HIPAA Archives - Medical Association of the State of Alabama

Archive for HIPAA

Tracking A Patient’s Every Move: HIPAA Compliance Risk

Posted by Mallory Camerio on April 17, 2024

By: Kelli Fleming with Burr & Forman LLP

The Health and Human Services Office for Civil Rights (”OCR”) recently published a guidance bulletin addressing the use of online tracking technologies by entities covered by HIPAA, including but not limited physician practices.

A tracking technology is used to collect information about how online users interact with websites or mobile applications. For example, have you ever wondered why after you search for a product on google, it automatically appears as an ad in your social media for the next few days? That is the result of a form of tracking technology.

When used by healthcare providers, the information that is collected by way of a tracking technology may be considered protected health information (“PHI”) covered by HIPAA. If a healthcare provider utilizes a tracking technology vendor to gather and analyze information, including information about patients, the provider must ensure that the release of the information to the vendor is compliant with HIPAA and is not an impermissible use or disclosure.

In the recent bulletin, OCR clarified that individually identifiable information “collected on a regulated entity’s website or mobile app generally is PHI, even if the individual does not have an existing relationship with the regulated entity and even if the [information] does not include specific treatment or billing information like dates and types of healthcare services.”

Covered entities that engage a user-authenticated webpage (i.e., a website that requires a log-in) should only allow tracking technologies to use and disclose information in compliance with HIPAA, including in a secure manner. In order to comply with HIPAA, the covered entity must either enter in a Business Associate Agreement (“BAA”) with the vendor, or obtain patient authorization for such use and/or disclosure. Disclosing PHI to tracking technology vendors based solely on informing individuals of such use in the website’s privacy policy or terms of use is not sufficient, nor is merely accepting or rejecting cookie use. There must be either a valid, HIPAA compliant patient authorization or a BAA, and the use and/or disclosure must be permissible under HIPAA. For example, a disclosure to a tracking vendor for marketing purposes, without an authorization, would be impermissible.

Covered entities using a website that is not user-authenticated (i.e., does not require a log-in) need to determine if any of the information obtained by the tracking vendor would be individually identifiable and constitute PHI. If so, a BAA and compliance with HIPAA would be required. However, the determination as to whether or not PHI is being collected by the vendor is not always clear and may not necessarily be known by the provider. OCR provides the example that if a student is writing a term paper regarding oncology services and visits a hospital’s oncology services webpage, information tracked in connection with that website visit would not be considered PHI. However, if a patient were looking at the same page regarding oncology services to see a second opinion on treatment options for a brain tumor, information tracked in connection with that website visit would be considered PHI. It would be difficult, if not impossible, for providers to determine the purpose of the visit.

Thus, based on the recent OCR guidance, if a covered entity is utilizing tracking technologies on its websites, in my opinion, the provider should always act as if PHI is being tracked and enter into a BAA with the vendor and ensure the use/disclosure is appropriate under HIPAA.

Kelli Fleming is a Partner at Burr & Forman LLP practicing exclusively in the Healthcare Practice Group. Kelli may be reached at (205) 458-5429 or kfleming@burr.com.

Tags: HIPAA, social media, technology, tracking

Posted in: HIPAA, Legal Watch, Technology

Leave a Comment (0) →

Training, Training, Training—The First Line of Defense When it Comes to HIPAA Compliance

Posted by Mallory Camerio on August 3, 2021

By: Kelli Carpenter Fleming with Burr Forman

When it comes to HIPAA compliance efforts, the first line of defense in ensuring that protected health information is secured appropriately and compliantly is training your practice’s employees. More often than not, when an inappropriate use or disclosure of protected health information occurs, it is because an employee made a mistake. For example, the employee may have faxed the information to the wrong patient, or released records before confirming that an authorization was on file, or clicked a link in an e-mail opening the door for bad actors to gain access to the system. One way to prevent these mistakes is to train your employees on HIPAA compliance efforts, as well as easy, practical steps they can take to prevent such mistakes. However, a lot of physician practices, especially smaller ones, do not routinely train their employees on HIPAA compliance efforts.

