Archive for Technology

Summary of Telehealth Waivers as of April 1, 2020

By: Jim Hoover, Burr & Forman, LLP

The changes made to the requirements for telehealth services since the start of the COVID-19 pandemic have been swift and substantial. For the first several weeks, it seemed changes were made almost daily. As time has passed, the changes to telehealth have stabilized enough that a summary of the current telehealth issues is possible. However, changes may still be forthcoming, so the following is a summary of the significant topics related to providing telehealth services as of the date of this article. Physicians should continue to monitor announcements related to telehealth requirements, as changes will surely continue to evolve.

Medicare – On March 30, 2020, the Centers for Medicare & Medicaid Services (CMS) announced additional temporary expansion of telehealth services to Medicare beneficiaries. CMS’s announcement of this new reimbursement flexibility builds on its prior expansion of telehealth services to address the COVID-19 pandemic. Prior to the March 30, 2020 announcement, CMS announced the following: (1) the patient location requirement was being waived to allow the patient to be in their home or other location; (2) the audio-video link can be something as simple as Skype, FaceTime or Facebook Messenger video calls. However, the audio-video link has to be a real-time audio and a one-to-one video connection, and cannot be public-facing; (3) the patient cost share can be waived at the providers’ discretion; and (4) CMS stated it will not audit to verify that there is an established patient relationship.

CMS announced in its March 30, 2020 announcement that it is now also allowing Medicare beneficiaries to receive care via telehealth by: (1) adding more than 80 services to the list of services payable under the Medicare Physician Fee Schedule when furnished via telehealth, including emergency department visits, initial nursing facility and discharge visits, critical care services, home visits for new and established patients, and physical and occupational therapy services; (2) allowing clinicians to provide Virtual Check-In services to new patients in the same manner as they previously could provide only to established patients; (3) allowing licensed clinical social workers, clinical psychologists, physical therapists, occupational therapists, and speech language pathologists to provide e-visits; (4) allowing clinicians to provide certain services by audio phone only to their patients; (5) allowing clinicians to provide Remote Patient Monitoring, for acute or chronic conditions, to both new and established patients; (6) removing certain frequency limitations on Medicare telehealth; (7) expanding the use of telehealth to certain home health and hospice services; and (8) expanding the definition of “homebound” so that when a physician determines that a Medicare beneficiary should not leave the home due to suspected or confirmed COVID-19, the patient can qualify for the Medicare Home Health benefit.

Medicare Miscellaneous Issues – Patient consent may be obtained annually and may be obtained by ancillary staff. Direct supervision of services, such as incident-to services, normally requires that the supervising/billing physician be in the office suite and immediately available. However, for the duration of the PHE, direct supervision can be provided by real-time interactive audiovisual technology.

Billing

Medicare – As an initial matter, telephone calls are still not the same as telehealth for Medicare purposes. The full list of covered Medicare telehealth services and the Medicare Telehealth Code List for 2019-2020 are located on CMS’ website at https://www.cms.gov/Medicare/Medicare-General-Information/Telehealth/Telehealth-Codes.

CMS is allowing payment for certain telephone codes because it recognizes that some problems can be handled over the phone without a face-to-face visit but may require more than 5-10 minutes of discussion. The telephone codes for established patients, billed by physicians or other qualified professionals (nurse practitioners or physician assistants), are 99441 (requires 5-10 minutes of medical discussion), 99442 (requires 11-20 minutes of medical discussion) and 99443 (requires 21-30 minutes of medical discussion). Practitioners should report the E/M code that best describes the nature of the care they are providing. Previous guidance was to use POS 02, which causes payment to be made at the lower facility rate. Alternatively, providers can use the POS code that most accurately reflects where the service is performed and append modifier 95, which causes payment to be made at the higher non-facility rate.

