Posts Tagged HIPAA

The Painful Reality of Ransomware and How to Protect Against It

The Painful Reality of Ransomware and How to Protect Against It

Imagine if in a split second you were unable to access all of your patients’ health care records. A cruel ransomware attack had locked you out of your computer system, and in order to regain your precious data you needed to pay a cybercriminal’s demand in bitcoin.

Unfortunately by the time you finish reading this article several businesses in the U.S. will experience this dreadful reality. Most commonly the disaster will occur when an infected email attachment is opened and spreads through a network.

Health care providers have a significantly higher risk of being targeted by ransomware. The reason for this is simple: you possess a large amount of data that is valuable to cybercriminals. In addition, hackers know you need to access medical records, digital x-rays, and test results to provide medical services to your patients. This, they hope, will motivate you to meet their demands to get your protected health information back.

A sudden disruption to a business proves to be a strong impetus. Nearly three-quarters of businesses infected by ransomware pay up to recover their data. Studies show, however, that less than half of them receive the necessary decryption key to unlock their data. The good news is there’s a simple, secure solution to avoid going through this painful scenario.

Ironclad Data Protection

Many practices don’t have the expertise, time or resources to deal with a ransomware attack. Many feel confident that their IT service provider has addressed security and backup needs in the event of a disaster. As a leading provider of HIPAA compliance software, we know several cases where a practice’s IT provider has not properly backed up their system. This can put you in the unenviable position of having to deal with unsavory cybercriminals. Here’s how our OfficeSafe software protects your data with the most secure online backup storage service available, and alleviates worries about a ransomware attack.

We provide a HIPAA compliant data backup solution with 256-bit encryption and SQL database restoration. This makes backing up and restoring your practice’s crucial data easy. In the event of a ransomware attack, you’ll have ten days of data backup, enabling your practice to easily find a clean data backup set. This is critically important. If your practice doesn’t have the capability to reinstate your data to multiple restore points in the past, you don’t have a sufficient disaster recovery solution.

OfficeSafe’s centralized management portal is designed for healthcare service providers and goes beyond file-and-folder backups, delivering a secure hybrid local and cloud solution. With our point-to-point encryption, you can use your existing email address to send messages via Gmail and other popular email client services. OfficeSafe also includes an emergency planning tool that helps members of your team expedite their response to unexpected situations.

The HIPAA Security Rule mandates that ransomware on your computer system or on that of a business associate must be reported to the government, as well as to the affected patients. If more than 500 records have been breached, you need to alert the media. The only caveat to this rule is if you can prove there’s a low probability that your protected health information has been compromised. Don’t let an unexpected incident cripple your business and tarnish your practice’s reputation.

Call us today at (800) 588-0254 or find out how we can work alongside your IT team to provide your business with full data protection in the event of a disaster.

Posted in: Technology

Leave a Comment (0) →

Think Your Practice Management Software Makes You HIPAA Compliant?

Think Your Practice Management Software Makes You HIPAA Compliant?

Complying with HIPAA security standards is a complex matter that demands a comprehensive solution. As a busy healthcare provider, it’s easy and convenient to trust that your practice management software satisfies the necessary HIPAA requirements to keep your electronic medical records safe. But the truth is, in most cases, it doesn’t.

A False Sense of Security

It is a common misnomer that electronic health record (EHR) systems make your practice HIPAA compliant. Companies claim they provide tools that support compliance for technical safeguards. A good thing, but technical safeguards are only one component needed to protect electronic public health information. The HIPAA Security Rule requires two other components: administrative safeguards and physical safeguards. Administrative safeguards include policies and procedures that HIPAA requires and critically important business associate agreements. Physical safeguards protect your data from breaches and unauthorized access. The platform you use to manage your practice might tout that their cloud-based system provides encryption and protection from ransomware. Great, but the question is: do they have all of the crucial aspects needed for HIPAA compliance? Read this next sentence twice. Using practice management software that purports to be HIPAA compliant does not make your practice compliant.

Unfortunately, when it comes to HIPAA compliance, a false sense of security can be dangerous. The violation fines for not following the guidelines enforced by the Department of Health and Human Services’ Office for Civil Rights are costly and can irreparably damage your practice’s reputation. In 2018 alone, HIPAA fines topped $28 million. By not properly protecting your electronic health records, you increase the likelihood of a cyberattack. Being hacked might strike you as a random, unlikely occurrence, but statistics tell a different story. According to a 2016 Lloyd’s Report, 92% of businesses experienced a data breach within a five-year period.

