staff and this must also be tailored to the employee’s position within the company. Rules have also changed on breach notifications to include all HIPAA covered entities including business associates, as well as non HIPAA-covered entities that wrongfully disclose ePHI.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

8 Ways HIPAA Compliant Cloud Phone Systems Help Healthcare

8 Ways HIPAA Compliant Cloud Phone Systems Help Healthcare | HIPAA Compliance for Medical Practices | Scoop.it

If you work in a pharmacy, insurance company, hospital, or any kind of healthcare practice, you know about HIPAA. The Health Insurance Portability and Accountability Act of 1996obligates all healthcare providers or payers to safeguard the privacy and integrity of the personal health information, or PHI, of patients. You also know that it's about much more than securing digital data files: It's what obligates the pharmacy technician to ask customers in line to step back from the pickup counter; it's what requires hard copy patient records to be kept out of reach of unauthorized personnel.

 

Also under HIPAA's umbrella? Telephone usage.

As with oral or written information, compliance in digital voice and video is achieved through a combination of technology tools and proper practices. When you store it, (think voicemails, recorded calls) digital voice puts the "e" in ePHI (electronic personal health information) where HIPAA's more stringent security (as opposed to privacy) rules apply. Here, it's important not just to keep patient information from unauthorized persons; it's important to ensure such data is locked down or encrypted in such a way that it can't be accessed or changed.

It's no small chore to establish HIPAA compliance; that's why few hosted VoIP providers have performed the required policy and procedure improvements, documentation, employee training, ongoing monitoring, and physical security audits. Some, however—including OnSIP—have taken this step. By being certified to sign the Business Associate Agreements that HIPAA requires, providers assure customers that they take on responsibility for compliance as regards their voice and video platform. In the process, they extend to healthcare the considerable benefits of cloud communications that non-regulated industries have enjoyed for years.

 

Here are eight examples of how a healthcare practice can benefit from an HIPAA-compliant cloud phone system:

1. Share phone numbers, recordings, menus, and more across multiple locations.

Cloud communications can bring multiple sites under one shared administrative account. This not only saves money previously spent on individual phone lines, but also lets users dial any phone as a in-network extension, with call handling functions such as hold and transfer. OnSIP's network-wide encryption ensures that such calls cannot be tapped at any point on the IP network. (For a good example of how this works, see how Open Arms Treatment Center unified multiple office locations.)

2. Pool personnel across multiple locations to reduce calls on hold and provide foreign language assistance.

With system-wide call queuing, multi-site practices or insurance companies can pool office staff in every location to answer all incoming calls to a main number, reducing patient wait times. If they want to respond even faster, they can even recruit home-based workers. These remote staff can use personal computers or phones as extensions on the network. Organizations can also leverage, for example, the Spanish-speaking staffer in one location to handle Spanish-speaking callers to all other sites.

3. Provide staff with EHRs and patient information from PMS apps upon incoming calls.

Just as cloud phone systems are easily integrated with business CRM software to pop customer information on customer service agent screens, an integration with a PMS can pop patient info, saving office staff time in making appointments or handling insurance claims. Such integrations also makes it easier to dial out to patients, by enabling click-to-dial functionality on a computer. It further helps ensure that patients are reached through the numbers they requested to receive calls—as required by HIPAA—since it is easy to embed those clickable numbers prominently on their records.

4. Make and receive calls with professional caller ID from any phone or location.

Many cloud phone system providers offer softphone applications that run on a computer or smartphone. These apps allow users to access the phone system remotely, so doctors can answer work calls and view inbound caller ID information, no matter where they are. They can also easily transfer calls colleagues. When they need to make a work call, their outbound caller ID will display the office phone number, a favorite feature for on-call staff who may be away from the practice and carry only their personal phone.

5. See who's available across the organization to receive transferred calls.

With a clear view of coworkers' availability—available on some services—users can avoid transferring patients' calls to unattended extensions or voicemail, averting frustration. When staff are there to answer, patients can be transferred from lab results to follow-up scheduling or refill requests, accomplishing more with each call.

6. Video calling can extend physician reach to underserved areas and workplaces.

While patients are by now well acquainted with video calling, the Skype and Facetime appsthey use are not HIPAA compliant. If a HIPAA-certified cloud phone service includes video calling, practitioners can leverage this richer medium for better informed (and more billable) consultations. These calls can support technician-assisted telehealth visits and remote medical device readings, extending clinicians’ reach into underserved areas. Technician-assisted medical kiosks, equipped with video calling and devices such as digital stethoscopes and blood-pressure monitors, have been installed in workplaces to encourage employees to take better care of their health.

7. Video calling aids and encourages use of online patient portals.

Since voice and video sessions can be provided through a web browser, video chat can be embedded in an online patient portal. Being able to see the medical assistant, say, answering questions, may encourage more patients to sign up for these increasingly popular portals. By logging into a secure website, patients can access personal information as well as view lab results, send secure messages to doctors, track immunization records, and schedule appointments.

8. Easily retrieve voicemails and other call recordings attached to EHRs and PMRs.

Many hosted VoIP services offer call recording, which is gaining use in healthcare settingsfor a variety of reasons, from documenting remote visits, to training employees, to protection from spurious malpractice suits. As a digital file containing individually identifiable health info, these recordings require encryption in transit and at rest. With a HIPAA-certified cloud service and proper policy enforcement, these recordings can be securely shared among other members of the practice group, or attached to a patient record in a similarly secured practice management or EHR system.

 

At the end of the day, healthcare organizations must recognize that HIPAA compliance is only one part technology. Policy establishment and documentation, training, and enforcement make up the other parts. Oral, paper, and digital media, storage strategy and messaging must be thoroughly considered.

 

If you’re considering a cloud phone system for your office or practice, a good place to start is by reviewing HIPAA’s privacy and security rules. Since at least 11 states add more stringent patient protections to the ones imposed federally, their rules must be reviewed as well. For this, we recommend Health Information & the Law, a project of the George Washington University's Hirsh Health Law and Policy Program and the Robert Wood Johnson Foundation. If you provide medical care, you should consult a lawyer familiar with your state’s health privacy laws. Finally, you should also commission a third-party auditor to determine what parts you may be missing before implementing a cloud-based communications solution.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
Scoop.it!

Fax Sent to Wrong Number Results in HIPAA Violation

Fax Sent to Wrong Number Results in HIPAA Violation | HIPAA Compliance for Medical Practices | Scoop.it

One morning, the office manager got a call from one of the practice's patients, Mr. M, a 52-year-old, HIV-positive man who had been seeing Dr. G for a decade. Although he was happy with the treatment he had been receiving, Mr. M's company was promoting him and he was relocating to another town. He called to ask Dr. G to fax his medical records to his new urologist.

 

The office manager was juggling numerous tasks, but managed to send the fax out later that day. The office did not have personalized fax cover sheets, just sheets that the office manager printed off once a week which had spaces to fill in the “to” and “from” sections. She hurriedly filled them in and shot off the fax, one of several she had to do before checking in the next patient.

 

At the end of the day she told Dr. G that it had been done. He thought nothing of it until the following Monday when the office manager came into the back office to speak to him. She was pale and looked shaken, and the physician immediately asked if she was okay.

 

“It's Mr. M,” the office manager said. “He just called – absolutely furious. He says that we faxed his medical records to his employer rather than his new doctor, and that now his company is aware of his HIV status. He is extremely upset.”