Alabama Medicaid – Medicaid normally requires separate credentialing for providers performing telehealth; however, that restriction has been waived for the time period for dates of service from 3/16/2020 – 4/16/2020. Medical providers may bill established patient evaluation and management codes 99211, 99212 and 99213 for telephone consultations. Psychologists and behavioral health professionals should bill 90832, 90834, 90837, 90846, 90847 and H2011. Verbal consent must be obtained and documented in the medical record. These visits will count against the patient’s office visit limit of 14 visits per year.

Blue Cross and Blue Shield of Alabama – is allowing providers to bill for telephone call treatment of existing patients under the established patient office visit codes for dates of service from 3/16/2020 – 4/16/2020. Codes up to 99213 are allowed with place of service code 02 for telehealth. No modifier is required. The physician, not the office staff, should be the one speaking with the patient.

HIPAA – Over the past several weeks, the Office for Civil Rights (“OCR”) has issued several notices regarding HIPAA in light of the current COVID-19 pandemic. The OCR issued a Notification of Enforcement Discretion for Telehealth Remote Communications during the COVID-19 Nationwide Public Health Emergency. OCR stated that it would relax its enforcement actions with regard to compliance with certain aspects of HIPAA (and not enforce penalties) in order to allow providers to better treat their patients via telehealth. A health care provider that wants to use audio or video communication technology to provide telehealth to patients during the public health emergency can use any non-public facing remote audio or video communication product that is available to communicate with patients. Health care providers may use applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules. However, communication applications that are public facing should not be used. OCR further stated that it would not impose penalties against health care providers for the lack of a Business Associate Agreement with video communication vendors. The above applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19. The OCR also issued additional guidance in the form of frequently asked questions (FAQs) which are available at https://www.hhs.gov/sites/default/files/telehealth-faqs-508.pdf.  

State Licensure – Most states have greatly relaxed or streamlined their licensing requirements and application process to make it easier for physicians to provide telehealth services across state lines. However, the application process and requirements for each state differ, so it is extremely important for physicians to check with each state. For example, the state of Tennessee requires the practitioner to complete and submit an application, which can be found at: https://www.tn.gov/content/dam/tn/health/documents/cedep/novel-coronavirus/Boards-Executive-Order-Form.pdf. The determination is made on a case-by-case basis. It appears most applications are being approved by the Tennessee Department of Health: as of the end of March 2020 the Department had received 61 applications and approved 59 applications, denied one, and one was under review. The State of Florida, for purposes of preparing for, responding to, and mitigating any effect of COVID-19, permits health care professionals not licensed in Florida to provide health care services to a patient located in Florida using telehealth, for a period not to exceed 30 days unless extended by order of the State Surgeon General. The exemption applies only to out-of-state health care professionals holding a valid, clear, and unrestricted license in another state or territory in the United States who are not currently under investigation or prosecution in any disciplinary proceeding in any of the states in which they hold a license.

While the telehealth waivers and notifications have slowed down in recent days, it is still very important for physicians to keep updated on the various requirements from state licensing authorities and payors.

Jim Hoover practices with Burr & Forman LLP and works exclusively within the firm’s Health Care Industry Group and primarily handles healthcare litigation and compliance matters.

Posted in: Legal Watch, Medicaid, Medicare, Technology

Telehealth in Alabama during COVID-19 Public Health Emergency (PHE)

prepared by Kim Huey, MJ, CHC, CPC, CCS-P, PCS, CPCO, COC

March 19, 2020

The most important thing to remember is that payers have differing definitions of what they consider telehealth.  I recommend checking with the applicable insurer for the most up-to-date information affecting requirements for coding and billing of telehealth services.  A few things to ask about: 

  • What are the effective dates?  Most insurers are limiting this exemption to a specific period of time. 
  • What services are covered? 
  • How are those to be billed? 
  • Do we use telehealth codes or office visit codes? 
  • What place of service? 
  • What modifiers are necessary?
  • For fee-for-service, traditional Medicare

The information below pertains to the major payers in Alabama as of 3/18/2020 –

Blue Cross Blue Shield of Alabama is allowing providers to bill for phone call treatment of existing patients under the established patient office visit codes from 3/16/2020 – 4/16/2020.  They are allowing codes up to 99213 with place of service code 02 (zero two) for telehealth. No modifier is required.  Many providers are concerned about reaching that level of service when no examination can be performed.  Remember that established patient office visits require only two of the three key components – history, examination, medical decision-making.  If the physician documents an expanded problem-focused history and low complexity medical decision-making, 99213 will be supported.  This must be the physician speaking with the patient, not the office staff.