A Complete HIPAA Solution

PCIHIPAA is an industry leader in HIPAA compliance and data breach protection. We alleviate the angst and uncertainties associated with HIPAA compliancy with a powerful tool called OfficeSafe. Here’s how our software solution fully protects HIPAA electronic medical records:

  • Comprehensive Risk Assessment – A risk assessment is an annual audit required under the HIPAA Security Rule. Our audit of your practice’s protected health information produces a 22-page report, identifying the potential risks and vulnerabilities to your practice.
  • Easy Creation of Policies and Procedures – HIPAA regulatory standards mandate that covered entities and business associates develop policies and procedures. OfficeSafe makes regularly updating your policies and procedures easy, ensuring that your staff is informed on important issues such as governing access to electronic public health information and identifying malicious software attacks.
  • Online Employee Training – Improperly trained employees can lead to reckless handling of electronic public health information and costly HIPAA fines. We take this time-consuming task off of your plate and ensure that your staff understands exactly what is required by HIPAA law.
  • Crucial Business Associate Agreements – Every vendor and individual you share protected health information with must have a business associate agreement. OfficeSafe makes creating and securely executing these agreements simple and convenient.
  • $500,000 Cyber Insurance Coverage – Our guaranteed expense reimbursement policy for HIPAA violations covers a range of first and third party exposures, including both physical and non-physical risks. In the event of a HIPAA fine, data breach, or cyberattack, we’ll protect your practice from lost revenue and prevent an interruption to your business.
  • Email Encryption and Encrypted Cloud-Based Data Backup – At PCIHIPAA, keeping your data secure is our top priority. Our data backup solution is HIPAA compliant with 256-bit encryption and SQL database restoration capabilities. It enables you to distribute confidential protected health information without worry of ransomware or an unexpected incident.
  • Incident Response Management – Do you have a plan in place in the event of a hurricane, fire, or ransomware attack? Proper preparation—including a data backup plan, a data restoration plan, and an emergency mode operations plan—is a necessity. With OfficeSafe, once you report an incident we’ll work with your IT provider to mitigate the damage and get your business back on track.
  • PCI Certification – PCI is part of our company name for a good reason. As part of our compliance program, we help you complete the Payment Card Industry (PCI) requirements. Our PCI Compliance program also includes quarterly scans of your network.

The dark web is getting smarter. The risk of not fully and properly securing and maintain your patient’s medical records is a mistake your business can’t afford to make. The good news is peace of mind for your practice and your patients is a click away. Take a complimentary HIPAA Assessment right now, and be on your way toward total HIPAA compliance.

Posted in: HIPAA

Leave a Comment (0) →

Record Year for HIPAA Enforcement

Record Year for HIPAA Enforcement

In the current environment of regulation reduction, it is notable that the Department of Health and Human Services (HHS) received a record $28.6 million dollars in publicized settlements and judgments for HIPAA violations in 2018.  These numbers surpass previous years with the closest year on record being 2016 in which HHS collected $23.5 million dollars. These numbers reflect that HIPAA enforcement actions are on the rise.

There are several factors that are leading to this increase in fines:

  1. A lack of understanding about what encompasses an adequate HIPAA Risk Assessment;
  2. Failure to attain Business Associate Agreements when applicable;
  3. Failure to comply with physical, technical and administrative safeguards to secure protected health information (PHI); and
  4. Failure to implement encryption solutions or alternative adequate measures.

It is important to note that this record-setting total does not encompass all of the enforcement action taken by HHS against covered entities in 2018.  These numbers simply represent larger, more notable settlements and judgments.  In fact, HHS took corrective action against countless health care providers, health plans and business associates last year and it does not appear that these numbers will decrease in 2019.  As of February 22, 2019, HHS has officially begun investigating over 50 entities for large scale breaches.  For more information on these investigations of breaches of 500 individuals or more, visit the Wall of Shame on the HHS website. Pursuant to the HITECH Act of 2009, the Secretary of HHS is required to post information about entities who breach the PHI of 500 people or more to demonstrate transparency to health care consumers.

Health care providers can take action to reduce their risk by doing the following:

  1. Performing annual Risk Assessments;
  2. Identifying Business Associates and entering into adequate Business Associate Agreements;
  3. Creating and updating HIPAA policies and procedures;
  4. Ensuring that employees and staff members receive up-to-date training; and
  5. Proactive monitoring of electronic systems containing PHI.

This uptick in penalties illustrates that HHS is serious about their mandate to protect the privacy and security of PHI.  Their record demonstrates that they can be successful at attaining multi-million dollar settlements with health care entities and health plans that don’t comply with HIPAA regulations.  This is a good time for health care providers and HIPAA Business Associates to review their compliance programs to ensure that they are meeting the requirements. In HIPAA compliance, the lack of a specific strategy to secure PHI is an actionable failure that could result in a large fine and a loss of goodwill with the entity’s customers, its patients.  If you are unsure about whether your HIPAA compliance program is adequate or if you know that it is time to update your policies, procedures and training, consult a health care compliance expert.