 

“I'm so sorry,” the office manager said tearfully. “I was the one who sent that fax out. I must have accidentally grabbed the wrong number from his file. What should we do?” She looked at Dr. G for guidance.

 

Dr. G was holding his forehead, and trying to figure out how to remedy the situation. “The first thing we're going to do is to call Mr. M and apologize. Then we'll take it from there.”

 

The office manager and Dr. G called Mr. M and apologized profusely for the mix-up. Mr. M understood that it had not been done maliciously, but he was still not satisfied and reported the incident to the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR).

 

An initial investigation indicated that the incident was not criminal and so it was not referred to the Department of Justice.

 

Rather, it was handled by the OCR. OCR officials appeared at Dr. G's office to look into the matter, and after a thorough investigation, the OCR issued a letter of warning to the office manager, referred the office staff for HIPAA privacy training, and had the office revise the fax cover sheets to underscore that they contain a confidential communication for the intended recipient only.

 

Legal Background
The Health Insurance Portability and Accountability Act, commonly known as HIPAA, protects personally identifiable health information of patients, and specifies to providers how such information may be used. HIPAA has been in effect for about a decade, and in that time, the HHS has received a total of almost 80,000 complaints.

 

Of those, more than 44,000 were dismissed, 19,000 were investigated and resolved with changes to privacy practice, and 9,000 were investigated but no violations were found. According to HHS, private medical practices were the ones most often required to take corrective action as a result of enforcement.

 

The top two compliance issues most frequently investigated are impermissible use and disclosure of protected health information and lack of safeguards for protected health information.

 

When a HIPAA complaint is filed with the HHS, the first determination made is whether there was a possible privacy violation and whether it was of a criminal nature. If it was determined to be criminal, the case is referred to the Department of Justice for investigation and possible prosecution.

 

If it was determined that it was not a criminal issue (as in this case) the violation is investigated by the OCR. If it is determined that a HIPAA violation did, in fact, take place, the OCR can either obtain voluntary compliance, corrective action or some other voluntary agreement with the offender, or the OCR can issue a formal finding of violation and force the offender to change its practices.

 

In this particular case, the office manager and Dr. G recognized the mistake and immediately tried to take corrective action by apologizing to the patient. Dr. G's office also voluntarily agreed to extra compliance training for the staff and to a change in their faxing procedures to indicate that the faxed materials are confidential.

 

Protecting Yourself
This particular scenario was the result of a careless error. While a careless error can happen to anyone, one such as this could cause irreparable harm to the patient if his employer now views or treats him differently because of the new knowledge of his HIV-positive status.

 

Confidential patient records must be treated with the greatest of care as they contain information of an extremely personal nature. Many HIPAA cases have involved the unintentional divulging of the HIV or AIDS status of a patient.

 

In a similar case, a dental practice was reported for using red stickers and the word AIDS on the outside of patient folders. And in a case that took place in a hospital, a nurse and orderly lost their jobs for discussing a patient's HIV status within earshot of other patients.

 

A good rule of thumb is to treat a patient's confidential information as you would want yours to be treated, and then add a little extra security for good measure.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Few Things Physicians are Not Doing to Comply with HIPAA.

Few Things Physicians are Not Doing to Comply with HIPAA. | HIPAA Compliance for Medical Practices | Scoop.it

Shortly after the Health Insurance Portability and Accountability Act (HIPAA) was implemented, David Zetter was at a doctor's office helping the group build a compliance plan. He was in the back of the practice training some of the staff when the receptionist walked in and handed him a piece of paper.

 

The note was from a patient saying she could see everyone's names and files at the front desk and she knew that was a HIPAA violation.

 

More than a decade later, HIPAA compliance has become ingrained: Files are not left out in the open, patient information is not improperly disclosed, and doctors do not leave health-related messages on answering machines. It is routine to have every patient sign a HIPAA release and go about your business.

 

But compliance is not a one-and-done activity as much as an evolution of rules and procedures. Compliance gurus bet there are at least a few things physicians are not doing to comply with HIPAA.

 

Make a plan
One main thing that practices should have is a compliance plan, but many do not, said Zetter, founder of Zetter Healthcare Management Consultants. “They buy a cheap manual off of the internet and think that works,” he said. “But it cannot be implemented that way; it wasn't set up for your practice.”

 

Even state medical societies sell how-to manuals, but Zetter said this is only a document meant to guide you through creating a compliance plan, not the plan itself.

 

Sample HIPAA compliance plans and instructions for completing one can be found online. The Massachusetts Medical Society provides a document with a checklist and tips to help doctors develop their own documents.

 

Analyzing compliance
The second thing that needs to be completed is a gap analysis. These are used to determine what the organization is doing and what they should be doing. Zetter said an office needs to take each section of the regulation, see what is required and compare it with what is being done. Detailed information on creating a gap analysis can be found at the North Carolina Department of Health and Human Services Website.

 

Once gaps are identified, it is important to find ways to mitigate the potential problem areas. Physicians can do this by performing a risk analysis, which provides the basis for developing ways to cover themselves if an information breach should occur.

 

A risk analysis can arrive at whether there is a low, medium, or high risk of a HIPAA violation occurring, Zetter said. The greater the risk, the more resources are needed for prevention. All of this should be documented.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Staff Nurse Faces Jail Time for HIPAA Violations

Staff Nurse Faces Jail Time for HIPAA Violations | HIPAA Compliance for Medical Practices | Scoop.it

Her breach of a patient's privacy jeopardized the clinic from which she was subsequently fired.

 

What began as routine file maintenance ended in arrest and possible jail time for a licensed practical nurse who shared a patient's medical information with her spouse.

 

Ms. A, 29, had been employed by a midsize regional clinic for five years. While she enjoyed her job and got on well with her supervisor, Dr. P, she was known to bemoan what she saw as low pay and the financial strain it created for herself and her husband. That strain intensified when her husband was in an auto accident and then sued by people in the other car seeking compensation for their injuries.

 

One day, as Ms. A was flipping through charts to straighten up the files, she saw the plaintiff's name. Reading the chart with great interest, she jotted some notes, stuck them in her bag, and replaced the file. That night, as her husband complained about the impending lawsuit and its potential financial consequences, Ms. A smiled and reached into her bag for the notes she'd taken earlier. “I think this will help,” she said.

 

The next day, Mr. A phoned the patient. During the conversation, he made it known that he had medical information which he believed weakened the man's case. Mr. A suggested that he consider dropping the lawsuit.

 

After hanging up with Mr. A, the patient made two phone calls. First he called the clinic where Ms. A worked. Then he called the district attorney.

 

The next morning, Ms. A was summarily fired. “You may very well have put this whole clinic in jeopardy,” Dr. P told her.

 

After Ms. A left the building, Dr. P called a meeting of all the nurses, physician assistants, and support staff and explained why Ms. A had been fired. Outlining the laws on patient privacy, he informed them that no breach of these laws would be tolerated under any circumstances.