Alabama Medicaid normally requires separate credentialing for providers performing telehealth; however, that restriction has been waived 3/16/2020 – 4/16/2020 (dates of service).   Medical providers may bill established-patient evaluation and management codes 99211, 99212 and 99213 for telephone consultations.   Psychologists and behavioral health professionals should bill 90832, 90834, 90837, 90846, 90847 and H2011. A dental provider should bill D0140.  Place of service code 02 (zero two) for telehealth and modifier CR are required.  Verbal consent must be obtained and documented in the medical record.  These visits will count against the patient’s office visit limit of 14 visits per year.

United Health Care is waiving originating site restrictions for their commercial, Medicare Advantage, and Medicaid plans.  The patient may be at home or at another location.  All the other requirements for telehealth must be met – real-time audio and video communication system required. These include the place of service 02 and the GQ (asynchronous telecommunications system) or GT (interactive audio and video telecommunication system) modifier.  This waiver is only in effect until April 30, 2020.

Medicare

Fee-For-Service Medicare DOES NOT allow telephone calls to be billed as telehealth.  The PHE waiver provides three specific exceptions to the existing telehealth regulations:

  1. The patient can be in their home or other location; they do not have to be in a healthcare facility in an HPSA.
  2. The audio-video link can be something as simple as Skype, FaceTime or Facebook Messenger video calls, but it has to be a real-time audio AND video one-to-one connection, not something public-facing.
  3. Cost share can be waived; it is not waived automatically, but it can be waived at the providers’ discretion.

CMS also stated that they will not audit to verify that there is an established patient relationship.  Services are limited to the list of telehealth services at:  https://www.cms.gov/Medicare/Medicare-General-Information/Telehealth/Telehealth-Codes

This does include office visits, consultations, Transitional Care Management, and Annual Wellness Visits.  Place of service is 02 (zero two) for telehealth.  No modifier is necessary unless you are billing from a CAH Method II hospital (GT) or you are treating the patient for an acute stroke (G0).  There is also a modifier for a telemedicine demonstration project in Alaska or Hawaii (GQ).

NOTE: Although CMS stated that no modifier is necessary, Palmetto GBA is requesting modifier CR be appended for tracking purposes.

For services that have a site of service differential, payment will be made at the facility rate.

CMS has not specified an end date for these exceptions, just that they will be allowed as long as the Public Health Emergency declaration is in effect.

If there is not a real-time audio-video connection, then you are limited to one of the following:

Virtual Check-In

  • G2012 – Brief communication technology-based service, e.g. virtual check-in, by a physician or other qualified health care professional who can report evaluation and management services, provided to an established patient, not originating from a related E/M service provided within the previous 7 days nor leading to an E/M service or procedure within the next 24 hours or soonest available appointment; 5-10 minutes of medical discussion
  • G2010 – Remote evaluation of recorded video and/or images submitted by an established patient (e.g., store and forward), including interpretation with follow-up with the patient within 24 business hours, not originating from a related E/M service provided within the previous 7 days nor leading to an E/M service or procedure within the next 24 hours or soonest available appointment

Please note the following restrictions:

  • Established patients only (same definition as for other E&M services)
  • Verbal consent required and must be documented in the patient’s medical record
  • No service-specific documentation requirements but medical necessity must be documented.
  • May only be billed by those providers who can perform and bill E&M services

To clarify – G2012 has been in effect since 1/1/2019 – it is supposed to be for an established patient, but CMS has said they will not audit for that requirement during this time.  It does not require the video link, so it is really the only option for phone calls.  It cannot be related to an office visit within the past 7 days, as that would be considered part of the work of the already-billed office visit.  And if the doctor tells the patient to come in at the first available appointment, it can’t be billed as it would be considered the pre-work for the upcoming office visit.  As it specifies 5-10 minutes of medical discussion, time should be documented.