Article contributed by Samarria Dunson, J.D., CHC, CHPC, attorney/principal of The Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Ala.  Attorney Dunson is also Of Counsel with the law firm of Balch & Bingham, LLP.  The Dunson Group, LLC, is an official partner with the Medical Association.

Posted in: HIPAA

Leave a Comment (0) →

Speak Up! HHS Wants to Hear from YOU!

Speak Up! HHS Wants to Hear from YOU!

The Department of Health and Human Services Office of Civil Rights wants to hear from health care providers, business associates and members of the public about how they can best modify HIPAA regulations. On Dec. 12, 2018, OCR issued a Request for Information, asking the public for comments on how the regulations can best facilitate continuity of care and decrease regulatory burdens.

“We are looking for candid feedback about how the existing HIPAA regulations are working in the real world and how we can improve them,” said OCR Director Roger Severino. “We are committed to pursuing the changes needed to improve quality of care and eliminate undue burdens on covered entities while maintaining robust privacy and security protections for individuals’ health information.”

They are looking for feedback in the following areas:

  • Promoting information sharing for treatment and care coordination and/or case management by amending the Privacy Rule to encourage, incentivize, or require covered entities to disclose PHI to other covered entities.
  • Encouraging covered entities, particularly providers, to share treatment information with parents, loved ones, and caregivers of adults facing health emergencies, with a particular focus on the opioid crisis.
  • Implementing the HITECH Act requirement to include, in an accounting of disclosures, disclosures for treatment, payment, and health care operations (TPO) from an electronic health record in a manner that provides helpful information to individuals, while minimizing regulatory burdens and disincentives to the adoption and use of interoperable EHRs.
  • Eliminating or modifying the requirement for covered health care providers to make a good faith effort to obtain individuals’ written acknowledgment of receipt of providers’ Notice of Privacy Practices, to reduce burden and free up resources for covered entities to devote to coordinated care without compromising transparency or an individual’s awareness of his or her rights.

Additionally, OCR is encouraging health care providers, business associates and members of the public to answer 54 questions that relate to their experiences working with health care data to determine which aspects of the regulations are necessary and which may be overly burdensome.

The RFI can be viewed by clicking on the following link: https://www.govinfo.gov/content/pkg/FR-2018-12-14/pdf/2018-27162.pdf

The deadline for comment is Feb. 12, 2019.  OCR has provided the following methods to submit comments:

  • Federal eRulemaking Portal. You may submit electronic comments at http://www.regulations.gov by searching for the Docket ID number HHS–OCR– 0945–AA00. Follow the instructions for sending comments.
  • Hand-Delivery or Regular, Express, or Overnight Mail: S. Department of Health and Human Services, Office for Civil Rights, Attention: RFI, RIN 0945– AA00, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue SW, Washington, DC 20201.

Instructions: All submissions received must include ‘‘Department of Health and Human Services, Office for Civil Rights RIN 0945–AA00’’ for this RFI. All comments received will be posted without change to http://www.regulations.gov, including any personal information provided.

As a compliance professional, I will be submitting comments on areas that impact my clients on Feb. 8, 2019.  If you have questions or concerns, feel free to contact me, and I’ll be happy to discuss your concerns or include your inquiry in my comments. I can be reached toll-free at 1-888-959-9501 or at Samarria@dunsongroup.com.

Article contributed by Samarria Dunson, J.D., CHC, CHPC, attorney/principal of The Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Ala.  Attorney Dunson is also Of Counsel with the law firm of Balch & Bingham, LLP.  The Dunson Group, LLC, is an official partner with the Medical Association.

Posted in: HIPAA

Leave a Comment (0) →

Lights, Camera…HIPAA

Lights, Camera…HIPAA

In the age of social media and reality TV, some people document their surroundings and behaviors regularly. Many of us think nothing of pulling out our cellphones to capture moments or otherwise memorializing our lives. But HIPAA-covered entities[1] must be proactive about the use of photographic and recording devices to ensure that they are in compliance with federal regulations.

Photography or filming that is not treatment-related should be prohibited in health care facilities, especially treatment areas, unless there is prior written authorization from the patient(s). If an entity determines that it is necessary to photograph or record on-site, they must ensure that they are taking appropriate steps to ensure that their process is HIPAA compliant. That is why it is so important for health care entities to have adequate, accessible and updated policies and procedures, along with ongoing training to ensure that their workforce is aware of the conditions and restrictions that apply in the health care setting.

This may be best illustrated by a recent $999,000 civil monetary settlement that the Department of Health and Human Services, Office of Civil Rights (OCR) entered into with three health care entities collectively. Those entities included: Boston Medical Center (BMC), a Disproportionate Share Hospital; Brigham and Women’s Hospital (BWH), a major teaching hospital of Harvard Medical School; and Massachusetts General Hospital (MGH), a not-for-profit academic medical center. These incidents stemmed from the filming of an ABC television documentary series. In each instance, the entity allowed ABC network to film on-site without first obtaining HIPAA authorizations from patients. The filming crew had access to protected health information (PHI) as they performed their duties.

