Don’t Forget Your Risk Assessments!

Many medical practices are planning their Security Risk Assessments for the new year. Whether to better qualify for the 2019 Merit-based Incentive Payment System (MIPS) or to fulfill obligations to comply with the HIPAA Security Rule, a strong strategy now will reap benefits later. It’s a good time to remember what is required when conducting a Security Risk Assessment, as there tends to be confusion around what the Risk Assessment should include.

Here are some helpful reminders as we move through the first quarter of the year:

It’s Not Just a Checklist. A proper Security Risk Assessment is a thorough process in which a covered entity under HIPAA identifies, prioritizes and estimates the risks to practice operations resulting from the use or implementation of a specific technology. Once the risks are identified, a mitigation plan should be created that provides a roadmap for ongoing risk management.

Don’t Just Focus on EMR. While your EMR system, and the safeguards in place to protect EMR data, should absolutely be part of the Risk Assessment process, time should also be spent analyzing and assessing the risk to protected data that sits outside the EMR system. Identify the ePHI in the practice that resides outside the EMR application (e.g. files stored on users’ personal computers, data stored in ancillary systems, copiers and scanners, etc.) and assess the risk associated with this data as part of the assessment.

No Specific Methodology Required. While OCR has provided practices with guidance regarding the Security Risk Assessment requirement, there is no mandatory process or method that a practice must follow to comply with it. However, most security professionals recommend following accepted industry frameworks, such as those provided by the National Institute of Standards and Technology (NIST).

Revisit Previous Risk Assessments to Show Progress. When conducting a new Security Risk Assessment, review past analyses and make an effort to document progress made with regard to risk mitigation. Because the spirit of the Security Rule has always been to encourage covered entities to use the Risk Assessment as a starting point for ongoing Risk Management, documenting progress will show that the practice doesn’t consider the Assessment a rote exercise but a vital part of managing and mitigating risk on an ongoing basis.

You Don’t Have to Outsource Your Security Risk Assessment. OCR is quick to point out that there is no requirement, neither in the Security Rule nor under MIPS, for covered entities to outsource their Security Risk Assessment. In fact, OCR has published a free, downloadable tool that practices can use to help fulfill the requirement. However, OCR does go out of its way to explain the time commitment and skill set required to adequately evaluate and use the tool, and encourages all covered entities to seek professional assistance when considering using these resources to self-perform the Security Risk Assessment.

A thorough Security Risk Assessment must stand up to an auditor or investigator, especially in the event of a security incident. A lack of proper Risk Analysis is cited in many investigative findings that have also carried large financial penalties. Take the time to consider how your practice will approach the Security Risk Assessment in 2019, and consider it as an opportunity to genuinely look at where you might be vulnerable and how the Assessment can be used as a springboard for true Risk Management.


Nic Cofield is Director of Client Services with Jackson Thornton Technologies LLC (JTT). JTT is one of the Southeast’s leading providers of managed IT services, cybersecurity services/consulting and IT Risk Assessments to health care providers. JTT is wholly owned by Jackson Thornton CPAs & Consultants, which is a partner with the Medical Association.


Think Your Practice Management Software Makes You HIPAA Compliant?

Complying with HIPAA security standards is a complex matter that demands a comprehensive solution. As a busy healthcare provider, it’s easy and convenient to trust that your practice management software satisfies the necessary HIPAA requirements to keep your electronic medical records safe. But the truth is, in most cases, it doesn’t.

A False Sense of Security

It is a common misconception that electronic health record (EHR) systems make your practice HIPAA compliant. Vendors claim they provide tools that support compliance for technical safeguards. That is a good thing, but technical safeguards are only one of the components needed to protect electronic protected health information. The HIPAA Security Rule requires two other components: administrative safeguards and physical safeguards. Administrative safeguards include the policies and procedures that HIPAA requires and the critically important business associate agreements. Physical safeguards protect your data from breaches and unauthorized access. The platform you use to manage your practice might tout that its cloud-based system provides encryption and protection from ransomware. Great, but the question is: does it cover all of the crucial aspects needed for HIPAA compliance? Read this next sentence twice. Using practice management software that purports to be HIPAA compliant does not make your practice compliant.

Unfortunately, when it comes to HIPAA compliance, a false sense of security can be dangerous. The violation fines for not following the guidelines enforced by the Department of Health and Human Services’ Office for Civil Rights are costly and can irreparably damage your practice’s reputation. In 2018 alone, HIPAA fines topped $28 million. By not properly protecting your electronic health records, you increase the likelihood of a cyberattack. Being hacked might strike you as a random, unlikely occurrence, but statistics tell a different story. According to a 2016 Lloyd’s Report, 92% of businesses experienced a data breach within a five-year period.