For email or portal communication, we also have these codes, new for 2020:

  • #99421 – Online digital evaluation and management service, for an established patient, for up to 7 days, cumulative time during the 7 days; 5-10 minutes
  • #99422 – …11-20 minutes
  • #99423 – … 21 or more minutes

Please note the following restrictions:

  • Patient-initiated digital communications requiring a clinical decision that would otherwise be made during an office visit
  • Physician/Qualified Healthcare Professional (QHP) time only
  • Not billable if patient seen in person or through telehealth within 7 day period

For All Payers –

There have been questions on how to perform a visit by phone or audio-video without being able to examine the patient.  First of all, established patient visits require two of the three key components:  history, examination, and medical decision-making.  A visit can be billed based on history and medical decision-making.  However, some examination can be done without laying hands on the patient.  Observation can be done through video, and sometimes just through audio.  A physician can observe skin tone, abnormal movements, respiratory effort and many other exam elements without being able to necessarily touch the patient.  A complete Psychiatric exam can be accomplished through talking with the patient.

For example, the patient calls in with complaint of dysuria. The physician documents the complaint (Duration, Timing) and further asks questions about fever, nausea and vomiting (Constitutional and Gastrointestinal Review of Systems).  He also reviews the patient’s Past Medical History and Allergies.   Based on her previous history, he suspects that the patient has a urinary tract infection and orders an antibiotic.

A patient with asthma calls in with an exacerbation – the physician can actually hear the patient wheezing over the telephone – that would be documented as a problem-focused examination.

The key point is that the physician himself must have the conversation with the patient on the phone or through the audio-video link. This may be something that a nurse handled previously, but now it must be performed by the physician to be billable.

Posted in: Blue Cross Blue Shield of Alabama, CMS, Medicaid, Medicare, Members, Technology

You Can Help Improve Transparency in the Certified Health IT Market

Visit Open Forums in May to Inform a New Comparison Tool

Stop by to provide input at an upcoming open forum on the new EHR Reporting Program, which will provide publicly-available, no-cost, comparative information on certified health IT available on the market.

We are also providing a link for regional stakeholders to participate in the open forums virtually.  Please note that the open forums are scheduled for two hours, but feel free to drop-in when you’re available.

In the 21st Century Cures Act of 2016, Congress directed the US Department of Health and Human Services (HHS) to establish a new EHR Reporting Program, which the Office of the National Coordinator for Health IT (ONC) is currently developing. The goal of this program is to provide publicly-available, comparative information about certified health IT features related to security, usability, interoperability, conformance to certification testing, and other areas in order to improve the transparency of the market.

ONC has contracted with the Urban Institute and its subcontractor, HealthTech Solutions, to obtain stakeholder input on how to develop the EHR Reporting Program through public open forums across the country. Input from people like you will help determine:

  • What information should developers of certified health IT report? What information from users could be made available?
  • How that information is collected
  • How this information will be disseminated to the public (for example, would you prefer a product comparison website, data in a spreadsheet, or something else?)