 

Meanwhile, Ms. A's problems were just beginning. The district attorney forwarded the patient's complaint to a federal prosecutor, and within a month, both Ms. A and her husband were indicted. Ms. A was charged with violating the Health Insurance Portability and Accountability Act (HIPAA) and with “conspiracy to wrongfully disclose individual health information for personal gain with maliciously harmful intent in a personal dispute.” Her husband was charged with witness tampering. The couple hired a criminal defense attorney, who negotiated a plea agreement with the federal prosecutor. Ms. A pleaded guilty to one count of wrongful disclosure of individual health information for personal gain. In exchange for her plea, the charges against her husband were dismissed.

 

Ms. A is awaiting sentencing. She faces up to 10 years in prison, a fine of as much as $250,000, and up to three years of supervised probation. The state nursing board is seeking to revoke her license.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA compliance tips for small medical practices

HIPAA compliance tips for small medical practices | HIPAA Compliance for Medical Practices | Scoop.it

But data breaches don’t just affect large corporate entities, they affect small healthcare organizations as well. Take the case of Holland Eye Laser Surgery in March 2018. Their five-provider group practice saw a data breach which made available the patient records of 42,000 patients. Hackers were able to access Social Security numbers, birth records, and other sensitive protected health information (PHI).

 

In fact, some of the medical records of these patients were sold off by data hackers. Officials from the practice stated that they’re now working to strengthening their security system. But once patient trust is lost, sometimes it just cannot be restored.

 

Brief primer on HIPAA and data breaches

• The Privacy Rule protects individually identifiable health information held or transmitted by a covered entity or its business associate, in any form, whether electronic, paper, or verbal

• Each entity must analyze the risks to e-PHI in its environment and create solutions appropriate for its own situation.

• The HIPAA Breach Notification Rule requires providers to notify affected individuals, HHS, and in some cases, the media of a breach of unsecured PHI. Most notifications must be provided without delay and no later than 60 days following the discovery of a breach.

 

5 tips to help you and your medical staff to avoid data breaches

1. CMS requires organizations to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).) Conduct a detailed risk analysis to evaluate the current staff and product deficiencies and create corrective measures.

2. Designate a staff member to train employees on your practice’s HIPAA policies and procedures and spend time going over typical breaches.

3. Hire an outside expert to help your organization with compliance support. Your outside organization should set up monthly meetings with the business owners to evaluate your company compliance program and work with your organization to identify cost-effective resources to keep your company compliant.

4. Customize your internet toolbars with anti-phishing protection. These applications can run website checks and compare them to lists of known phishing sites and alert users.

5. Be suspicious of any email message that asks you to enter or verify personal information through a website or by replying to the message itself.  Practice groups and or staff members should never reply to or click the links in such a messages.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Five Steps to HIPAA Compliance for a Doctor's Office

Five Steps to HIPAA Compliance for a Doctor's Office | HIPAA Compliance for Medical Practices | Scoop.it

Why do you, as a doctor, dentist or any other medical provider, need to comply with HIPAA? HIPAA, the Health Insurance Portability and Accountability Act, was enacted by the US government to not only protect patient confidentiality and privacy but also to ensure that doctors and other medical practices protect their data to prevent unauthorized persons and criminals from getting access to patients' confidential, private and financial information.

 

Patient health records called PHI (Protected Health Information) are a valuable commodity for criminals and sell for high prices in the black market.   Medical professionals must therefore strictly abide by HIPAA rules in order to avoid monetary fines, damage to their reputation, loss of their license(s), and even imprisonment. Over the last few years, we have been hearing of multiple instances of doctors, nurses and healthcare workers being jailed or fined hefty sums for HIPAA violations. The Office of Civil Rights (OCR) has concentrated on education and outreach and has also focused on enforcement of HIPAA law especially when a healthcare organization suffers a breach or is in violation of HIPAA law.

 

Professionals in the medical field have the moral and ethical responsibility to abide by laws that govern them and to provide the utmost care, which includes protecting the health information of each and every patient. This requires the ability to make logical decisions minute by minute, plus a great deal of patience, professionalism, and high standards related to HIPAA compliance to ensure protection of ALL health information… which includes the following steps:

 

1. Exercise Privacy in Your Office Everywhere

  • Give patients the privacy they deserve in your office whether it’s in the lobby or their patient room.
  • Minimize references to patients; it is best to call patients by first or last name only when directing them to their patient room.
  • Allow for a quiet, private space when talking with patients individually so only those intended for the information are the ones who hear it.
  • Never leave patient documents/files unattended or unsecured.
  • Always knock before entering patient rooms.
  • While accessing electronic PHI (ePHI), make sure that no unauthorized person can see the data on your screen or device.
  • Continuously enforce this culture of privacy with your staff.

2. Post Notice of Privacy Practices

  • Print notice of privacy practices and place it in a common and clearly visible area in your office, so that patients are openly provided with the privacy laws and information that strives to keep their care confidential.
  • If you have a website for your practice, then be sure to post a copy of the Notice of Privacy Practices prominently on your website.
  • Keep copies of the Notice of Privacy Practices available in case any of your patients asks for a copy.

3. Maintain and Follow Written Policies and Procedures

  • Develop a written policies and procedures manual for everyone in your practice to follow, to ensure patient privacy and security. The manual should also contain forms, notices, disclosures and step-by-step procedures for patient privacy notification and overall HIPAA compliance.
  • Your policies and procedures should be accessible to all staff.  Get attestations from your staff that they have read and will abide by your written policies and procedures.
  • Review your policies and procedures annually to ensure that they are still current, and review them with your staff every year after this review.
  • Review, and if needed update, your policies and procedures whenever there is a major change in your practice, for instance, a change in your EHR or key software used like anti-virus, data backup service or anything similar.

4. Train Your Team on HIPAA Do’s and Don’ts

  • Ensure that your employees go through HIPAA training every year.
  • Your employees should sign and acknowledge their awareness of these HIPAA policies and procedures.
  • Document training dates and employee names as proof that all your employees have been trained.
  • All healthcare providers - doctors, nurses, and all staff - should undergo annual HIPAA training.
  • Ensure that your Business Associates also undergo annual HIPAA training.

5. Conduct the Mandatory Annual HIPAA Security Risk Assessment

  • This mandatory HIPAA security risk assessment should be completed in order to analyze risks within the practice. Typically, a security risk assessment will check your office for compliance with the HIPAA Security Rule and the HIPAA Privacy Rule.   Your security risk assessment would involve reviewing in detail your technical safeguards, physical safeguards and administrative safeguards which are all key elements of the HIPAA Security Rule.
  • You can either do this annual assessment internally or hire a HIPAA expert to perform the assessment.
  • If any evaluated areas require remediation or follow-up, plans of action will have to be developed with timelines to address them.
  • Be sure to address your follow-up action items within a reasonable period of time.  About 3-4 months is often considered a reasonable time for most doctors' offices.  For instance, if you are using a straight-cut shredder, your report might ask you to procure a cross-cut shredder or shredding service to make your document disposal process more secure.
  • Know where your patients' Protected Health Information is - where it is stored on your EHR, where your data backups are kept, on which employees you or your employees store any PHI, where printed versions of PHI may be kept.
  • If you don't already have Business Associate Agreements with your vendors, you should arrange to get them immediately.  These are important legal documents where you can specify the roles and responsibilities of your vendors or business associates when it comes to handle your patients' protected health information that you are ultimately responsible for.
  • While disposing of anything that has PHI on it - in any format - use secure disposal techniques. Your security consultant can guide you on how to securely dispose of PHI on different media. 
  • Some of the action items may be very technical, for instance, it may recommend that you implement secure email or encrypt your storage devices, or that you may need to get a vulnerability assessment done. Your IT vendor or security vendor should be able to guide you in these situations.