HIPAA training should not occur in a silo. While employees should always be trained upon hire, they should also be trained periodically thereafter. I recommend that clients conduct routine, formal HIPAA training at least once a year. I also recommend implementing less formal monthly HIPAA reminders to ensure that HIPAA remains on the forefront of everyone’s minds. In addition, if an unauthorized use or disclosure occurs, the practice should conduct training related to that incident, at a minimum for the employees involved. If a policy or procedure is changed, training should also be conducted on the revised policy or procedure.

Whenever training is conducted, whether internally or externally, the training must be documented. The documentation should include the date the training was conducted, the employees that were trained, the topics discussed, and a copy of any training materials that were utilized. This documentation becomes extremely important if there is a breach incident or an investigation by OCR.

All physician practices should strengthen their first line of defense when it comes to HIPAA compliance by ensuring that their employees are properly and periodically trained.

Kelli Fleming is a Partner at Burr & Forman LLP and practices exclusively in the firm’s Healthcare Practice Group. Kelli may be reached at (205) 458-5429 or kfleming@burr.com.

Posted in: HIPAA, Legal Watch, MVP

Leave a Comment (0) →

Potential HIPAA Changes That Would Allow Healthcare Providers to Disclose Phi and Better Protect Patients

Posted by Mallory Camerio on May 25, 2021

by Lindsey Phillips, Burr & Forman

On December 10, 2020, the Office for Civil Rights (“OCR”) at the United States Department of Health and Human Services (“HHS”) announced proposed changes to the regulations implementing the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The proposed changes, which are set out in the Notice of Proposed Rulemaking (“NPRM”), are a part of the broader initiative to promote value-based care, enable better coordination among healthcare providers, and facilitate patient autonomy and engagement.

One key theme found in the NPRM that will likely enable better coordination among healthcare providers and potentially increase patient safety is expanded permission to disclose protected health information (“PHI”) to third parties in emergency situations. For example, under the proposed changes, covered entities would be allowed more flexibility to disclose PHI in emergencies like a mental illness and substance abuse crisis. The current standard for disclosure of PHI in an emergency or health crisis is based on the covered entity’s “professional judgment.” This standard has often left covered entities unsure as to when a disclosure is permitted. The proposed modification relaxes this standard slightly in that it would allow a covered entity to disclose PHI in an emergency situation or health crisis when the covered entity has a good faith belief that the disclosure is in the best interest of the individual. A good faith belief could be based either on direct knowledge of relevant facts or representations by a person who can reasonably be expected to know relevant facts. For example, OCR has provided the following scenarios:

Good faith would permit a licensed health care professional to draw on experience to make a determination that it is in the best interests of a young adult patient, who has overdosed on opioids, to disclose relevant information to a parent who is involved in the patient’s treatment and who the young adult would expect, based on their relationship, to participate in or be involved with the patient’s recovery from the overdose. Likewise, front desk staff at a physician’s office who have regularly seen a family member or other caregiver accompany an adult patient to appointments could disclose relevant information to the family member or caregiver as a way of checking on the welfare of the patient, when a patient misses an appointment, based on the staff’s knowledge of the person’s involvement and a good faith belief about the patient’s best interest.

But not only would covered entities be allowed more flexibility to disclose PHI when individuals are experiencing emergencies or health crises, they would also be allowed more leniency to disclose PHI to avert a threat to safety. While covered entities are currently allowed to disclose PHI to prevent threats to health and safety, the current standard is considerably more stringent in that it allows the disclosure of PHI to avert a threat to health or safety only when the threat is “serious and imminent.” Under the changes proposed in the NPRM, covered entities could make a disclosure when the threat is “serious and reasonably foreseeable.” OCR has stated that “[a]dopting a ‘serious and reasonably foreseeable’ standard can enable a health care provider to timely notify a family member that an individual is at risk of suicide, even if the provider cannot predict that a suicide attempt is ‘imminent.'” In addition, “[a]n emergency room doctor who sees an elderly patient with COVID-19 could contact the patient’s nursing home to alert them of the potential exposure of other residents and staff based on the serious and reasonably foreseeable threat of infection with COVID-19 without delay caused by the need to assess whether the threat is sufficiently ‘imminent’ to permit the disclosure.”

These proposed modifications provide additional clarity regarding PHI disclosures that would assist in the Department’s initiatives to increase coordination among healthcare providers and ultimately improve patient safety. Both of these proposed changes would hopefully empower covered entities to disclose PHI in situations where there is a genuine belief that harm is likely without being fearful of HIPAA penalties because the harm was not imminent.