Each of the three health care entities was assessed civil monetary penalties based on their non-compliant behavior. In the cases of BWH and MGH, the entities took steps to require the filming crew to view the HIPAA training that they require of their workforce members and believed that to be sufficient. While viewing a HIPAA training video may have educated the filming crew on some basic HIPAA requirements, since the filming crew was not considered a part of the health care entity’s workforce, the regulations specifically require patient consent prior to PHI being viewed or accessed by non-workforce members.

In addition to the monetary assessment, each entity was required to enter into a corrective action plan which required them to develop, revise and maintain appropriate policies and procedures relating to photography, film and media. They were also required to provide additional training so that workforce members were fully aware of the updated standards.

Training Videos and Public Relations Materials

There may be instances in which health care entities desire to produce training videos or develop public relations materials. When this occurs, the entity should enter into a Business Associate Agreement with the individual or company that is being hired to produce or develop the product. The Business Associate Agreement would require the individual or company being hired to comply with HIPAA standards and only utilize PHI for the purposes outlined in the agreement. Additionally, if specific patients are being interviewed or having their images captured, the entity should attain a written authorization from those patients before any material, images, or PHI regarding that patient can be disseminated.

It is extremely important that health care providers carefully consider their policies on photography, filming and media. It is also necessary to ensure that those policies and procedures are communicated to their workforce to ensure compliance. Should your entity have questions about creating or revising policies and procedures in accordance with HIPAA regulations, they should contact a health care compliance professional for guidance.

Article contributed by Samarria Dunson, J.D., CHC, CHPC, attorney/principal of The Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Ala.  Attorney Dunson is also Of Counsel with the law firm of Balch & Bingham, LLP.  The Dunson Group, LLC, is an official partner with the Medical Association.

[1] HIPAA covered entities include health care providers, health plans and health care clearinghouses who transmit any health information in electronic form in connection with a covered transaction. 45 CFR 160.103.

Posted in: HIPAA

Leave a Comment (0) →

10 Common HIPAA Violations and How to Avoid Them

10 Common HIPAA Violations and How to Avoid Them

For health care providers, arguably your most valuable asset is your patient information. Patients assume you will protect their private information.  Unfortunately, many practices are not implementing even the basic safeguards required under the Health Insurance Portability and Accountability Act (HIPAA).

In fact, Consumer Reports recently warned their subscribers (your patients) they need to protect themselves from improper handling of protected health information (PHI) by hospitals, doctors and insurance companies. HIPAA Compliance should not be a one-time, “set-it-and-forget-it” process. Instead, protecting the privacy and security of patient information should be a culture lived and implemented by the organizational leaders and followed by their employees. Risks are no longer insignificant. Fines range from $10,000 per incident up to $1.5 million per year. The reputation of the practice can be crippled if a data breach occurs and proper protocols aren’t followed.

10 Common HIPAA Violations, and How to Avoid Them 

  1. No Updated Policies and Procedures:  HIPAA requires documentation to show you understand what is required by law and your practice has the policies and procedures in place. It’s a best practice to purchase a set of policies and review them with your team annually. You can also subscribe to a service like OfficeSafe where policies are online, employees can log in anytime, and updates are automatic.
  2. No Risk Assessment on File:  You must perform an adequate risk assessment to determine your vulnerabilities. HIPAA does not define “how” an assessment needs to be performed, it only states you need to document your risk level, key vulnerabilities and plans to fix them. Having a risk assessment on file and showing you are making progress implementing key safeguards required under HIPAA will materially mitigate your risks.
  3. Lack of Employee Training Documentation:  Employees are the first line of defense for your practice. Employees also make human errors. Making training a priority is key to creating a culture of compliance for your practice.  Employees can also watch for phishing scams, other employee behaviors, help identify privacy issues and more.
  4. Loss of a Device:  Losing a laptop or mobile device that stores PHI is a HIPAA violation unless you can prove the data stored was encrypted and/or the device was secure. To mitigate risks, don’t store PHI on these devices and setup controls to wipe data from mobile phones if they are used inside your practice.
  5. No Emergency or Incident Response Planning:  HIPAA law now requires that every practice document an Emergency and Incident Response Plan. Also, with all of the hurricane’s, fires, ransomware attacks, and other incidents, it makes sense to document your plans in case an emergency does occur. HIPAA requires: 1) a Data Backup Plan, 2) a Data Restoration Plan and 3) an Emergency Mode Operations Plan.
  6. A Ransomware Attack:   Your patient information is valuable to a hacker. If obtained, they sell it on the Dark Web. Phishing scams lead to ransomware attacks and not only can this harm your practice, but a ransomware attack is also considered a data breach under HIPAA. Your patients may have to be informed unless a forensic investigation can prove data was not accessed. For more information on ways to prevent a ransomware attack, you can learn more at Top 10 Ways to Fight Ransomware
  7. A Credit Card Data Breach:  Every practice handles patient credit card information. A Payment Card Industry (PCI) violation can also end up being a reportable breach under HIPAA. Securing and properly handling credit card data is imperative. Don’t store any credit card information in QuickBooks, Excel or any other software. Also, make sure you are PCI certified and using EMV devices to limit chargeback liabilities.
  8. Violations Under the HIPAA Privacy Rule:  Too many health care professionals do not have a clear understanding of The HIPAA Privacy Rule. Not only does PHI need to be secure, but it also needs to be kept private. Practices need to have an updated Notice of Privacy Practices shared with patients and posted in the practice. Also, employees need to understand under what circumstances PHI can and cannot be shared. It’s important (and the law) to designate a HIPAA Privacy and Security Officer for the practice. They can learn the basics and quickly mitigate behaviors that may be leading to unnecessary risks.
  9. No Encryption Safeguards:  HIPAA does not state you have to use encrypted solutions, but it’s a good idea. Your PHI should be backed up using an encrypted solution.  It also should be backed up in the cloud with multiple days of backup sets. Also, when e-mailing PHI, you should be using an e-mail encryption service. Encryption mitigates human e-mail error and also protects the unauthorized access of data.
  10. Lack of Compliance Documentation and Execution of Business Associate Agreements:  We often see practices struggling to execute their Business Associate Agreements, Employee and Patient Acknowledgments, Authorizations, and overall HIPAA compliance. Compliance isn’t a he-said, she-said proof exercise. You must have updated policies, procedures, and proof you are implementing the proper HIPAA safeguards.