 

Ultimately, medical facilities that do not stray from complying with current rules and laws that govern their care and practice will continue to have the best reputation and the best rapport with their patients. Enforcing the highest level of HIPAA compliance within your facility means that you understand the importance of protecting health information and providing continuity of care across the medical spectrum to provide the best care outcomes for each and every patient in every way possible.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Audits of Covered Entities and Business Associates

HIPAA Audits of Covered Entities and Business Associates | HIPAA Compliance for Medical Practices | Scoop.it

In August, Advocate Health Care Network agreed to pay a $5.55 million settlement with the U.S. Department of Health and Human Services Office for Civil Rights (OCR), for multiple HIPAA violations. In addition, HHS also recently announced a $650,000 resolution settlement against the Catholic Health Care Services of the Archdiocese of Philadelphia.

 

These multi-million dollar penalties should be a warning for all covered entities or business associates.  Especially, with the next phase of audits now underway. During this phase, OCR is reviewing the policies and procedures utilized by covered entities and their business associates to ensure they meet the standards and specifications of the Privacy, Security, and Breach Notification Rules. These will mostly be desk audits. However, there will be some on-site audits conducted as well.

 

The audit process began in May 2016 when OCR audit sent emails to verify entity’s address and contact information. The next step was a pre-audit questionnaire that was used to gather information about the size, type, and operations of the facilities. Those who participate in the desk audits are required to provide a list of their business associates and their contact information. Emails will go out to the chosen business associates, who are expected to respond promptly. The audits are expected to focus heavily on breach responses. If a business associate does not respond within the timeframe, they will be scheduled in January 2017 for the comprehensive audits.

 

Some frequently asked questions regarding audits include:

Who Will Be Audited?

 

Every covered entity and business associate are eligible for an audit, including covered individual and organizational providers of health services; health plans, health care clearinghouses; and a range of business associates of these entities.

 

What is a Business Associate?

Business associates are considered any third-party contractor that performs work or activities on behalf of a healthcare organization or covered entity that involve the use or disclosure of protected health information.  A few examples may include:

  • Example of business associates: lawyer’s working on a case, a medical transcription or medical billing companies, document storage or disposal companies, answering services, software vendors, and consultants, patient safety and accreditation organizations, health information exchanges, etc.)
  • Examples NOT typically considered business associates: an employee, maintenance or repair personnel, a financial or banking institution that only performs payment activities or a janitorial service. 

 

What are Business Associate Agreements?

HIPAA and HITECH require practices to sign a business associate agreement (BA) with business associates that ensures they will protect all patient's PHI. The contract protects personal health information (PHI) by HIPAA guidelines. Business associates can be held accountable for any data breach and penalized for noncompliance.

 

Why are Business Associates Agreements important?

Business associate contracts are not only necessary for staying in compliance; they are crucial for the adequate protection of patient PHI.  The following are HIPAA requirements for business associate agreements:

  1. Establish the permitted and required uses and disclosures of protected health information by the business associate.
  2. Provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law.
  3. Require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule about electronic protected health information.
  4. Require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information.
  5. Require the business associate to disclose protected health information as specified in its contract to satisfy a covered entity’s obligation with respect to individuals' requests for copies of their protected health information, as well as make available protected health information for amendments (and incorporate any amendments, if required) and accountings.
  6. To the extent the business associate is to carry out a covered entity’s obligation under the Privacy Rule, require the business associate to comply with the requirements applicable to the obligation.
  7. Require the business associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule.
  8. At termination of the contract, if feasible, require the business associate to return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity.
  9. Require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information.
  10. Authorize termination of the contract by the covered entity if the business associate violates a material term of the contract.  Contracts between business associates and business associates that are subcontractors are subject to these same requirements. (1)

 

How Will Auditees Be Selected?

OCR is identifying groups of covered entities and business associates that represent a broad range of health care providers, health plans, health care clearinghouses and business associates.  According to HHS, the sampling criteria for selection will include the size of the entity, affiliation with other healthcare organizations, the type of entity and its relationship to individuals, whether an organization is public or private, geographic factors, and present enforcement activity with OCR. OCR will not audit entities with an open complaint investigation or that are currently undergoing a compliance review.

 

What If an Entity Doesn’t Respond to OCR’s Requests for Information?

If an entity does not respond to requests for information from OCR, they will utilize publicly available information about the entity to create its audit pool.  An entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Is it Time for Your Organization to Hit the HIPAA Breach Panic Button? 

Is it Time for Your Organization to Hit the HIPAA Breach Panic Button?  | HIPAA Compliance for Medical Practices | Scoop.it

Indeed, it is. According to the latest statics from the HHS Office of Civil Rights (OCR), 43% of all reported breaches are now caused by hacking or other related information network discrepancies—not to mention those breaches that are the result of impermissible disclosures made by members of the work force.

 

Let’s face it, breaches will happen, especially those related to information systems. When it comes to breaches, most network security experts say it is “when” and not “if.” Regardless of whether the breach is related to the network or some other means such as lost or stolen devices containing ePHI, what is important is having a process in place to deal with it. This includes the ability to conduct an internal investigation to determine the basics such as how the breach was caused, the type of breach, and how many individuals were affected.

 

The HIPAA Breach Notification Rule states that a breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. The exception is when the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the protected health information or to whom the disclosure was made;
  3. Whether the protected health information was actually acquired or viewed; and
  4. The extent to which the risk to the protected health information has been mitigated.

 

So, what is the best way to conduct the breach risk assessment to determine this probability? Start with some type of Breach Notification Risk Assessment Tool which is a decision tree-based process. This will help determine if the breach is reportable. Even if the determination is made that the breach is not reportable, documentation that this assessment was conducted must be maintained.

 

Having a comprehensive breach notification policy is critical. This will save a lot of headaches and layout a process to follow during the period of uncertainty associated with a breach. The policy should state the obvious such as who needs to be notified internally within the organization, who is responsible for conducting the assessment, and what specific notifications need to be made. What is even more important is the actual procedure to implement the policy. Procedures should cover how to undertake the investigation of the breach to cover the who, what, how, and when of the occurrence. If it is a reportable breach, this type of information is required for submitting “Notice of a Breach” to the Secretary of HHS (which technically is delegated to OCR.) When submitting the Notice, one should be prepared to answer a number of questions. This is why it is important that the internal investigation uncover as much information as possible.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

What is required for HIPAA Compliance?

What is required for HIPAA Compliance? | HIPAA Compliance for Medical Practices | Scoop.it

Lots of our visitors ask us “what is required for HIPAA compliance?” Because this is such an important question, we try to direct our visitors to the most trusted sources for HIPAA education. The most important aspect to remember is that a checklist based “solution” is my no means affective. What we do endorse is the ability to use a checklist to understand what aspect of HIPAA you are doing, and to recognize ones you may have looked over or need to address in further detail. We recommend taking a look at Compliancy Group who has two resources for your organization, whether you’re a Covered Entity or a Business Associate. First, we recommend reading and downloading their HIPAA compliance checklist. Or you can register for their HIPAA compliance checklist webinar!