Lindsey Phillips is an associate at Burr & Forman LLP practicing exclusively in the firm’s Healthcare Industry Group.

Posted in: HIPAA, Legal Watch, MVP

Leave a Comment (0) →

The Privacy Vulnerabilities of Zoom Software and Potential Alternatives

Posted by Christina Flack on April 2, 2020

Over the past month, as more nationwide “Shelter at Home” orders have been issued and more companies have transitioned to telework, the need for online meetings and webinars has skyrocketed. To accommodate this new way of doing business, many have turned to a platform called Zoom. The problem? No one bothered to read the fine print.

For those in the healthcare field, privacy is paramount. Yet, by using Zoom, users are seceding any and all content displayed or vocalized to the company. In Zoom’s own privacy statement, some of the “Customer Content” it collects includes “information you or others upload, provide, or create while using Zoom.”[i] Additionally, Zoom also collects personal information like your name, physical address, email address, phone number, job title, employer.[ii] And, even if you don’t make an account with Zoom, it will collect and keep data on what type of device you are using, and your IP address.[iii]

Now, while Zoom has recently updated its privacy policy and is taking steps to make the platform more secure, there are issues beyond the data mining mentioned above. On Monday, for instance, the Boston office of the Federal Bureau of Investigation issued a warning[iv] saying that it had received multiple reports from Massachusetts schools about trolls hijacking Zoom meetings with displays of pornography, white supremacist imagery and threatening language — malicious attacks known as “zoombombing.”[v]

So, what’s the solution? Below are a few good alternative platforms to use instead Zoom:

Apple FaceTime (only available on iPhone and Macs)
Skype (available on all devices) (recommended)
Google Hangouts (available on all devices)
GoToMeeting (available on all devices)
Jitsi (available on all devices)
RemoteHQ (available on all devices)

[i] https://zoom.us/privacy

[iii] Id.

[iv] https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemi; see also https://www.nytimes.com/2020/04/02/technology/zoom-linkedin-data.html?partner=IFTTT

[v] https://www.adl.org/blog/what-is-zoombombing-and-who-is-behind-it; see also https://www.nytimes.com/2020/04/02/technology/zoom-linkedin-data.html?partner=IFTTT

Posted in: Coronavirus, HIPAA, Legal Watch, Management, Scam

Leave a Comment (0) →

Phishing Emails: One Click and That’s It!

Posted by admin on June 21, 2019

Many health care entities recognize that cybersecurity threats present a substantial risk to their organization. Moreover, the HIPAA Security Rule requires health care providers to develop and implement policies and procedures to ensure the confidentiality, integrity and availability of protected health information. However, while entities aim to secure health data, a recent study of health care organizations concludes that phishing attacks still remain a major threat in the health care setting.

What is Phishing?

Phishing occurs when emails are sent to individuals or entities in an attempt to fraudulently gain access to personal information or introduce malware into the computer system. These emails are often disguised to look familiar to the recipient. The perpetrator may disguise their communication to appear to be from a colleague, family member or friend. They may also attest to be from a reputable source, like your bank, PayPal or other legitimate websites. They request that you click on a link or open an attachment. Fraudulent links will generally request that you update your information by entering your username or password. Some may ask for other types of personal information like address, date of birth, social security number or credit card information. Fraudulent attachments may contain malware, the most common being ransomware, which has had a significant negative impact on a number of industries, including health care.

In March of 2019, JAMA released the results of a study in which mock phishing emails were sent to employees of six U.S. hospitals over a period of almost seven years to analyze how often employees of those organizations would click on mock phishing emails. Approximately 2.9 million mock emails were sent, categorized as office related, personal or information technology emails. Just under 422,000 of those mock emails were accessed. Those numbers reflect that 1 in 7 of the mock phishing emails was opened, demonstrating how simple it is to make health care entity’s information systems vulnerable to malware attacks.

An important finding in the study was that the more employees were exposed to mock phishing emails and educated on the consequences of exposure, the less likely they were to open subsequent phishing emails. Thus, employee training and awareness campaigns are essential to reducing the threat of exposure.