Upcoming Open Forums

Public Health/AL Medicaid/AL Health Information Exchange
Monday, May 20, 2019
9 AM – 11 AM CDT
Montgomery County Health Department
3060 Mobile Highway
Montgomery, AL 36108
https://healthtechsolutions.zoom.us/j/155156076

AL Primary Healthcare Assn (FQHC)/ Rural Health
Monday, May 20, 2019
1 PM – 3 PM CDT
Montgomery County Health Department
3060 Mobile Highway
Montgomery, AL 36108
https://healthtechsolutions.zoom.us/j/432907928

AL Academy of Pediatrics/Primary Care
Monday, May 20, 2019
5 PM – 7 PM CDT
Renaissance Montgomery Hotel & Spa
201 Tallapoosa St
Montgomery, AL 36104
https://healthtechsolutions.zoom.us/j/505593044

Health Systems/Hospitals
Tuesday, May 21, 2019
9 AM – 11 AM CDT
Montgomery County Health Department
3060 Mobile Highway
Montgomery, AL 36108
https://healthtechsolutions.zoom.us/j/824124145

General Public Open Forum
Tuesday, May 21, 2019
1 PM – 3 PM CDT
Montgomery County Health Department
3060 Mobile Highway
Montgomery, AL 36108
https://healthtechsolutions.zoom.us/j/806771227

General Public Open Forum
Tuesday, May 21, 2019
5 PM – 7 PM CDT
Renaissance Montgomery Hotel & Spa
201 Tallapoosa St
Montgomery, AL 36104
https://healthtechsolutions.zoom.us/j/675043250

Can’t make any of these events? Watch for more events where stakeholders can make suggestions at: https://healthtechsolutions.com/EHR-reporting-program.

If you have any questions regarding the Open Forum, please contact Pam Zemaitis of HealthTech Solutions at Pam.Zemaitis@HealthTechSolutions.com.

Posted in: Technology

The Painful Reality of Ransomware and How to Protect Against It

Imagine if in a split second you were unable to access all of your patients’ health care records. A cruel ransomware attack had locked you out of your computer system, and in order to regain your precious data you needed to pay a cybercriminal’s demand in bitcoin.

Unfortunately, by the time you finish reading this article several businesses in the U.S. will experience this dreadful reality. Most commonly the disaster occurs when an infected email attachment is opened and the malware spreads through a network.

Health care providers have a significantly higher risk of being targeted by ransomware. The reason for this is simple: you possess a large amount of data that is valuable to cybercriminals. In addition, hackers know you need to access medical records, digital x-rays, and test results to provide medical services to your patients. This, they hope, will motivate you to meet their demands to get your protected health information back.

A sudden disruption to a business proves to be a strong impetus. Nearly three-quarters of businesses infected by ransomware pay up to recover their data. Studies show, however, that less than half of them receive the necessary decryption key to unlock their data. The good news is there’s a simple, secure solution to avoid going through this painful scenario.

Ironclad Data Protection

Many practices don’t have the expertise, time or resources to deal with a ransomware attack. Many feel confident that their IT service provider has addressed security and backup needs in the event of a disaster. As a leading provider of HIPAA compliance software, we know several cases where a practice’s IT provider has not properly backed up their system. This can put you in the unenviable position of having to deal with unsavory cybercriminals. Here’s how our OfficeSafe software protects your data with the most secure online backup storage service available, and alleviates worries about a ransomware attack.

We provide a HIPAA compliant data backup solution with 256-bit encryption and SQL database restoration. This makes backing up and restoring your practice’s crucial data easy. In the event of a ransomware attack, you’ll have ten days of data backup, enabling your practice to easily find a clean data backup set. This is critically important. If your practice doesn’t have the capability to reinstate your data to multiple restore points in the past, you don’t have a sufficient disaster recovery solution.

OfficeSafe’s centralized management portal is designed for healthcare service providers and goes beyond file-and-folder backups, delivering a secure hybrid local and cloud solution. With our point-to-point encryption, you can use your existing email address to send messages via Gmail and other popular email client services. OfficeSafe also includes an emergency planning tool that helps members of your team expedite their response to unexpected situations.

The HIPAA Security Rule mandates that ransomware on your computer system or on that of a business associate must be reported to the government, as well as to the affected patients. If more than 500 records have been breached, you need to alert the media. The only caveat to this rule is if you can prove there’s a low probability that your protected health information has been compromised. Don’t let an unexpected incident cripple your business and tarnish your practice’s reputation.