 

Some of the key findings in the checklist highlight Business Associate Agreements, and also help point out the need for more than just a security risk assessment. As many are familiar with there is a need for HIPAA training, but we do appreciate how it points out the need for documentation of training and other attestations.

 

HIPAA Compliance Checklist: What You Need to Know

The divide between what is required for compliance under HIPAA regulation and the misconceptions that healthcare professionals have about being compliant is more extensive than ever. When she was appointed in late 2015, Jocelyn Samuels, director of the Office of Civil Rights (OCR) announced her plan to start on a new wave of audits. Extensively reported upon, these Phase 2 audits are reaffirming that the over $10 million in fines levied against non-compliant Covered Entities (CE’s) and Business Associates (BA’s) seen in 2015 alone is set to become the norm, and perhaps even grow over the coming months.

 

Compliancy Group is here to make sure that you’re not the one being hit with these fines. We’ve compiled this HIPAA checklist to help guide you through some of the most often overlooked components of total HIPAA compliance, and to help ready you for this sweeping new series of audits that OCR has lined up.

 

The HIPAA Compliance Checklist: The Privacy Rule

The HIPAA Privacy & Security Rule is a series of national regulations concerned with safeguarding patients’ PHI and medical records from unauthorized access. It gives patients the primary rights over their own health information. The rule applies to health plans, healthcare clearinghouses, and health care providers that make certain electronic healthcare transactions. These groups are required to have appropriate limitations and conditions on the use and disclosure of PHI.

  • Implement written policies, procedures, and standards of conduct: Ensure that you have written training standards as well as written penalties that employees are informed of in the case of a violation.
  • Have BA agreements in place: When conducting business with a BA, you need to ensure that you have comprehensive, up-to-date agreements in place to protect your firm from liability in the event that a BA breaches HIPAA regulation.
  • Data safeguards: Maintain administrative, technical, and physical safeguards to monitor use or disclosure of PHI.
  • Complaints procedures: Implement procedures where patients can file a complaint to the CE about its HIPAA compliance, and patients must be informed that complaints may also be submitted to HHS.
  • Retaliation and waiver: Retaliation can’t be taken out against a patient who exercises their rights under the Privacy Rule. Patients cannot be made to waive their Privacy Rule rights as a means of obtaining treatment, payment, or enrollment.
  • Documentation and record retention: Records of all privacy policies, privacy practice notices, complaints, remediation plans, and other documentation must be stored and accessible for six years after their initial creation.
  • Privacy personnel: Ensure that an appointed privacy officer is in place to develop and implement the rest of these privacy policies.

 

The HIPAA Compliance Checklist: The Security Rule

The HIPAA Security Rule outlines specific regulations that are meant to prevent breaches in the creation, sharing, storage, and disposal of ePHI. Since its adoption, the rule has been used to manage patients’ confidentiality alongside changing technology. And now, with the growing trends of cloud computing and online and remote document sharing, the protection of ePHI is becoming more important than ever.

 

These safeguards each require different standards that need to be implemented in order to be deemed fully compliant. The legal jargon that surrounds each safeguard and standard can be confusing, so we’ve broken them down into a simple, but comprehensive list below.

 

The HIPAA Security Rule Checklist: Administrative Safeguards

Administrative safeguards should be in place to establish policies and procedures that employees can reference and follow to ensure that they’re maintaining compliance. Each of these standards should be documented as a written policy, accessible to all employees so that they understand the necessary steps they should be taking to maintain patients’ confidentiality.

Standard 1. Security Management Process

 

  • Risk Analysis should be done to assess confidentiality of ePHI
  • Risk Management measures should be implemented to assess potential breaches in ePHI
  • Sanction Policies should be extended to employees who fail to comply with policies and procedures
  • Information System Activity Reviews should be in place so that system activity is regularly monitored

Standard 2. Assigned Security Responsibility

  • Security Responsibility should be assigned to an employee who can regularly monitor, develop, and maintain privacy policies and procedures

Standard 3. Workforce Security

  • Employees who are meant to deal with ePHI should undergo Authorization and Supervision
  • Workforce Clearance Procedures should govern who is and isn’t allowed access to ePHI
  • Termination Procedures should be in place so that employees who have left a practice can no longer have access to ePHI that they’ve previously had access to

Standard 4. Information Access Management

  • Clearinghouses that are part of larger organizations need to have properly Isolated Access to ePHI
  • Employees should be given Access Authorization depending on whether or not their role requires that they handle ePHI
  • Access to ePHI should be governed by strict rules for when and how it is granted, Established, or Modified

Standard 5. Security Awareness and Training

  • Security Reminders should be regularly communicated
  • Protection from Malicious Software should be a priority to prevent ePHI from being compromised
  • Log-in Monitoring should be in place to detect any unauthorized access to ePHI
  • Password Management should be implemented for creating, changing, and protecting employees’ passwords

Standard 6. Security Incident Procedures

  • Breaches and their ramifications need to have documented Response and Reporting procedures

Standard 7. Contingency Plan

  • Data Backup Plan is required to ensure that there are ways to retrieve ePHI that has been lost because of a malfunction or a breach
  • Disaster Recovery Plans should be in place to ensure that any lost ePHI can be fully restored
  • Emergency Mode Operation Plans should be established so that employees can properly access and handle ePHI, while maintaining privacy, in the event of an emergency
  • Contingency procedures should be Tested and Revised on an ongoing basis to address faults or flaws
  • Contingency procedures should be go through Applications and Data Criticality Analysis to ensure that contingency plans are as streamlined as possible

Standard 8. Evaluation

  • The technical and non-technical elements of ePHI security should be regularly Evaluated, particularly when moving offices or changing operations

Standard 9. Business Associate Contracts and Other Arrangements

  • Written Contracts or Other Arrangements need to document that BAs will comply with all ePHI security measures.

 

The HIPAA Security Rule Checklist: Physical Safeguards

Physical safeguards should guide the creation of policies and procedures that focus on protecting electronic systems and ePHI from potential threats, environmental hazards, and unauthorized intrusion. And as is the case with administrative safeguards, each of these standards should be documented as a written policy, accessible to all employees so that they understand the necessary steps they should be taking to maintain patients’ confidentiality.

Standard 1. Facility Access Controls

  • Procedures should be in place to establish Contingency Operations plans that allow access to the physical office and stored data in the event of an emergency
  • Facility Security Plan needs to be well established to protect equipment that stores ePHI from unauthorized access and theft
  • Access Controls and Validation Procedures should govern when, how, and to whom access to equipment is granted
  • Maintenance Records should document modifications to the physical facility such as renovations or changing doors or locks

Standard 2. Workstation Use

  • Workstation Use policies need to specify the use, performance, and physical attributes of equipment and workstations where ePHI is accessed

Standard 3. Workstation Security

  • Workstation Security should entail physical safeguards that govern who can access workstations and equipment where ePHI is accessible

Standard 4. Device and Media Controls

  • Disposal of hardware or equipment where ePHI has been stored needs to be strictly managed
  • Policies should be in place to determine how and when ePHI should be removed from equipment or electronic media before Re-use
  • Hardware and equipment that has access to ePHI should be Accountable and, if necessary, tracked
  • Data Backup and Storage procedures should entail the creation of exact copies of ePHI

 

The HIPAA Security Rule Checklist: Technical Safeguards

Technical safeguards are the last piece of the Security Rule. They’re meant to provide written, accessible, policies and procedures that monitor user access to systems that store ePHI.