Reduce Your Organization’s Risk of Being a Victim of a Phishing Scheme

There are ways that entities can reduce their risk of becoming victims of phishing attacks, including but not limited to the following:

Ensure that your entity has a clear and documented policy which addresses how employees should handle email communications. Some entities forbid accessing personal emails on work equipment while others set specific parameters. Your entity should determine the process that works best for your workforce and enforce that policy.
Train your staff on how they can identify phishing schemes and educate them on the threat that these schemes pose to your organization.
Ask your Information Technology (IT) personnel to send phishing emails to employees to test the number of employees who fall for phishing schemes after training.
Consider purchasing cyber insurance to protect your entity in the event of a malware attack.

Article contributed by Samarria Dunson, J.D., CHC, CHPC, attorney/principal of The Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Ala. Attorney Dunson is also Of Counsel with the law firm of Balch & Bingham, LLP. The Dunson Group, LLC, is an official partner with the Medical Association.

Tags: email, HIPAA, phish, scheme, victim

Posted in: HIPAA

Leave a Comment (0) →

What Are the Top Three Concerns When Negotiating Business Associate Agreements?

Posted by admin on June 13, 2019

Business Associate Agreements (“BAAs”) are a necessary tool for ensuring HIPAA compliance, and the negotiated terms of BAAs are becoming more and more important as we venture into an era of mass cyber attacks and related HIPAA breaches. Covered entities, such a physician practices, are required to enter into a BAA anytime they hire a third-party contractor to perform a service on the covered entity’s behalf if such contractor will require the use of and/or access to the covered entity’s protected health information (“PHI”) in order to perform such service. Examples of potential business associates include accountants, attorneys, billing companies, consultants, and marketing agencies.

Although BAAs contain a large amount of form, standard language, below are my top three provisions to address when negotiating a BAA:

Indemnity. The indemnity provision concerns whether or not the business associate will be responsible for any costs the covered entity incurs as a result of the business associate’s actions. If the business associate violates the terms of the BAA and/or HIPAA and such violation results in a fine, penalty, investigation, claim, etc. against the healthcare provider, the indemnity provision allows the healthcare provider to pursue the business associate and recoup such costs. It holds the business associate responsible for the incident responsible for the associated costs.
Breach Reporting. Every BAA should address how quickly breaches of unsecured PHI, security incidents, and other improper uses and disclosures of patient information will be reported to the covered entity following the discovery by the business associate. I generally recommend no more than a 10-day notice period. The BAA should also specify what information will be provided in the notice, how the business associate will work with the covered entity to address the incident, and, with regard to a breach of unsecured PHI, who will be responsible for the costs of breach notification and who will provide the breach notification.
De-identification of Data. De-identified data is not covered by HIPAA. Thus, if business associates are allowed to de-identify the patient data provided by a healthcare provider, they can use that data for any purpose, including a purpose directly profiting the business associate. For that reason, many healthcare providers disfavor allowing their business associates to de-identify patient data, and either prohibit de-identification entirely or limit the permitted uses and/or disclosures of de-identified data by the business associate to specific purposes (e.g., data aggregation or research).

Although it did not make my top three, seeing as more and more states are developing and expanding breach notification requirements and the obligations surrounding the privacy and security of patient information, the choice of law provision in a BAA is becoming more important. For providers located in Alabama, Alabama should serve as your choice of law—the location where the patient was treated and the location of the generation of the medical information.

Kelli Fleming is a Partner with Burr & Forman LLP and practices exclusively in the firm’s Health Care Industry Group. Burr & Forman LLP is a preferred partner with the Medical Association.

Tags: agreement, BAA, breach, data, HIPAA, privacy

Posted in: HIPAA

Leave a Comment (0) →

How Are HIPAA Breaches Impacting Alabama?

Posted by admin on May 2, 2019

HIPAA enforcement reached an all-time high in 2018, with financial settlements ranging from $100,000 to $16,000,000. The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) is responsible for providing oversight and ensuring HIPAA compliance. Last year alone, OCR resolved a total of 25,089 complaints of HIPAA violations and required at least 632 entities to adhere to Corrective Action Plans which document how those entities will attain and maintain compliance with all applicable components of the HIPAA regulations. While last year’s numbers set records and gained significant attention, those numbers are only expected to increase.