A Complete HIPAA Solution

PCIHIPAA is an industry leader in HIPAA compliance and data breach protection. We alleviate the angst and uncertainties associated with HIPAA compliance with a powerful tool called OfficeSafe. Here’s how our software solution fully protects HIPAA electronic medical records:

  • Comprehensive Risk Assessment – A risk assessment is an annual audit required under the HIPAA Security Rule. Our audit of your practice’s protected health information produces a 22-page report, identifying the potential risks and vulnerabilities to your practice.
  • Easy Creation of Policies and Procedures – HIPAA regulatory standards mandate that covered entities and business associates develop policies and procedures. OfficeSafe makes regularly updating your policies and procedures easy, ensuring that your staff is informed on important issues such as governing access to electronic protected health information and identifying malicious software attacks.
  • Online Employee Training – Improperly trained employees can lead to reckless handling of electronic protected health information and costly HIPAA fines. We take this time-consuming task off of your plate and ensure that your staff understands exactly what is required by HIPAA law.
  • Crucial Business Associate Agreements – Every vendor and individual you share protected health information with must have a business associate agreement. OfficeSafe makes creating and securely executing these agreements simple and convenient.
  • $500,000 Cyber Insurance Coverage – Our guaranteed expense reimbursement policy for HIPAA violations covers a range of first and third party exposures, including both physical and non-physical risks. In the event of a HIPAA fine, data breach, or cyberattack, we’ll protect your practice from lost revenue and prevent an interruption to your business.
  • Email Encryption and Encrypted Cloud-Based Data Backup – At PCIHIPAA, keeping your data secure is our top priority. Our data backup solution is HIPAA compliant with 256-bit encryption and SQL database restoration capabilities. It enables you to distribute confidential protected health information without worry of ransomware or an unexpected incident.
  • Incident Response Management – Do you have a plan in place in the event of a hurricane, fire, or ransomware attack? Proper preparation—including a data backup plan, a data restoration plan, and an emergency mode operations plan—is a necessity. With OfficeSafe, once you report an incident we’ll work with your IT provider to mitigate the damage and get your business back on track.
  • PCI Certification – PCI is part of our company name for a good reason. As part of our compliance program, we help you complete the Payment Card Industry (PCI) requirements. Our PCI Compliance program also includes quarterly scans of your network.

The dark web is getting smarter. Not fully and properly securing and maintaining your patients’ medical records is a mistake your business can’t afford to make. The good news is that peace of mind for your practice and your patients is a click away. Take a complimentary HIPAA Assessment right now, and be on your way toward total HIPAA compliance.


Do You Know How to Easily Avoid a HIPAA Penalty?

Individuals cannot file a lawsuit for alleged HIPAA violations, but can file a legal action under many state laws.

In situations, such as data breaches, in which individuals’ personal information is compromised, individuals can pursue lawsuits seeking relief for damages.

*There is no obligation to purchase our services. Only an obligation to take the assessment and document your office’s key vulnerabilities.

“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations.”

Roger Severino
Director, Office for Civil Rights

Free HIPAA Compliance Webinar

Protect your patients’ protected health information

Avoid HIPAA violations and penalties

Save yourself from the headaches of HIPAA compliance

Ruling Reaffirms Individuals Cannot File HIPAA Lawsuits

A federal court recently dismissed a case filed by a patient alleging a laboratory violated HIPAA by failing to shield from public view her personal health information displayed on a computer intake station.

The ruling reaffirmed a longstanding precedent that individuals cannot file a lawsuit, known as a “private cause of action,” for alleged HIPAA violations.

Privacy attorney Iliana Peters of the law firm Polsinelli points out, however, that individuals can file legal action under many state laws.

“It’s extremely important to note that although HIPAA does not have a private right of action, many state laws require entities, both healthcare entities and others, to implement HIPAA-like protections for consumer data, and have stiff penalties,” she says.

For alleged HIPAA violation cases, the Department of Health and Human Services Office for Civil Rights and state attorneys general are the only parties that can bring legal action, Golding notes.


Easily Avoid Penalties for HIPAA Violations

Protect your reputation, your practice and your patients’ information.

Avoid willful neglect and the associated HIPAA penalties by attending your no-obligation, 30-minute Risk Review after you complete your complimentary HIPAA Risk Assessment.

PCIHIPAA will review your HIPAA risk assessment and suggest HIPAA compliant policies and procedures.


As a member of the Medical Association of the State of Alabama, you will receive (with no further obligation):

  1. Complimentary 2018 HIPAA Risk Assessment (now mandatory under Section 164.308(a)(1)(ii)(A))
  2. A 23-Page Risk Analysis Report
  3. A Free 30-Minute HIPAA Risk Consultation
  4. 1 Year of Free Identity Restoration Protection

If you have any questions, call PCIHIPAA at (800) 588-0254. Let them know you are a member of the Medical Association of the State of Alabama.