 

OfficeSafe was designed to ease the administrative burdens and uncertainties associated with HIPAA compliance and financially protect you in case of a ransomware attack, HIPAA audit, or patient data breach.

Posted in: HIPAA

Leave a Comment (0) →

Does Your Workforce Know Its Privacy/Security Officials? They Better.

Does Your Workforce Know Its Privacy/Security Officials? They Better.

As a health care compliance attorney for more than 12 years, I may not have seen it all, but I’ve definitely seen a lot. An unfortunate, yet common, pattern is a lack of compliance with some of the most basic state and federal regulations. There are some documents and practices that are required to be compliant with the Health Insurance Portability and Accountability Act. These are considered to be a part of the entity’s basic HIPAA infrastructure.  When entities fail to provide evidence of these basic elements of a HIPAA-compliant program, one must ask themselves if that entity is unable or unwilling to follow the regulations.

One of the most common issues is an entity’s failure to show evidence of their HIPAA Privacy and Security Officer designations. Health care providers are specifically required to designate Privacy and Security Officials. These individuals are responsible for developing HIPAA policies and procedures for the entity and ensuring adherence to the regulations.[1]  These designations must be in writing.[2]

Privacy Officer Designee

The Privacy Officer is responsible for developing and implementing HIPAA policies and procedures. These responsibilities include ensuring that the entity is compliant with the HIPAA Privacy Rule and Breach Notification Rule, as well as other applicable state and local laws. Their duties may include, but are not limited to, the following:

  1. Receiving and appropriately addressing complaints relating to protected health information (PHI) and electronic protected health information (ePHI);
  2. Receiving and processing requests made in accordance with Patient’s Rights and the Notice of Privacy Practices;
  3. Ensuring that the workforce is receiving adequate HIPAA training annually and refresher training, when applicable;
  4. Recommending disciplinary action for workforce members who violate HIPAA regulations;
  5. Oversight of Business Associate relationships and Business Associate Agreements; and
  6. Ensuring that HIPAA-related documents are maintained by the entity for a period of at least six (6) years.

Security Officer Designee

The Security Officer is responsible for ensuring that the entity is compliant with the HIPAA Security Rule and the development and implementation of HIPAA policies and procedures that relate specifically to ePHI. Their duties include, but are not limited to:

  1. Ensuring the confidentiality, availability and integrity of ePHI;
  2. Developing, implementing and enforcing information security directives mandated by HIPAA regulations;
  3. Ensuring that an appropriate and adequate Risk Analysis is performed, at least annually;
  4. Developing or updating the entity’s Business Continuity Plan;
  5. Ensuring the adequacy of the entity’s Disaster Recovery and Incident Response plans; and
  6. Ensuring that HIPAA-related documents are maintained by the entity for a period of at least six (6) years.