As compliance professionals and media outlets focus on the latest hacking incident or security breach, some may wonder how breaches of health care data are impacting the great state of Alabama. While Alabama has a population of fewer than 5 million people, it is no stranger to OCR investigations. In fact, a look back at the last 15 years of OCR HIPAA enforcement data reflects that the same vulnerabilities that plague states with much larger populations align with issues that burden Alabama covered entities, as well. Alabama, Florida, Minnesota, New Jersey and Ohio are identical with regard to OCR complaint resolution percentages. In these states, OCR concluded that 28% of the complaints received required corrective action on behalf of the HIPAA covered entity. Only 6 percent of complaints in these states were determined not to be violations and 66 percent of complaints were resolved after the intake and review process.

Several breaches impacting the PHI of 500+ individuals have been reported within the state of Alabama. The most recent was the 2018 breach of FastHealth Corporation, a HIPAA Business Associate which contracted with covered entities to perform website and operational services. An unauthorized third party accessed FastHealth’s web server and acquired information from their databases, impacting 1,345 Alabamians. This breach followed a previous breach by the same organization occurring in June 2017 that likewise involved their network server and affected 9,289 individuals.

While large breaches generally receive the most publicity and attention, smaller breaches can be equally as devastating. For instance, breaches involving mental health or communicable disease information can be harmful to the patient whose information was breached, even if it is just one individual. Pursuant to state statutes, breaching this type of information can open an entity up to civil liability, even if numerous individuals are not affected.

Alabama Breach Notification Statute – A Wake-Up Call

When Alabama passed the Alabama Data Breach Notification Act of 2018, many health care providers were pleased to note that there was a specific exemption for entities that were required to adhere to HIPAA. However, a careful review of the exemption language is warranted. Pursuant to Section 11, an entity that is subject to HIPAA regulations and complies with those standards are exempt so long as they do the following:

Maintain procedures pursuant to those laws, rules, regulations, procedures, or guidance.
Provide notice to affected individuals pursuant to those laws, rules, regulations, procedures, or guidance.
Timely provide a copy of the notice to the Attorney General when the number of individuals the entity notified exceeds 1,000.

Thus, to be exempt from the Alabama statute, HIPAA covered entities must do more than simply assert exemption status due to HIPAA regulations. The entity must also demonstrate that it is in compliance with HIPAA.

New Day for Breach Notification Rule Adherence

According to Linda Sanches, Senior Advisor for HIT & Privacy at OCR, it is going to be tougher for entities to conceal breaches. It has come to the attention of OCR that there are HIPAA covered entities who do not report their breaches and have found success staying “under the radar of HIPAA enforcement.” However, Ms. Sanchez announced at the 2019 Health Care Compliance Conference that OCR was not only considering more severe action against entities that did not follow the regulations but that in the future OCR would be observing news reports, interviewing past and disgruntled employees and placing more resources towards seeking out entities that disregarded the regulations.

Alabama covered entities face the same federal regulatory authority as any other state, regardless of size, population or economy. Thus, it is important for health care providers to understand the requirements and ensure that their entity and their workforce is aware of the regulations and how those regulation impact their organization. The most recent national trends on the location and type of breaches from 2018 can be reviewed in the charts below.

Tags: alabama, breach, HIPAA, privacy

Posted in: HIPAA

Leave a Comment (0) →

HHS Lowers Annual Limits of Penalties for HIPAA Violations

Posted by admin on May 2, 2019

Published in the Federal Register on April 30, 2019, the Department of Health and Human Services (“HHS“) issued a notification to inform the public that HHS is exercising its discretion in how it applies regulations concerning the assessment of civil money penalties (“CMPs“) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA“), as such provision was amended by the Health Information Technology for Economic Clinical Health Act (the “HITECH Act“).

In February 2009, Congress enacted the HITECH Act which, among other things, strengthened HIPAA enforcement by increasing minimum and maximum potential CMPs for HIPAA violations. Section 13410(d) of the HITECH Act established four categories for HIPAA violations, with increasing penalty tiers based on the level of culpability associated with the violation:

the person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision;
the violation was due to reasonable cause, and not willful neglect;
the violation was due to willful neglect that is timely corrected; and
the violation was due to willful neglect that is not timely corrected.