Standard 1. Access Control

  • Employees should be granted Unique User Identification in the form of a username or ID number that can be used to identify and track system usage
  • Procedures should be in place that determine Emergency Access protocols and authorization
  • Systems that store ePHI should be built with an Automatic Logoff function after inactivity
  • Encryption and Decryption methods should be built into systems that store ePHI

Standard 2. Audit Controls

  • Audit Controls must regularly monitor, record, and store system usage and ePHI access

Standard 3. Integrity

  • In order to ensure that ePHI hasn’t been accessed, altered, or destroyed without authorization, a Mechanism to Authenticate ePHI should be built into the system

Standard 4. Person or Entity Authentication

  • Person or Entity Authentication needs to be in place to ensure that only authorized employees or users have access to certain data and ePHI

Standard 5. Transmission Security

  • Any ePHI that is transmitted electronically needs to be protected by Integrity Controls to ensure that it hasn’t been modified in the process
  • Any stored ePHI should be Encrypted
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

New HIPAA requirements target unsecured protected health information

New HIPAA requirements target unsecured protected health information | HIPAA Compliance for Medical Practices | Scoop.it

The American Recovery and Reinvestment Act of 2009, signed by President Barack Obama in February, modified the Health Insurance Portability and Accountability Act (HIPAA). In particular, the Health Information Technology for Economic and Clinical Health Act (HITECH) sets forth new requirements relating to business associates and notification of patients regarding breaches of unsecured protected health information. The new regulation covers breaches that occur after September 23, 2009.

 

Before HITECH, a covered entity, that is, a physician's office, hospital, clinic, etc.—only was required to mitigate the effects of an unauthorized disclosure, which may or may not have included notifying the patient Now, except for certain limited exceptions, a covered entity is required to notify a patient of an unauthorized disclosure of unsecured protected health information if a significant risk of "financial, reputational, or other" harm exists.

 

It is important to note that notification is only required for unsecured protected health information, not secured protected health information. The Department of Health and Human Services (HHS) issued guidance on what constitutes "secured" protected health information in April, stating that information is deemed secured if rendered "unusable, unreadable, or indecipherable" to unauthorized individuals.

 

To determine whether a "significant risk of harm" exists, the covered entity should consider what information was disclosed, to whom the information was disclosed, and what steps have been taken to eliminate or reduce the risk to the individual.

 

Any notification to the patient must include a brief description of what happened and the type of protected health information disclosed, any steps the patient should take to protect himself or herself, what the covered entity is doing to investigate and mitigate the breach, and information concerning who to contact for additional information. Any required notification must occur without unreasonable delay but no more than 60 days after the breach is discovered or should have been discovered with the exercise of reasonable diligence.

 

Notification must be in writing by mail (or by phone in urgent cases) or electronic means if the patient has consented to electronic notification. Also, specific rules exist regarding what to do if patients cannot be located. If a breach involves more than 500 patients—for instance, the loss of a laptop containing unsecured protected health information, then local media outlets must be notified. In addition, the HHS secretary must be notified—immediately for breaches involving more than 500 patients and annually for others.

 

With the new regulations, the knowledge of a covered entity's agents, including business associates, is imputed to the covered entity. Therefore, the clock for notifying patients could begin to run before the covered entity actually is aware of the disclosure. New agreements may be required, and education of business associates is important, to ensure that they are aware of these requirements and that they indemnify your practice if they fail to comply with the new rules and notify you promptly of any breach of protected health information.

 

The burden to disclose the breach or establish that no risk of harm to the patient exists is on the covered entity, even if the breach was the fault of one of its agents. A decision not to notify a patient because the covered entity does not believe that a significant risk of harm exists should be carefully investigated and documented.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Compliance for Medical Practices

HIPAA Compliance for Medical Practices | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA Compliance and Technology
HIPAA compliance is a vital part of any medical practice, especially as technology continues to advance. It is more important than ever that medical practices are safeguarding their protected patient health information (PHI). This is especially important for medical practices that work with partners to handle any of their sensitive information, such as billing or patient calls.

 

HIPAA Compliance Across the Care Continuum
New advances in technology allow the healthcare industry to be more efficient. Organizations can store and share data more easily through systems like electronic medical records (EMRs) software. Unfortunately, this created the side-effect of making patient data vulnerable in new ways.

 

Medical practices should be ready to look for HIPAA compliance anywhere their data goes. It’s important for medical practices to evaluate the risks to data exposure and take the appropriate documented steps to protect it. This includes vetting any partner exposed to or directly handling PHI.

 

What Information is Protected?
Under the Privacy Rule, all information that can be used to individually identify someone is protected. Protection occurs no matter what form the information takes. This information can include all historical data on a patient’s condition, what health care they’ve received, any billing information, and anything else that can reasonably be used to identify someone. This, of course, includes the expected information such as name, address, date of birth, etc.

 

The Privacy Rule leaves a little room for interpretation, so it’s best to protect all of the information you have on your patients to be safe.

 

Staying Adaptive and Vigilant
Technology continues to march forward with new innovations seemingly every day. It’s important to be able to understand how to utilize new security advances as well as the risks associated with new technology.

 

To stay HIPAA compliant you must always be vigilant to adapt and make changes in accordance with any new risks, whether from the technology you use or otherwise. This means it can be difficult to find a partner to trust for services such as an answering service, scheduling service, data storage, etc. Partners have to invest to become HIPAA compliant, with the right systems, training and more. Not every company is going to be able to, or willing to, make that investment.

 

What HIPAA Means for Your Partnerships
All authorized users of protected health information must be HIPAA compliant. This means that any of your partners that are authorized to handle your patient data must be compliant as well. They have to be just as vigilant as you and understand the intricacies of each regulation.

 

You need partners that don’t just offer HIPAA compliant services and products, but understand it and can help you proactively protect data and prevent fines. Establishing processes to vet your partners is key. Factors to account for in a partner can include but are not limited to: ensuring they provide a business-to-business agreement that outlines compliance measures, and that they place a concerted effort on mandatory, continuing education for all team members exposed to patient data, not just team members handling the data.

 

For additional information on HIPAA regulations HHS has provided a summary of the Security Rule.

 

HIPAA Compliance in Answering Services
An answering service is going to handle some of your patient’s most important data and be exposed to information such as their appointment types, personal/identifying information, diagnoses and more. They are also storing and conveying information to your practice, so it’s vital that they have the systems to meet the safety requirements and the ability to store data for the appropriate amount of time.

 

When looking for any partner, make sure that they have taken the steps required to be HIPAA compliant in advance so they don’t leave your patients’ data at risk and your organization accountable.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Privacy Complaint Results in Federal Criminal Prosecution for First Time

HIPAA Privacy Complaint Results in Federal Criminal Prosecution for First Time | HIPAA Compliance for Medical Practices | Scoop.it

For the first time, a HIPAA privacy complaint filed with the Department of Health and Human Services’ Office for Civil Rights (OCR) has resulted in federal criminal prosecution.

 

A complaint was filed with OCR over an impermissible disclosure of a patient’s protected health information by a doctor. The doctor, Richard Alan Kaye of Suffolk, Va., was alleged to have shared PHI with the patient’s employer without consent from the patient – A violation of the HIPAA Privacy Rule.