HIPAA Illiteracy Is Considered Willful Neglect


Unsure of your practice’s vulnerabilities?

Judge Rules in Favor of OCR and Requires $4.3 Million in Penalties for HIPAA Violations

OCR’s investigation found that MD Anderson had written encryption policies, and its own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI. Despite the encryption policies and the high-risk findings, MD Anderson failed to encrypt its inventory of electronic devices containing ePHI.


Easily Avoid Penalties for HIPAA Violations

Protect your reputation, your practice and your patients’ information. MD Anderson knew of its vulnerabilities and high-risk findings, but failed to act.

Avoid Willful Neglect and the associated HIPAA penalties starting with a Confidential Risk Assessment.

Attend your no-obligation risk analysis review and have a PCIHIPAA Senior Compliance Officer review your HIPAA risk assessment and suggest HIPAA compliant solutions to your vulnerabilities.

Not protecting the privacy and security of your patient information leads to non-compliance fines, data breaches and reputational risk.

Practices are responsible for patients’ protected health information no matter the consequences.


Let PCIHIPAA know you are a member of the Medical Association of the State of Alabama and claim:

  1. Complimentary 2018 HIPAA Risk Assessment (now mandatory under Section 164.308(a)(1)(ii)(A))
  2. A 23-Page Risk Analysis Report
  3. A Free 30-Minute HIPAA Risk Consultation
  4. 1 Year of Free Identity Restoration Protection

Get on the path to compliance in less than 60 days

PCIHIPAA | Products & Services | 800-588-0254

PCIHIPAA takes the guesswork out of HIPAA Compliance.
We make sure HIPAA and PCI Compliance is simple and easy to manage.
We work with thousands of practices like yours.
A+ rating with the BBB.


Liquid Gold or Reimbursement Trap? Payor Reimbursement Policies for Urine Drug Testing

Last summer, we wrote about physician roles and responsibilities to implement best practices in pain management programs and other treatments involving the prescription of opioids.[1] Here we discuss issues related to getting paid to implement one of these best practices — appropriate urine drug testing.

The urine drug testing field has been described as a huge profit center with a growing number of clinics that run their own testing operations instead of farming them out to independent labs;[2] but the numbers don’t always add up. This article takes a closer look at urine drug testing guidance from the Alabama Board of Medical Examiners and the Centers for Disease Control and Prevention and examines the urine drug testing policies for Medicare and Blue Cross & Blue Shield of Alabama to highlight an area where best practice and payor policies don’t always agree.

The “Best Practices”

When the BME finalized a new rule last year regarding risk mitigation strategies (RMS) for physicians prescribing controlled substances, urine drug testing was one of several recommended aspects of the RMS.[3] The BME’s rule does not specify the frequency with which physicians should use urine drug testing in their RMS, but the CDC’s guidance[4] on opioid prescribing best practices is informative.

According to the CDC’s study, experts agreed clinicians should use urine drug testing before the initiation of treatment using opioids and periodically thereafter to assess for prescribed opioids, other controlled substances, and illicit substances that may increase the risk of overdose when combined with opioids. However, experts disagreed on the frequency with which urine drug testing should be used to monitor treatment regimens and patient compliance, as well as on the degree to which urine drug testing should apply to all patients uniformly, as compared to individual case-by-case determinations.

The study also addresses the appropriate use of qualitative “screening” panels and quantitative “confirmatory” or “definitive” testing. The CDC recommends relatively inexpensive screening panels for illicit drugs and commonly prescribed opioids prior to initiation of treatment. More expensive confirmatory testing should be reserved “for situations and substances for which results can reasonably be expected to affect patient management” (e.g. in the case of positive screenings or unexpected negative screenings).

These suggested best practices can have a positive impact on patient treatment involving opioids and other controlled substances, but they may put physicians in the position of ordering tests for which reimbursement is not available. In fact, as the CDC report acknowledged, the direct costs of urine drug testing “often are not covered fully by insurance.”