Although the HITECH Act set forth different annual penalty caps for each tier (for all violations of an identical requirement or prohibition in a single year), HHS determined that the language of the penalty provisions was conflicting and allegedly referenced two levels of penalties for three of the four tiers. As a result, HHS concluded that the most logical reading of the law was to apply the highest annual cap of $1.5 million to each tier of violation and that such interpretation was consistent with Congress’ intent to strengthen enforcement.

On January 25, 2013, HHS adopted a final rule that applied the annual limit of $1.5 million to all tiers of violation types, as shown in the chart below:

Upon further review by the HHS Office of the General Counsel, HHS has now determined that the better reading of the HITECH Act is to apply annual limits as shown in the chart below:

HHS is expected to engage in future rulemaking to revise the penalty tiers to better reflect the text of the HITECH Act. Until further notice, HHS stated that it will use the new tier structure shown in the chart immediately above, as adjusted for inflation.

Article contributed by Anthony Romano, a partner with Burr & Forman LLP practicing in the firm’s Health Care Industry Group. Burr & Forman LLP is an official partner with the Medical Association.

Tags: cmp, HHS, HIPAA, HITECH, penalty

Posted in: HIPAA

Leave a Comment (0) →

How Can You Ensure Your Email is Safe and HIPAA Compliant?

Posted by admin on May 2, 2019

Using free email providers like Gmail, Yahoo, and MSN are expedient and easy to set up. It’s the reason why some healthcare providers rely on them. While you could stretch to make the argument that these email services can be configured to be “HIPAA capable,” none in the eyes of security experts are HIPAA compliant. And not complying with the safeguards required by HIPAA law can lead to unnecessary violations and costly fines.

What Makes Email Vulnerable?

We all send countless emails every day without thinking about it. But from a technological and safety perspective, there are several links in the chain, which make email vulnerable to malicious interference. Once an email is sent it moves from your workstation to your email server…then onto your recipient’s email server…from there your recipient’s workstation pulls the message from their server. Along the way, there’s a copy of the email stored on each workstation and server.

To satisfy HIPAA requirements, protected health information must be secure both at rest and in transit. This entails having your email messages protected while resting on workstations and servers, but also being secure until they reach the intended recipient’s inbox. There are paid services, like Google’s G Suite, that claim to be HIPAA compliant, but they don’t encrypt your email all the way to the recipient’s inbox. If your email is not secure while in transit, it is susceptible to theft.

The Business Associate Aspect

A big issue with using free email providers is the lack of business associate agreements. As a responsible health care provider, you must have signed agreements with any third-party vendor that handles your protected health information. This means your email and file sharing service needs to sign a business associate agreement in order for them to be HIPAA compliant. Unfortunately, this isn’t possible with free email providers and taking a chance on using one could have costly and disastrous consequences.

Phoenix Cardiac Surgery found this out the hard way in 2012. That’s when they were forced to pay the Department of Health and Human Services $100,000 for HIPAA violations. One of the company’s abuses— as uncovered by the Office for Civil Rights’ investigation—was transmitting electronically protected health information to its employees’ private email accounts using an internet-based email service and posting sensitive data on a publicly accessible, Internet-based calendar service. Phoenix Cardiac Surgery did not have a business associate agreement in place with these vendors, which is a violation of the HIPAA Security Rule.

The Best Way To Secure Your Email

At PCIHIPAA, we offer an email add-on that encrypts your emails and integrates with Outlook, Gmail, and other popular email providers. It’s easy to use, as it allows you to send messages as you normally would. Your recipients are able to view your messages without any software on any browser. With our HIPAA-compliant email solution, you can track and verify that your email has been received by the intended patient. We utilize military-grade end-to-end encryption which ensures that cybercriminals aren’t able to intercept your sensitive data and disrupt your business.

We’ve all heard horror stories about protected health information being compromised via email. It’s simply not worth risking HIPAA violations and fines to use an unsecured email provider.

Call us today at 800-588-0254 and let us know you’re a Medical Association of the State of Alabama member to find out how we can set up an email solution that gives your practice peace of mind and 100% assurance of being HIPAA compliant.

DETERMINE YOUR HIPAA RISK

Tags: compliant, email, HIPAA, pcihipaa

Posted in: HIPAA

Leave a Comment (0) →

Think Your Practice Management Software Makes You HIPAA Compliant?