It is also worth noting that the Alabama Breach Notification Act of 2018 also requires the designation of a Security Official. The statute specifically requires that covered entities designate “an employee or employees to coordinate the covered entity’s security measures to protect against a breach of security.”[3]

Workforce Members Should Readily Identify Privacy and Security Officials

It is extremely important that workforce members be able to readily identify the Privacy and Security Officials for their entity. It is necessary for them to know whom they should consult for several reasons. First, if they have questions regarding the HIPAA policies and procedures, they should know who they should turn to in order to gain clarity. Second, as HIPAA-related complaints arise, it is necessary for them to identify individuals within their entity who can resolve those complaints in a manner that is both helpful to the complainant and in accordance with the regulations. Often, if matters can be resolved by the Privacy or Security Officers then patients/clients won’t find it necessary to contact the Department of Health and Human Services (HHS) to address their issue(s). Third, when workforce members know with whom to discuss HIPAA-related matters, it provides the opportunity for Privacy and Security Officials to gain a broader understanding of the HIPAA Privacy and Security issues within their organization.  Instead of workforce members attempting to resolve issues based on their limited understanding of the regulations, they instead have a point of contact who can appropriately address their issues and ensure that HIPAA-related matters are addressed with an appropriate level of consistency within the organization.

Privacy and Security Officers Often Wear Multiple Hats

Health care providers must designate Privacy and Security Officers regardless of the size of the organization. Larger organizations normally have Privacy and Security Officials who serve in those capacities full-time. Smaller entities, more often than not, assign these responsibilities to individuals who have other job functions. Examples include an office manager, information technology professional or other designee the entity determines can adequately handle the responsibilities.

It is important that all health care entities ensure that they have not simply considered personnel to fill the role of the Privacy and Security Officials within their organization, but that those designations are in writing and communicated to their workforce. These individuals should receive adequate and on-going training to ensure that they are abreast of any changes to state or federal regulations that may impact their entity.

For additional information on Privacy and Security Officer Designations or for assistance with drafting job descriptions for these individuals, health care providers should consult a health care compliance professional.

[1] §164.530 (a)(1)

[2] §164.530 (a)(2)

[3] SB318 Section 3(c)(1)

Article by Samarria Dunson of The Dunson Group. The Dunson Group is a partner of the Medical Association.

Posted in: HIPAA

Leave a Comment (0) →

What’s the Biggest Threat to Your Medical Practice? Your Staff!

What’s the Biggest Threat to Your Medical Practice? Your Staff!

Many of us are aware of recent attacks impacting health care entities large and small. As ransomware and other cybersecurity-related crimes are being reported daily, there is a tremendous focus on the “dark web” and how to decrease the likelihood your entity will be impacted by hackers. But as we put systems in place to deal with those security issues, we must not forget about the threat of other malicious actors. These individuals are not strangers who only interact with our computer systems remotely. This threat is much closer. We’re referring to your staff members who may inappropriately access and utilize patient data for personal gain.

Employers generally believe they hire the best candidates. In most instances that is correct. After combing over résumés and doing countless interviews, it is determined the selected individual is a person you can trust and respect. As these individuals prove themselves to be competent and dependable, many of us will place a high level of confidence not only in that person’s ability to perform the job, but also in their character.

As time passes we learn a lot about our colleagues. We learn about each other’s families, interests and life goals. We become invested in our co-workers, and we share in moments of success and disappointment. These events endear us to one another and become the fabric of our working relationships. However, just as this bonding is reflective of our human desire to find commonalities, these relationships can also blind us to a very serious threat. This threat is the impact that these very individuals can have on our entities if they intentionally or inadvertently compromise a patient’s protected health information (PHI). We must constantly remind ourselves good people can do bad things depending on that individual’s circumstances at the time they make a compromising decision.

“Insider threat” is a term used to describe the threat to an entity’s systems or data that originates from within the entity. These “insiders” can be current or former employees, contractors, or business associates who have or has had authorized access to an entity’s systems or data and misuse that access.

Red Flag Behavioral Indicators

When entities endure a significant data breach, they are often in disbelief the incident occurred. Then as they begin the investigation phase, they realize there were behaviors exhibited by the bad actor that should have drawn suspicion.

Here are some behaviors entities should be watchful of:1

  • Works odd hours without authorization; notable enthusiasm for overtime work, weekend work, or unusual schedules which may result in them being able to carry out their illicit activities privately.
  • Remotely accesses the computer network while on vacation, sick leave, or at other odd times.
  • Interest in matters outside the scope of their duties, particularly where patient data may be stored and how that information may be accessed.
  • Unexplained affluence; buys things they cannot afford on their household income.
  • Without need or authorization, takes proprietary or other material like patient information home, via paper records, thumb drives or by emailing information to their personal email accounts.
  • Overwhelmed by life crisis or career disappointments.
  • Paranoia about being investigated; believes there are listening devices or cameras in their homes or workplaces.
  • Disregarding computer policies on installing personal software or hardware, accessing restricted websites, conducting unauthorized searches, or downloading confidential information.