Sometimes, it just doesn’t pay…

Payors impose different requirements regarding medical necessity and frequency of drug testing. If you read through the BCBSAL and Medicare urine drug testing policies, it may seem the differences between the two policies are minor. However, these two payors differ on the frequency of monitoring screenings (after the initiation of treatment) that are considered medically necessary, as well as on their coverage policies for confirmatory tests.[5]

The most notable coverage difference we have seen between the two programs is in their application of the confirmatory testing policies, specifically each payor’s interpretation of the word “test.” To illustrate, consider the following G-codes for confirmatory/definitive drug testing: G0480 (definitive drug test for 1-7 drug class(es)), G0481 (definitive drug test for 8-14 drug class(es)), G0482 (definitive drug test for 15-21 drug class(es)), and G0483 (definitive drug test for 22 or more drug class(es)). Medicare treats each G-code as a “test” for purposes of counting tests toward a coverage or benefit limit.[6]

By contrast, it is our understanding from conversations with BCBSAL that they consider each drug or drug class to represent a “test” for coverage and benefit limits, despite the fact that each G-code comprises a range of drug classes in multiples of seven. Because BCBSAL limits coverage of confirmatory tests to three tests per qualitative drug screen, in theory, reimbursement to providers would only be covered by BCBSAL under G-code G0480 for up to three drug classes tested per qualitative screening. To the extent providers bill BCBSAL for additional confirmatory tests beyond the three-test limit, they would likely be non-covered or result in an overpayment. BCBSAL’s restrictive policies are certainly a limiting factor on physicians trying to implement the best practices described above, and physicians should be aware of the different coverage policies between Medicare and BCBSAL with regard to confirmatory tests.

We chose to highlight this particular coverage policy difference between Medicare and BCBSAL because it is not readily apparent from a reading of the two policies. However, there are other nuanced aspects of payor policies on urine drug testing. Physicians and billing/coding personnel should consult the relevant payor billing guidelines, with the assistance of counsel as necessary, in order to determine coverage for a particular test or service.


[1] Christopher L. Richard, Just What the Doctor Ordered: An Alabama Perspective on the Opioid Epidemic, Alabama Medicine, Summer 2017, at 4.

[2] See, e.g., David Segal, In Pursuit of Liquid Gold, New York Times (December 27, 2017).

[3] Ala. Admin. Code r. 540-X-4-.09(2)(b) (March 9, 2017).

[4] Deborah Dowell, MD et al., CDC Guideline for Prescribing Opioids for Chronic Pain—United States, 2016, CDC: Morbidity and Mortality Weekly Report (March 18, 2016).

[5] See BlueCross BlueShield of Alabama Policy No. 566, Drug Testing (last reviewed December 2016); Local Coverage Determination (LCD): Controlled Substance Monitoring and Drugs of Abuse Testing (L35724).

[6] 2017 Controlled Substance Monitoring and Drugs of Abuse Coding and Billing Guidelines (M00128 V5), Palmetto GBA (describing each G-code as a “service” and providing that providers may only perform and report one G-code per date of service).

Article contributed by Christopher L. Richard with Gilpin Givhan, P.C. Gilpin Givhan, P.C., is an official Bronze Partner with the Medical Association.


Breach Notification…Who, How, When?

February is typically a very busy month for health care compliance professionals because the majority of breaches are required to be reported to the Department of Health and Human Services (HHS) within the first 60 days of the calendar year following the breach. However, the type of breach determines the applicable deadline, so it is very important to know what needs to be reported, to whom, and when.

Entities regulated by HIPAA, including healthcare providers, health plans and business associates, must identify breaches in an adequate and timely manner and respond to breaches accordingly. This response includes identifying the occurrence, thoroughly investigating the incident, completing a thorough Breach Assessment of the incident and timely reporting conclusions to the appropriate parties.

A “breach” is an impermissible use or disclosure that compromises the privacy or security of protected health information. When a breach occurs in a health care setting, the entity may be required to provide notice of the breach to affected parties, including the patient or client, HHS and in some instances media outlets.


Health care entities are required to assess all breaches by considering the likelihood that patient or client protected health information was compromised. This is different from the previous harm standard, which required a determination of whether the breach caused a significant risk of financial, reputational or other harm. Under the compromise standard, consideration is given to the identity of the individual to whom the information was wrongfully provided and the possibility of that individual being able to retain and/or utilize the information.

Entities rely on their Breach Assessment tool to assist them with developing conclusions about the status of a breach. Unless an entity can substantiate and document that the breach was low-risk, it must be reported to appropriate parties as a breach. Pursuant to federal regulation, specific elements must be considered before an entity can determine a breach to be low-risk. Those elements include:

  • The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized person who used the protected health information or to whom the disclosure was made;
  • Whether the protected health information was actually acquired or viewed; and
  • The extent to which the risk to the protected health information has been mitigated.[1]

These elements, in addition to other documented analysis, must be included on the entity’s Breach Assessment. This document should be customized to the entity and identify criteria that would lead to an objective determination about the nature of the breach.

The adequacy of an entity’s Breach Assessment tool is vital to that entity reaching an appropriate conclusion. The Breach Assessment should document the type of breach and the source of the breach. It should reflect whether it was an oral breach or whether documentation was shared. It should consider whether the individual with whom the information was shared is also a workforce member of a HIPAA-covered entity or whether that individual had any duty to keep the information confidential. After considering these questions, in addition to other factors, the entity should be able to make a reasonable determination about whether the protected health information was compromised.