 

The case against Kaye has been referred to the Department of Justice, which has pressed charges. While OCR has referred more than 500 HIPAA violation cases in the past, this if the first time that an investigation of a privacy complaint has resulted in criminal prosecution.

 

Kaye had previously worked at Sentara Obici Hospital in Suffolk, Va., as Medical Director of its Psychiatric Care Center. The patient had been enrolled in a mental health treatment program at the hospital and Kaye treated and subsequently discharged the patient. On discharge, Kaye stated that the patient was not a threat to the public.

 

Federal prosecutors allege Kaye shared PHI with the patient’s employer “under the false pretenses that the patient was a serious and imminent threat to the safety of the public, when in fact he knew that the patient was not such a threat.”

 

While it was previously possible for egregious HIPAA violations to result in criminal prosecutions for HIPAA covered entities, filing charges against individuals was problematic. When individuals were discovered to have violated the privacy of patients, and the violations warranted criminal prosecution, it was necessary to file charges under the aiding and abetting theory – The abuse of an individual’s position to violate HIPAA Rules.

 

However, the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act) provided further clarification on criminal prosecutions for HIPAA violations, and made the process of prosecuting individuals for HIPAA privacy violations more straightforward.

 

If cases are investigated and OCR determines HIPAA Rules have been violated by covered entities, the cases are typically resolved by OCR, often via settlements. However, if individuals are alleged to have violated HIPAA Rules, criminal penalties may be appropriate. In such cases, OCR can refer the cases to the Department of Justice, the federal attorney general, and/or state attorneys general to pursue criminal charges against those individuals.

 

While criminal cases have been filed against individuals who violated HIPAA Rules and impermissibly disclosed PHI, the uncertainty of pursuing cases against individuals prior to the passing of the HITECH Act dissuaded federal prosecutors from pursuing cases. Since the HITECH Act was passed, there have been referrals of cases, although this is understood to be the first time that the Department of Justice has actively pursued criminal charges against an individual following the referral of a privacy complaint by OCR.

 

There is no private cause of action in HIPAA. While private citizens can file complaints with the OCR over alleged violations of HIPAA Rules, they are not permitted to file lawsuits against covered entities for HIPAA violations. The lack of criminal penalties for HIPAA violations may have dissuaded patients from filing complaints. Now the Department of Justice is taking action against an individual for an egregious HIPAA privacy violation, it may encourage more patients to file complaints with OCR.

 

This DOJ case shows federal authorities are now taking HIPAA Privacy Rule violations much more seriously. OCR is also training state attorneys general on HIPAA enforcement. After state attorney generals have received training, it is expected they too will take a more aggressive stance against covered entities that have violated the privacy of state residents.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Sees Meritus Medical Center Stop Media Announcements

HIPAA Sees Meritus Medical Center Stop Media Announcements | HIPAA Compliance for Medical Practices | Scoop.it

Meritus Medical Center is one of a number of hospitals that has stopped issuing information about patient conditions to the media. The hospital announced on September 22 that this courtesy would be stopped.

 

The Health Insurance Portability and Accountability Act places certain restrictions on the disclosure of Protected Health Information to third parties, including the media. Just a few years ago, reporters would be able to call a healthcare provider to make an enquiry about the health status of a patient.

 

The hospital staff would provide general information about a particular patient’s condition if they were asked about a patient by name. The information disclosed would be restricted, so reporters would be advised for instance, that a patient was good, fair, stable or in critical condition.

 

Under HIPAA Rules this information may be disclosed to the media; however it is not mandatory for a hospital or healthcare provider to give out any information, except when it is in the public health interest to do so or if required by law enforcement officers to assist with an investigation.

 

HIPAA Rules See Patient Privacy Improved
Since the HIPAA Privacy Rule is now being enforced, and covered entities can face considerable fines for violations of the Rules covering the disclosure of PHI, many hospitals have now taken the decision to stop releasing any information on patients. They see it as a measure that will improve privacy and help avoid any inadvertent HIPAA violations.

 

In the case of Meritus Medical Center it was not only the risk of HIPAA violations, but the policy was changed to improve privacy standards for patients. Meritus Communications Manager, Nicole Jovel, said in a media announcement “In conversations with clinicians and administrators, we determined we needed to really increase the level of privacy we were providing.”

 

A Patient’s Status can Rapidly Change
There are also problems with such a simple classification of status and providing information when it is likely to change. Patients may slip from serious to critical, or may improve from one day to the next. It would not be fair to report a condition, if that information may be incorrect just a few hours later. In the case of newspapers which are printed the following day, they may contain inaccurate information before they even hit consumers’ doorsteps.

 

Patient Safety is a Major Consideration
Then there is the issue of confirming the identity of the caller, which in often impossible. The hospital treats numerous victims of domestic violence, and Jovel pointed out that the staff cannot be sure if they are giving information to an abusing partner.

The problem faced by Meritus is typical. There are too many variables to consider, and in a busy healthcare setting it is too easy for mistakes to be made. Ultimately those mistakes could prove detrimental to patients and the decision is made to stop issuing all reports to the media.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
Scoop.it!

Do HIPAA Rules Create Barriers That Prevent Information Sharing?

Do HIPAA Rules Create Barriers That Prevent Information Sharing? | HIPAA Compliance for Medical Practices | Scoop.it

The HHS has drafted a Request for Information (RFI) to discover how HIPAA Rules are hampering patient information sharing and are making it difficult for healthcare providers to coordinate patient care.

 

HHS wants comments from the public and healthcare industry stakeholders on any provisions of HIPAA Rules which are discouraging or limiting coordinated care and case management among hospitals, physicians, patients, and payors.

 

The RFI is part of a new initiative, named Regulatory Sprint to Coordinated Care, the aim of which is to remove barriers that are preventing healthcare organizations from sharing patient information while retaining protections to ensure patient and data privacy are protected.

 

The comments received through the RFI will guide the HHS on how HIPAA can be improved, and which policies should be pursued in rulemaking to help the healthcare industry transition to coordinated, value-based health care.

 

The RFI was passed to the Office of Management and Budget for review on November 13, 2018. It is currently unclear when the RFI will be issued.

 

Certain provisions of HIPAA Rules are perceived to be barriers to information sharing. The American Hospital Association has spoken out about some of these issues and has urged the HHS to take action.

 

While there are certainly elements of HIPAA Rules that would benefit from an update to improve the sharing of patient health information, in some cases, healthcare organizations are confused about the restrictions HIPAA places on information sharing and the circumstances under which PHI can be shared with other entities without the need to obtain prior authorization from patients.

 

The feedback HHS is seeking will be used to assess what aspects of HIPAA are causing problems, whether there is scope to remove certain restrictions to facilitate information sharing, and areas of misunderstanding that call for further guidance to be issued on HIPAA Rules.

 

HIPAA does permit healthcare providers to share patients’ PHI with other healthcare providers for the purposes of treatment or healthcare operations without authorization from patients. However, there is some confusion about what constitutes treatment/healthcare operations in some cases, how best to share PHI, and when it is permissible to share PHI with entities other than healthcare providers. Simplification of HIPAA Rules could help in this regard, as could the creation of a safe harbor for good faith disclosures of PHI for the purposes of case management and care co-ordination.