Call us today at (800) 588-0254 or find out how we can work alongside your IT team to provide your business with full data protection in the event of a disaster.

Posted in: Technology

HHS Proposes New Rules to Improve Interoperability of EHI

Could new innovations in technology promote patient access and make no-cost health data exchange a reality for millions?

The U.S. Department of Health and Human Services (HHS) has proposed new rules to support seamless and secure access, exchange and use of electronic health information. The rules, issued by the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC), would increase choice and competition while fostering innovation that promotes patient access to and control over their health information. The proposed ONC rule would require patient electronic access to this electronic health information (EHI) be made available at no cost.

“These proposed rules strive to bring the nation’s health care system one step closer to a point where patients and clinicians have the access they need to all of a patient’s health information, helping them in making better choices about care and treatment,” said HHS Secretary Alex Azar. “By outlining specific requirements about electronic health information, we will be able to help patients, their caregivers, and providers securely access and share health information. These steps forward for health IT are essential to building a health care system that pays for value rather than procedures, especially through empowering patients as consumers.”

CMS’ proposed changes to the health care delivery system support the MyHealthEData initiative and would increase the seamless flow of health information, reduce burden on patients and providers, and foster innovation by unleashing data for researchers and innovators. In 2018, CMS finalized regulations that use potential payment reductions for hospitals and clinicians to encourage providers to improve patient access to their electronic health information. For the first time, CMS is now proposing requirements that Medicaid, the Children’s Health Insurance Program, Medicare Advantage plans and Qualified Health Plans in the Federally-facilitated Exchanges must provide enrollees with immediate electronic access to medical claims and other health information electronically by 2020.

In support of patient-centered health care, CMS would also require these health care providers and plans to implement open data sharing technologies to support transitions of care as patients move between these plan types. By ensuring patients have easy access to their information, and that information follows them on their health care journey, we can reduce burden, and eliminate redundant procedures and testing thus giving clinicians the time to focus on improving care coordination and, ultimately, health outcomes.

“Today’s announcement builds on CMS’ efforts to create a more interoperable healthcare system, which improves patient access, seamless data exchange, and enhanced care coordination,” said CMS Administrator Seema Verma. “By requiring health insurers to share their information in an accessible format by 2020, 125 million patients will have access to their health claims information electronically. This unprecedented step toward a health care future where patients are able to obtain and share their health data, securely and privately, with just a few clicks, is just the beginning of a digital data revolution that truly empowers American patients.”

The CMS rule also proposes to publicly report providers or hospitals that participate in “information blocking,” practices that unreasonably limit the availability, disclosure, and use of electronic health information and undermine efforts to improve interoperability. Making this information publicly available may incentivize providers and clinicians to refrain from such practices.

ONC’s proposed rule promotes secure and more immediate access to health information for patients and their health care providers and new tools allowing for more choice in care and treatment. Specifically, the proposed rule calls on the health care industry to adopt standardized application programming interfaces (APIs), which will help allow individuals to securely and easily access structured and unstructured EHI formats using smartphones and other mobile devices. It also implements the information blocking provisions of the 21st Century Cures Act, including identifying reasonable and necessary activities that do not constitute information blocking. The proposed rule helps ensure patients can electronically access their electronic health information at no cost. The proposed rule also asks for comments on pricing information that could be included as part of their EHI and would help the public see the prices they are paying for their health care.

“By supporting secure access of electronic health information and strongly discouraging information blocking, the proposed rule supports the bi-partisan 21st Century Cures Act. The rule would support patients accessing and sharing their electronic health information while giving them the tools to shop for and coordinate their own health care,” said Don Rucker, M.D., National Coordinator for Health IT. “We encourage everyone – patients, patient advocates, health care providers, health IT developers, health information networks, application innovators, and anyone else interested in the interoperability and transparency of health information – to share their comments on the proposed rule.”