Content of Notice

If an entity determines that a breach occurred and that breach notification is necessary, they must provide notice of the breach, which at a minimum includes the following:

  • A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
  • A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
  • Any steps individuals should take to protect themselves from potential harm resulting from the breach;
  • A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and
  • Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, website, or postal address.[2]

Timeliness Requirements

Entities must adhere to specific deadlines for breach reporting. The timeline is considered to have started on the date that the entity “knew or should have known of the breach,” meaning that the entity either had direct knowledge of the breach or, in the exercise of due diligence, should have been aware that the breach took place. This “should have known” element is important because it holds entities responsible for breaches based on an objective standard, which discourages entities from pretending to be unaware of breach incidents.

Notification deadlines are directly related to the size of the breach. Breaches affecting fewer than 500 individuals require notification to the patient within 60 days of discovery of the breach, also known as Individual Notice. Additionally, for breaches affecting fewer than 500 individuals, notification must be provided to HHS within the first 60 days of the following calendar year.

Breaches involving 500 individuals or more require entities to meet the Individual Notice standard described above, but also require simultaneous notice to HHS and media notice. Media notice must take place both in the place where the entity does business and in the location where the individuals affected by the breach reside. For example, suppose a practice is located in Montgomery, Ala., and provides services to patients in Montgomery and in Huntsville, Ala. The entity will be responsible for contacting media outlets in both Montgomery and Huntsville to ensure that consumers are informed of the breach. Additionally, if the entity has a website, the notice must also be placed on the entity’s website.

Wall of Shame (for breaches of 500 individuals or greater)

The HHS Office for Civil Rights (OCR) notifies the public of large breaches in an effort to strengthen consumer trust and transparency. These breaches can be found on the HHS website and are known in the health care industry as the “Wall of Shame.” The Wall of Shame identifies entities that are currently under investigation, as well as entities that have already settled their cases with HHS or otherwise resolved their cases through administrative proceedings. It documents the name of the entity, the exact number of people involved in the incident and the type of breach. While the Wall of Shame generally reports incidents that occurred within the last two years, there is also an archive section that allows consumers to review cases occurring before that cutoff period. You can view the HHS Wall of Shame by utilizing the following link:

Understanding the Breach Notification Rule can be tricky. This area of the regulations has many aspects that require professionals to perform specific analysis as they navigate each incident. Your entity compliance professional should be trained on the requirements and ensure that your policies and procedures are updated regularly. Your entity can report breaches to HHS by utilizing the following link:

Should your entity have questions regarding the Breach Notification Rule, they should contact a healthcare compliance professional for guidance.

[1] 45 CFR 164.402(a)(2)

[2] 45 CFR 164.404 (c)

Article contributed by Samarria Dunson, J.D., CHC, CHPC, attorney/principal of The Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Ala. The Dunson Group, LLC, is an official partner with the Medical Association.


A HIPAA Contingency Plan: Yes, It’s Boring. Yes, You Must Do It.

When was the last time you reviewed your entity’s Contingency Plan? If it has been a while, or never, you need to get to work. In light of recent natural disasters and ransomware attacks, the necessity of thorough and documented contingency planning, including backup and disaster recovery, has become a focus for health care entities.

Pursuant to the Health Insurance Portability and Accountability Act (HIPAA), health care entities are required to account for the confidentiality, integrity and accessibility of their electronic protected health information (ePHI). They must consider potential incidents that may affect their information systems, such as fires, vandalism, malware attacks and tornadoes. Then they must document their strategy for operating during those events.

Contingency planning should begin with a review of the entity’s Risk Analysis. This document identifies what type of ePHI the entity accesses or maintains, where the data resides, and how the entity handles the data. Afterwards, the entity should begin the process of developing specific Administrative Safeguards.

A Data Backup Plan is essential, especially in instances of malware and natural disasters. Entities must put procedures in place to create and maintain exact copy backups of their data that they can readily retrieve. For example, if an entity is heavily damaged by a tornado or fire, they must be able to gain access to the data that they previously utilized within their entity. Without the benefit of timely system backups, the entity would not be able to recover up-to-date data which can be a serious liability when treatment decisions are being made about patients/clients without the benefit of their most current records.

The entity should ensure that there is an appropriate off-site backup of the entity’s ePHI and that the backup is being appropriately performed. These exact copy backups generally occur on a daily, weekly and monthly basis. The entity should maintain copies of these backups and should test the system periodically to ensure that the backup process is working in accordance with the required standards.