Posted by admin on March 29, 2019

Complying with HIPAA security standards is a complex matter that demands a comprehensive solution. As a busy healthcare provider, it’s easy and convenient to trust that your practice management software satisfies the necessary HIPAA requirements to keep your electronic medical records safe. But the truth is, in most cases, it doesn’t.

A False Sense of Security

It is a common misnomer that electronic health record (EHR) systems make your practice HIPAA compliant. Companies claim they provide tools that support compliance for technical safeguards. A good thing, but technical safeguards are only one component needed to protect electronic public health information. The HIPAA Security Rule requires two other components: administrative safeguards and physical safeguards. Administrative safeguards include policies and procedures that HIPAA requires and critically important business associate agreements. Physical safeguards protect your data from breaches and unauthorized access. The platform you use to manage your practice might tout that their cloud-based system provides encryption and protection from ransomware. Great, but the question is: do they have all of the crucial aspects needed for HIPAA compliance? Read this next sentence twice. Using practice management software that purports to be HIPAA compliant does not make your practice compliant.

Unfortunately, when it comes to HIPAA compliance, a false sense of security can be dangerous. The violation fines for not following the guidelines enforced by the Department of Health and Human Services’ Office for Civil Rights are costly and can irreparably damage your practice’s reputation. In 2018 alone, HIPAA fines topped $28 million. By not properly protecting your electronic health records, you increase the likelihood of a cyberattack. Being hacked might strike you as a random, unlikely occurrence, but statistics tell a different story. According to a 2016 Lloyd’s Report, 92% of businesses experienced a data breach within a five-year period.

CALCULATE YOUR HIPAA RISK

A Complete HIPAA Solution

PCIHIPAA is an industry leader in HIPAA compliance and data breach protection. We alleviate the angst and uncertainties associated with HIPAA compliancy with a powerful tool called OfficeSafe. Here’s how our software solution fully protects HIPAA electronic medical records:

Comprehensive Risk Assessment – A risk assessment is an annual audit required under the HIPAA Security Rule. Our audit of your practice’s protected health information produces a 22-page report, identifying the potential risks and vulnerabilities to your practice.
Easy Creation of Policies and Procedures – HIPAA regulatory standards mandate that covered entities and business associates develop policies and procedures. OfficeSafe makes regularly updating your policies and procedures easy, ensuring that your staff is informed on important issues such as governing access to electronic public health information and identifying malicious software attacks.
Online Employee Training – Improperly trained employees can lead to reckless handling of electronic public health information and costly HIPAA fines. We take this time-consuming task off of your plate and ensure that your staff understands exactly what is required by HIPAA law.
Crucial Business Associate Agreements – Every vendor and individual you share protected health information with must have a business associate agreement. OfficeSafe makes creating and securely executing these agreements simple and convenient.
$500,000 Cyber Insurance Coverage – Our guaranteed expense reimbursement policy for HIPAA violations covers a range of first and third party exposures, including both physical and non-physical risks. In the event of a HIPAA fine, data breach, or cyberattack, we’ll protect your practice from lost revenue and prevent an interruption to your business.
Email Encryption and Encrypted Cloud-Based Data Backup – At PCIHIPAA, keeping your data secure is our top priority. Our data backup solution is HIPAA compliant with 256-bit encryption and SQL database restoration capabilities. It enables you to distribute confidential protected health information without worry of ransomware or an unexpected incident.
Incident Response Management – Do you have a plan in place in the event of a hurricane, fire, or ransomware attack? Proper preparation—including a data backup plan, a data restoration plan, and an emergency mode operations plan—is a necessity. With OfficeSafe, once you report an incident we’ll work with your IT provider to mitigate the damage and get your business back on track.
PCI Certification – PCI is part of our company name for a good reason. As part of our compliance program, we help you complete the Payment Card Industry (PCI) requirements. Our PCI Compliance program also includes quarterly scans of your network.

The dark web is getting smarter. The risk of not fully and properly securing and maintain your patient’s medical records is a mistake your business can’t afford to make. The good news is peace of mind for your practice and your patients is a click away. Take a complimentary HIPAA Assessment right now, and be on your way toward total HIPAA compliance.