 

While the HHS is keen to create an environment where patients’ health information can be shared more freely, the HHS has made it clear is that there will not be any changes made to the HIPAA Security Rule. Healthcare providers, health plans, and business associates of HIPAA-covered entities will still be required to implement controls to ensure risks to the confidentiality, integrity, and availability of protected health information are managed and reduced to a reasonable and acceptable level.

 

In addition to a general request for information, the HHS will specifically be seeking information on:

 

The methods of accounting of all disclosures of a patient’s protected health information
Patients’ acknowledgment of receipt of a providers’ notice of privacy practices


Creation of a safe harbor for good faith disclosures of PHI for purposes of care coordination or case management
Disclosures of protected health information without a patient’s authorization for treatment, payment, and health care operations
The minimum necessary standard/requirement.


While the RFI is likely to be issued, there are no guarantees that any of the comments submitted will result in HIPAA rule changes.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

How to Comply with HIPAA

How to Comply with HIPAA | HIPAA Compliance for Medical Practices | Scoop.it

The Health Insurance Portability and Accountability Act (HIPAA) was created in 1996 to protect patients' health information. Since its inception, health care providers have struggled with the need to protect patient privacy, share information, and keep paper work under control.


“When HIPAA came out, everyone was so afraid of penalties … but a lot of it was a reasonable recognition of patients' privacy that was already occurring in 99.9% of the cases,” said L. Lee Hamm, MD, Professor of Medicine and Executive Vice Dean at Tulane University School of Medicine in New Orleans.

 

“It added a lot of administrative burden and … it introduced a few things to make certain that people didn't inadvertently do something they shouldn't do.”

 

Electronic information


A part of HIPAA with which specialists in particular are concerned is sharing information among other health care providers. Entities covered under HIPAA are allowed to share private information with other health care professionals for the purposes of treatment, payment, and operations.

 

But Heinold said there are often delays during this process that can negatively impact quality of care and increase liability. This can occur when providers unnecessarily request patients' consent.

 

One of the most efficient ways to communicate among providers is via electronic communication. HIPAA was amended in 2009 to encompass the use of electronic health records with the Health Information Technology for Economic and Clinical Health (HITECH) Act.

 

Fresenius staff is increasingly receiving communication about patients electronically through mediums such as text and instant messaging, Heinold said. While this can facilitate exchange of records, it also comes with inherent risks. Fresenius trains staff to provide the minimum necessary information when texting about patients.

 

Louis Liou, MD, Chief of Urology at Cambridge Health Alliance, said his organization's biggest HIPAA concerns relate to electronic information. To comply, Cambridge ensures that all physicians with smart phones have them password protected and that their e-mail is secure.

 

Cambridge physicians try to avoid texting patient information when possible, but if they must, they do not use any patient identifiers in the text messages.

 

“There are a lot of pitfalls that could potentially happen,” Dr. Liou said. “Thumb drives have given way to Cloud issues. I think potentially there can always be problems – no matter how failsafe you make the system, there is always human error.”

 

Dialysis settings


Another concern is the communal open-floor nature of some clinical settings, as is often the case in dialysis centers, which may make it difficult to protect patient privacy. Still, training staff and implementing privacy procedures can go a long way to meeting HIPAA requirements.

 

Rosemary Heinold, Director of Communications for Fresenius Medical Care North America, a dialysis services provider and manufacturer of peritoneal and hemodialysis machines and equipment, said their organization has a handful of practices that help them comply with HIPAA.

 

Although patients are examined on the dialysis floor, Fresenius clinics also offer private examination rooms. Patients are never required to be examined in an open setting and may request a private room for physician consultations.

 

Like most providers, Fresenius staff gives patients a notice of privacy rights, which individuals must sign. They also post a notice of their privacy practices at all treatment sites.

 

Fresenius providers also work by the “minimum necessary” rule. The staff only shares the least amount of information necessary with patients on the clinic floor, particularly when others are within earshot.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

No Exception to HIPAA Privacy Rules, Nurse Learns

No Exception to HIPAA Privacy Rules, Nurse Learns | HIPAA Compliance for Medical Practices | Scoop.it

Ms. P, 45, was a nurse working in the cardiology department of a large hospital. Her duties were varied, and included, among other things, accessing patient medical records to review lab values and other diagnostic tests ordered by physicians, and writing progress notes in patients' charts.

When she was originally hired by the hospital, she was given a lecture from human resources about the importance of patient confidentiality. Ms. P was required to sign an agreement stating that she would protect patient confidentiality by only seeking or obtaining information regarding a patient that was required to perform her duties.

Later, when the U.S. Health Insurance Portability and Accountability Act (HIPAA) went into effect, Ms. P was required to go to another human resources seminar and sign a revised confidentiality agreement.

 

The revised agreement stated that she would not access or view information other than what was required to do her job, and that she would immediately ask her supervisor for clarification if she had any questions about whether information was required for her job.

 

Finally, the agreement contained a section saying that Ms. P acknowledged that violation of the facility's confidentially policy could result in disciplinary action up to and including termination.

Ms. P understood the importance of patient confidentiality and would never look in the records of patients that weren't hers—with two exceptions. Ms. P's mother and sister both had serious chronic conditions that frequently resulted in hospital visits over the years.

 

Ms. P's mother had Parkinson's disease, was on numerous medications, and was prone to falls. Ms. P's older sister, who lived with her, had Down syndrome. Ms. P would periodically look up her mother's and sister's health records on the hospital computer to get information or to access their treatment plans. She didn't see anything wrong with this because it was her own family.

 

One of her colleagues, however, had noticed Ms. P looking at the records on more than one occasion, and anonymously reported her. The hospital's HIPAA compliance officer began an investigation that revealed that Ms. P had accessed her mother's charts on 44 separate occasions and her sister's charts on 28 occasions.

 

When the human resources director confronted her with the results of the investigation, Ms. P admitted that she had accessed the records, but that they were the records of her family members and therefore she didn't see anything wrong with it.

 

“Did you need to access information from their medical records in order to do your job as a clinical affiliate in the cardiology department?” the human resources director asked sternly.

“No,” Ms. P replied. “They were not cardiology patients.”

She was fired that day. Angered by the loss of her job, Ms. P sought the advice of an attorney to see if she could sue the hospital for wrongful termination. The attorney was skeptical.

“HIPAA violations are taken very seriously,” he said. “Did they give you training about patient privacy?”

 

Ms. P admitted that she'd had training.

“Were you asked to sign anything?” the attorney inquired.

“Well, yes,” Ms. P said. “I did sign a confidentiality agreement, and the hospital does have a policy that you could lose your job for violating it. But this was my mother and sister! They don't mind that I looked at their records!”

 

“That's irrelevant,” the attorney said. “It doesn't matter if they are family or not. You still didn't have the right to look at the records. I don't think we have a leg to stand on, unless…” the attorney trailed off, thinking.

 

“How old are you?” he suddenly asked.

When she told him, he smiled. “I think we may have an angle. We can try suing the hospital for age discrimination. We can claim that the privacy violation was merely a pretext to get rid of you – a higher paid experienced nurse – and replace you with a less expensive junior person.”

 

The attorney filed the papers against the hospital. The hospital's attorney promptly filed a motion to dismiss. The court, after reviewing all the facts, dismissed Ms. P's case.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.