The ability to recover lost or stolen data can be critical. The entity should ensure that they have an effective Disaster Recovery Plan that complies with the National Institute of Standards and Technology (NIST) specifications.[1] The Disaster Recovery Plan should identify risks observed in the Risk Analysis and reflect a comprehensive plan to recover ePHI within specific time parameters, generally 24 to 48 hours. Additionally, careful consideration must be given to appropriate off-site locations that the entity could utilize if their primary location is no longer available. All workforce members should be informed of the plan and trained on their specific role.

An Emergency Mode Operations Plan documents the manner in which the entity will work throughout the course of the emergency. This relates to the critical business processes that must take place to protect ePHI during and following the emergency or disaster. Examples include determining the need for additional equipment or supplies, ensuring hardware and software compatibility to retrieve ePHI and if necessary, communicating changes to patients/clients.

Testing and Revision Procedures are required for the Data Backup, Disaster Recovery and Emergency Mode Operation Plans. These tests should occur within the timelines listed in the entity’s Risk Analysis and in all instances no less than annually. The testing process should be documented and evaluated to determine any need for revision.

Entities should perform an Application and Data Criticality Analysis to identify the information systems that are most important from a business operations perspective. This allows the entity to prioritize which databases need to be restored and in what order. For example, if a health care provider were the victim of a ransomware attack and they were attempting to recover the data, the Application and Data Criticality Analysis would identify the exact systems that are most crucial to their operations, allowing them to more easily prioritize the recovery process.

What does a compliance professional look for when auditing an entity for compliance with contingency planning? Entities should be able to produce the following:

  • A documented Contingency Plan which covers each of the specifications listed above, namely Data Backup Plan, Disaster Recovery Plan, Emergency Mode Operations Plan, Testing and Revision Procedures and Application and Data Criticality Analysis;
  • Documented roles and responsibilities of workforce members during disasters or emergencies;
  • Documentation that identifies the entity’s critical applications;
  • Documentation to demonstrate the plan is periodically reviewed and tested; and
  • Documentation that reflects whether amendments to the Contingency Plan or Risk Analysis were warranted and implemented, if applicable.

While contingency planning is important for appropriate business operations and HIPAA compliance, it is also critical to patient care. Patients count on health care providers to provide appropriate treatment and care during normal periods and during emergencies. If an emergency or disaster leaves an entity without access to its ePHI and with no plan to recover or otherwise gain access to the data, that creates unnecessary liability for the provider, who is then treating the patient without access to their current records. Patient care should be paramount to the mission of all health care entities.

[1] Although only federal agencies are required to follow NIST standards, they represent industry standards for how health care entities should handle ePHI.

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.

Posted in: HIPAA


Is Your HIPAA Contingency Plan Adequate?

Your response to this question may include one of the following answers:

  1. What in the world is a Contingency Plan?
  2. I think we did that, but I’m not sure where it is.
  3. I know we did one a while back, but we haven’t looked at it in a while.

If any of these responses sound familiar, you will want to get to work. FAST!

HIPAA covered entities are required to protect the integrity, confidentiality and availability of electronic protected health information (ePHI).  In accordance with §164.308(a)(7) of the HIPAA regulations, covered entities are required to develop and maintain a Contingency Plan.  Specifically, covered entities are required to “establish (and implement as needed) policies and procedures for responding to an emergency or other occurrences (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.” The purpose of this requirement is to ensure that entities are able to properly recover or access the accurate health information of their patients and clients during emergencies.

Entities must fulfill this requirement by satisfying “required” and “addressable” standards. Required specifications must be implemented while addressable specifications allow an entity to have more flexibility with regard to how they develop and implement the specification.

A Contingency Plan should include the following:

  1. Data Backup Plan (Required)
  2. Disaster Recovery Plan (Required)
  3. Emergency Mode Operation Plan (Required)
  4. Testing and Revision Procedures (Addressable)
  5. Applications and Data Criticality Analysis (Addressable)

Data Backup Plan

Entities must have internal controls as well as a working relationship with vendors of their information systems to ensure that the entity has the ability to do an up-to-date exact copy backup of its ePHI. The entity should have mechanisms in place to ensure that the backup is performed properly. This backup process must be periodically tested to ensure the integrity of the ePHI.

Data Recovery Plan

A Data Recovery Plan for use in disasters and emergencies must be developed.  Entities should review the HIPAA Risk Analysis to consider foreseeable threats. The Data Recovery Plan should reasonably mitigate any identified threats. In many instances, the entity needs to ensure that the Data Recovery Plan allows workforce members to access ePHI no later than 24 hours after a disaster occurs or a time deemed reasonable by the entity. Employees and staff must be educated with regard to their responsibilities in instances of emergencies when data recovery is warranted.

Emergency Operations Plan

An Emergency Operations Plan must be developed and documented. Entities should solicit the assistance of vendors of the information systems that house the entity’s ePHI to devise a plan for how the entity should function during emergencies. This coordination shall include identifying alternate sites for work operations. The Emergency Operations Plan should be tested periodically at the intervals established by the entity’s risk management policy.