How to Reduce Your Risk

  • Appropriately manage your employees. Entities should pay particular attention to individuals who are disgruntled or who may be undergoing financial hardship. Also, be watchful of employees who show up to work very early or leave very late with no work product to show for the extra time they’ve worked. Additionally, background checks can be very telling. This is especially true for employees whose records identify financial issues like issuing bad checks.
  • Be mindful of security access privilege designations. Only provide employees with the security access privileges they need to perform their job functions. The less access they have to patient data that does not involve them, the less likely they will be able to create large data breaches.
  • Proactively audit user access. Perform audits of user actions to determine who has been remoting into your entity’s computer network or who has been accessing your systems after normal business hours. Review reports of failed log-in attempts to determine whether employees are trying to log into systems they have not been officially granted access to view.
  • Develop and adhere to effective termination procedures. Once you become aware an employee will need to be terminated, make plans to disable their physical and system access such that the terminated employee does not have the opportunity to negatively impact your entity or systems. During the exit interview, make it clear to the terminated employee your entity will not tolerate inappropriate data access and will seek criminal prosecution if it discovers any employees are engaging in such activity.
  • Effective training programs. Ensure your employees are aware of your entity’s privacy and security policies and procedures. Reiterate these principals in training and inform them of the consequences of not adhering to these requirements. Additionally, train employees to be particularly watchful of co-workers who exhibit the behavioral indicators described above. Ensure they know the warning signs and to whom to report their concerns.
  • All insiders are not necessarily in your building. Be mindful that Business Associates and contractors may also have access to your systems
    and data. The activities of these users should be monitored as well. Individuals within those entities should be signing confidentiality agreements at a minimum and Business Associate Agreements, when applicable.

 

Your entity’s designated Security Officer can play a key role in monitoring the electronic behavior of staff members, Business Associates and contractors. Ensure this individual is knowledgeable about your entity’s HIPAA security policies and procedures, and they are following up on audits that identify behaviors that may be placing your patient data at risk. If your entity does not have updated HIPAA security policies and procedures, consider hiring a health care compliance professional to ensure regulatory compliance.

Article contributed by Samarria Dunson, J.D., CHC, CHPC, attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Ala.

References
1 “The Insider Threat”, U.S. Department of Justice Federal Bureau of Investigation; https://www.fbi.gov/file-repository/insider_threat_brochure.pdf
2 “Insider Threats: What every government agency should know and do,” Deloitte Dbriefs, March 2016.

Posted in: HIPAA

Leave a Comment (0) →

Do You Record Patient Phone Calls? Here’s What You Need to Know.

Do You Record Patient Phone Calls? Here’s What You Need to Know.

A physician practice recently inquired about implementing a policy pursuant to which the practice would begin recording phone calls to and from patients and referring providers. The practice of recording phone calls is not uncommon. For example, every time you call a customer service number you are informed that the call “may be recorded for quality purposes.” However, there are some legal issues to consider before implementing a policy pursuant to which you record phone calls with patients.

First, from a HIPAA perspective, any entity you contract with to record the calls with patients and to store the recordings will need to sign a Business Associate Agreement, in which such entity agrees to protect the patient information it receives. Failing to obtain a Business Associate Agreement in this instance would be a violation of HIPAA.

Second, there is the question of whether you need to inform the patient the call is being recorded. Alabama is considered a “one-party consent” state, meaning you only need the consent of one party in order to record a call — and that one party can be the party making the recording. Thus, as long as the physician practice is aware of the recording, a patient located in Alabama does not have to be informed the call is being recorded. However, things get more tricky when you are making and/or receiving calls from patients located outside of Alabama.

Other states (including the neighboring state of Florida) are “two-party consent” states, meaning you need the consent of both parties in order to make the recording. If a call is made from a physician practice in Alabama, a “one-party consent” state, to a patient located in Florida, a “two-party consent” state, the general legal consensus is that the physician practice must comply with the more stringent “two-party consent” requirements. Thus, under this scenario, a disclosure would need to be made to the patient located in Florida that the call is being recorded.

Finally, the issue of malpractice liability should be considered. While a phone recording can be helpful in the event of a negative outcome (to prove what information was provided to the patient), it, just like any other documentation, can also be harmful (to prove what information was not provided to the patient). Thus, physician practices considering recording more than routine scheduling calls need to give some thought as to whether such recordings will be helpful or harmful if an issue were to arise. Practices may also want to reach out to their malpractice carriers to see if they have any opinion or policy regarding recording phone calls with patients.

Kelli Fleming is a partner with Burr & Forman LLP practicing in the firm’s Health Care Industry Group. Burr & Forman LLP is a partner with the Medical Association.