Testing and Revision Procedures

The Contingency Plan should be assessed and the entity should identify the need for any revisions. This testing should occur at least annually. This process, as well as any revisions that occur as a result of testing, should be documented. Testing shall include, but is not limited to, the disaster recovery plan, data backup plan and emergency operations plan.

Applications and Data Criticality Analysis

The entity must develop and amend their Risk Analysis, as necessary. As threats or vulnerabilities are identified in the Risk Analysis, the entity must work to resolve identified risks. The entity must ensure that contingency plans are included in the Risk Analysis and that vulnerabilities are appropriately addressed.

Where Should You Start?

  1. Develop a risk management group to oversee this process, as well as other HIPAA-related policies and procedures.
  2. Determine where your ePHI is stored and utilized in your entity.
  3. Consider threats to your ePHI (e.g. fires, flooding, hurricanes, tornadoes).
  4. Develop procedures for how your entity will respond to these threats.
  5. Test and evaluate the procedures.

Don’t Forget to Document

Some entities invest considerable time and resources considering how they will respond to disasters and emergencies. Often, they implement procedures that are communicated orally but they fail to document the procedures and fail to develop written policies. Always remember, “if it isn’t written down, it didn’t happen.” Entities must ensure that they memorialize their contingency planning efforts by implementing written policies and procedures.

The absence of a written HIPAA Contingency Plan is indicative of an entity that has 1) not undergone a HIPAA compliant Risk Analysis or 2) has undergone an inadequate HIPAA Risk Analysis. In either case, the entity’s lack of attention to such a critical process could be detrimental to the health of its patients and the entity itself.

To ensure that your entity is complying with federal regulations, please consult a health care compliance professional.

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.

Posted in: HIPAA


Report: Deaths from Cancer Higher in Rural America

Despite decreases in cancer death rates nationwide, a new report shows slower reduction in cancer death rates in rural America (a decrease of 1.0 percent per year) compared with urban America (a decrease of 1.6 percent per year), according to data released today in CDC’s Morbidity and Mortality Weekly Report. The report is part of a series of MMWR studies on rural health.

The report is the first complete description of cancer incidence and mortality in rural and urban America. Researchers found that rates of new cases for lung cancer, colorectal cancer, and cervical cancer were higher in rural America. In contrast, rural areas were found to have lower rates of new cancers of the female breast and prostate. Rural counties had higher death rates from lung, colorectal, prostate, and cervical cancers.

“While geography alone can’t predict your risk of cancer, it can impact prevention, diagnosis and treatment opportunities – and that’s a significant public health problem in the U.S.,” said CDC Acting Director Anne Schuchat, M.D. “Many cancer cases and deaths are preventable and with targeted public health efforts and interventions, we can close the growing cancer gap between rural and urban Americans.”

In the study, researchers analyzed cancer incidence data from CDC’s National Program of Cancer Registries and the National Cancer Institute’s Surveillance, Epidemiology, and End Results program. Cancer deaths were calculated from CDC’s National Vital Statistics System. Counties were grouped by urbanization and population size.

Key findings from analysis of cancer rates

  • Death rates were higher in rural areas (180 deaths per 100,000 persons) compared with urban areas (158 deaths per 100,000 persons). Cancer deaths in rural areas decreased at a slower pace, increasing the differences between rural and urban areas.
  • While overall cancer incidence rates were somewhat lower in rural areas (442 cases per 100,000 persons) than in urban areas (457 cases per 100,000 persons), incidence rates were higher in rural areas for several cancers, including those related to tobacco use such as lung cancer and those that can be prevented by cancer screening such as colorectal and cervical cancers.
  • While rural areas have lower incidence of cancer than urban areas, they have higher cancer death rates. The differences in death rates between rural and urban areas are increasing over time.

“Cancer – its causes, its prevention, and its treatment – is complicated,” said Lisa C. Richardson, M.D., oncologist and director of CDC’s Division of Cancer Prevention and Control. “When I treat cancer patients, I don’t do it alone – other healthcare professionals and family members help the patient during and after treatment. The same is true for community-level preventive interventions. Partnerships are key to reducing cancer incidence and the associated disparities.”

The CDC researchers identify a number of proven strategies that can reduce the gaps in new cancer cases and deaths. Healthcare providers in rural areas can:

  • Promote healthy behaviors that reduce cancer risk. Prevent tobacco initiation, promote tobacco cessation, and eliminate secondhand smoke exposure. Limit excessive exposure to ultraviolet rays from the sun and tanning beds. Encourage physical activity and healthy eating to prevent and reduce obesity, which is associated with several types of cancer.
  • Increase cancer screenings and vaccinations that prevent cancer or detect it early. Recommend patients receive vaccination against cancer-related infectious diseases such as HPV and hepatitis B virus. Recommend appropriate cancer screening tests such as Pap tests and colonoscopy.
  • Participate in the state-level comprehensive control coalitions. Comprehensive cancer control programs focus on cancer prevention, education, screening, access to care, support for cancer survivors, and overall pursuit of good health.

These data from CDC provide a clear direction for the work that needs to be done to reduce cancer disparities throughout the U.S., and provide the foundation for proven strategies that could be implemented. Proven strategies to improve health-related behaviors, increased use of vaccinations that prevent infections that can cause cancer, and use of cancer screening tests – particularly among people that live in rural and underserved areas – can help reduce the rates of cancer and cancer deaths across America.

For more information on rural health:

Posted in: Health


A Risk Analysis Is Your Entity’s Annual HIPAA Checkup

The Health Insurance Portability and Accountability Act (HIPAA) requires all covered entities to conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, availability and integrity of electronic protected health information (ePHI). This process must be documented as a Risk Analysis. Covered entities must develop a Risk Analysis at their inception and review the Risk Analysis at least annually to identify potential changes to their information systems, physical environment, and/or the regulatory environment that may affect how they handle ePHI.

When performing a Risk Analysis, entities should review the HIPAA regulations and recommendations from the National Institute of Standards and Technology (NIST). Although federal agencies are the only entities required to comply with NIST, these guidelines act as the industry standard and should be followed by all covered entities.

Generally, a Risk Analysis is performed by the entity’s Security Officer. HIPAA requires each entity to have a designated Security Officer.  This designation must be in writing. The designated Security Officer must be familiar with the entity’s operations and competent in Information Technology. In accordance with NIST standards, the Security Officer should take the following steps to create or review the Risk Analysis:

  1. Determine where the entity’s ePHI is stored;
  2. Interview management to determine how workforce members utilize ePHI;
  3. Review access security settings and controls of the information systems;
  4. Determine the present and potential threats to ePHI;
  5. Determine the likelihood and impact of current and potential threats and assign them a risk level of high, medium or low;
  6. Document the Risk Analysis process and attach it to the updated Risk Analysis; and
  7. Work with management to resolve all threats within a reasonable period, with priority given to issues of higher risk and vulnerability.

Risk Analysis Content

A Risk Analysis shall include the evaluation of administrative, technical and physical safeguards.

Administrative Safeguards are defined as “administrative actions, and policies and procedures, to manage the selection, development, implementation and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”[1] Administrative safeguards include the following:

  1. Assigned Security Responsibilities
  2. Security Management
  3. Information Access Management
  4. Business Associate Agreements
  5. Security Incident Procedures
  6. Security Awareness and Training
  7. Workforce Security
  8. Contingency Plans
  9. Evaluation

Technical safeguards are defined as “technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”[2]  Technical safeguards include the following:

  1. Access Controls
  2. Audit Controls
  3. Integrity
  4. Person or Entity Authentication
  5. Transmission Security

Physical safeguards are defined as “physical measures, policies, and procedures to protect a covered entity’s or business associate’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”[3] Physical safeguards include the following:

  1. Facility Access Controls
  2. Workstation Use
  3. Workstation Security
  4. Device and Media Controls

The completed Risk Analysis must be maintained for at least six (6) years and should be kept in paper and electronic form.

Risk Analysis vs. Risk Management

Health care entities often confuse Risk Analysis and Risk Management. While a Risk Analysis serves to identify threats and estimate their risks, Risk Management is the process of managing identified risks. Risk Management consists of the development of policies and procedures that dictate how to address identified risks.

Several Risk Analysis tools exist that entities can utilize. However, the Department of Health and Human Services (HHS) encourages entities to seek expert advice when completing a Risk Analysis to ensure that the Risk Analysis is accurate and thorough. Additionally, the National Institute of Standards and Technology (NIST) has produced a series of publications that can assist covered entities with understanding information technology security. Those publications can be viewed by visiting

A proper Risk Analysis is a necessity not only because it is required by HIPAA regulations, but also because it offers the entity the best opportunity to identify and deal with risks associated with the preservation of ePHI.  Finally, in the event a covered entity has to answer for a breach of PHI, the failure to produce a proper Risk Analysis could lead to sufficient justification for punitive action by HHS.

[1] 45 CFR 164.304

[2] 45 CFR 164.304

[3] 45 CFR 164.304

The Dunson Group is a health care compliance law firm in Montgomery, Ala., focused on helping health care providers meet regulatory requirements. Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, and regularly contributes articles of special interests to physicians and practice managers.

Posted in: HIPAA