Posted in: HIPAA

Leave a Comment (0) →

Looking Forward to Retirement? Solo Practitioners Can Still be HIPAA Compliant as You Close the Doors

Looking Forward to Retirement? Solo Practitioners Can Still be HIPAA Compliant as You Close the Doors

Maybe you’ve been planning for retirement for some time or perhaps you’ve had a bad month and have decided that you’re better suited for life on the lake. In either circumstance, when you get ready to leave your practice and wind down your affairs, don’t forget that you still have responsibilities pursuant to state and federal laws and regulations and those obligations don’t cease just because you won’t be returning to the office.

The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) require providers ensure the confidentiality, integrity and availability of their patient’s protected health information (PHI). Thus, providers are tasked with preventing unauthorized access to PHI, ensuring that their records are not inappropriately altered or destroyed, and assuring that the records are available to the patient or other authorized individuals or entities.

Patient Notification

Pursuant to Alabama law, “When a physician retires, terminates employment or otherwise leaves a medical practice, he or she is responsible for ensuring that active patients receive reasonable notification and are given the opportunity to arrange for the transfer of their medical records.”[1] The law does not specifically define how much time is considered “reasonable,” thus; the type of practice or scope of services provided should be considered in determining reasonable notice. In all instances, notification should be provided in a manner that allows the patient adequate time to act upon the notification and either obtain a copy of their records or find a new physician.

Patient notification should be provided via U.S. mail and should include the following:

  • The date that the practice intends to close;
  • How the individual may obtain a copy of their medical record or have their records transferred to another physician; and
  • Contact information for the new physician if the patient records are being transferred to another physician without the patient’s consent. (Note: The retiring physician should enter into a Business Associate Agreement (BAA) with the purchasing physician to permit the purchasing physician to obtain and maintain the aforementioned patient records. By virtue of that agreement, the purchasing physician is acting as a custodian of records and is required to ensure the confidentiality, integrity and availability of those patient records regardless of whether the patient decides to utilize the purchasing physician for their treatment services. Pursuant to HIPAA, the purchasing physician cannot utilize those patient records unless and until the patient consents.) Alternatively, if the records are not being transferred to another physician, the notice should inform the patient of where the records will be located after closure, how long they will be retained, and contact information to make record requests.

Tip #1: While not required, it is suggested that patient notification be sent via certified mail, return receipt requested to the patient’s last known address. This allows the retiring physician to place those receipts in the patient files to demonstrate the attempt to notify the patient of the retirement or closure.

Tip #2: Don’t forget about the patient’s right to confidential or alternative communications when performing the mail-out.  If your practice has agreed to a reasonable request of a patient to receive communications by alternative means, you must ensure that you have considered that request. For example, if they have requested that you use a particular P.O. box, instead of their home address.

Malpractice Carrier Notification

At the top of your list for entities to notify should include your medical malpractice carrier. Your medical malpractice carrier can give you a tremendous amount of guidance and many offer a checklist that you can use to ensure that you are covering all of the steps that will keep you eligible for coverage at the time of closure and beyond. Be sure to ask them about any extended malpractice coverage that can be considered for any allegations of medical malpractice that may arise after closure.

Sell v. Closure

When a practice is sold to another physician, the aforementioned BAA between the retiring physician and the purchasing physician may be utilized for the appropriate maintenance and availability of records. But when a practice closes, it is often necessary for the retiring physician to contract with an outside entity to maintain the records and ensure their future availability in accordance with HIPAA and state laws. Finding the right record management company is essential in this circumstance, in addition to entering into the required BAA.

Whether you enter into a BAA with a purchasing physician or record management company, ensure that the agreement includes provisions relating to record retention and disposal applicable to the types of records your practice utilizes. For example, there are special rules for mental health, substance abuse, and notifiable disease records. As the BAA is being drafted, attorneys and compliance experts should be consulted to ensure that appropriate provisions are included.

Closing Won’t Allow You to Escape HIPAA Fines

On Feb. 13, 2018, the Department of Health and Human Services announced a settlement with Filefax, Inc. for $100,000.  It was determined that Filefax was a medical record storage company which inappropriately handled the medical records of approximately 2,150 patients by not ensuring that the records were secure.  “The careless handling of PHI is never acceptable,” said OCR Director Roger Severino. “Covered entities and business associates need to be aware that OCR is committed to enforcing HIPAA regardless of whether a covered entity is opening its doors or closing them. HIPAA still applies.” Though Filefax closed its business, HHS was able to secure settlement proceeds via an appointed receiver which “liquidated its assets for distribution to creditors and others.”

Whether you are currently facing the prospect of retirement or whether it is still on the horizon, it’s never too early to speak with a health care compliance professional about the appropriate steps to take to ensure compliance with state and federal laws.

[1] Alabama Board of Medical Examiners Rule 540-X-9-.10(3)

 

Article contributed by Samarria Dunson, J.D., CHC, CHPCattorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama. Find more of Ms. Dunson’s contributions on her partnership page

Posted in: HIPAA

Leave a Comment (0) →
Page 1 of 4 1234