Policies in the proposed CMS and ONC rules align to advance interoperability in several important ways. CMS proposes that entities must conform to the same advanced API standards as those proposed for certified health IT in the ONC proposed rule, as well as including an aligned set of content and vocabulary standards for clinical data classes through the United States Core Data for Interoperability standard (USCDI). Together, these proposed rules address both technical and health care industry factors that create barriers to the interoperability of health information and limit a patient’s ability to access essential health information. Aligning these requirements for payers, health care providers, and health IT developers will help to drive an interoperable health IT infrastructure across systems, ensuring providers and patients have access to health data when and where it is needed.

For a fact sheet on the CMS proposed rule (CMS-9115-P), please visit: https://www.cms.gov/newsroom/fact-sheets/cms-advances-interoperability-patient-access-health-data-through-new-proposals

For fact sheets on the ONC proposed rule, please visit: https://healthit.gov/nprm

To receive more information about CMS’s interoperability efforts, sign-up for listserv notifications, here: https://public.govdelivery.com/accounts/USCMS/subscriber/new?topic_id=USCMS_12443

To view the CMS proposed rule (CMS-9115-P), please visit: https://www.cms.gov/Center/Special-Topic/Interoperability-Center.html

Posted in: Technology


Are Your Electronic Devices Physically Secure?

In the age of electronic medical records and ransomware attacks, the recent focus of HIPAA compliance seems to be on electronic security. How are your electronic medical records stored? Do you require two-factor authentication for remote access to your electronic systems? What firewalls and malware detection systems do you have in place to prevent a cyber-attack?

However, in its May 2018 Cyber Security Newsletter, the HHS Office for Civil Rights (OCR) reminded providers that, alongside electronic security, appropriate physical security controls are also an important component of compliance. The HIPAA Security Rule's workstation security standard requires physical safeguards for all workstations (including laptops, desktops, tablets, smartphones and portable electronic devices) that access electronic PHI, so that access is restricted to authorized users.

According to OCR, the following methods may help achieve compliance with this requirement: privacy screens, cable locks, port and device locks (preventing use of USB ports or removable media), positioning screens so that they cannot be viewed by unauthorized persons, locking rooms that store electronic equipment, security cameras and security guards. Which methods are appropriate for a given provider will vary based on that provider's risk analysis and risk management process.

In reviewing the physical security of electronic devices, OCR recommends that providers ask the following questions:

  • Is there a current inventory of all electronic devices (e.g., computers, portable devices, electronic media), including where each device is located?
  • Are any devices located in public areas or other areas that are more vulnerable to theft, unauthorized use, or unauthorized viewing?
  • Should devices currently in public or vulnerable areas be relocated?
  • What physical security controls are currently in use (e.g., cable locks, privacy screens, secured rooms, cameras, guards, alarm systems), and are they easy to use?
  • Could additional physical security controls be reasonably put into place?
  • Are policies in place, and are employees properly trained, regarding physical security (e.g., use of cable locks and privacy screens)?
  • Are signs posted reminding personnel and visitors about physical security policies or monitoring?

A copy of the May 2018 OCR Cyber Security Newsletter is available at https://www.hhs.gov/sites/default/files/cybersecurity-newsletter-may-2018-workstation-security.pdf.

Kelli Fleming is a Partner with Burr & Forman LLP practicing in the firm’s Health Care Industry Group. Burr & Forman LLP is a partner with the Medical Association.

Posted in: Technology


Keep the Medical Association in Your Facebook News Feed

Facebook changed its news feed algorithm to prioritize content from friends, family and groups, so you are now less likely to see public content from businesses, brands and news media than you were before the first of the year. Facebook justified the change as being for "people's well-being" and suggested that businesses will have to work harder to get their members' attention.

So, what can you do to keep the Medical Association in your Facebook news feed?

Desktop Computers

Go to the Medical Association Facebook page and make sure you have “liked” the page. Hover over “Following” and select “See first” from the drop-down menu.


Also switch “Events, Suggested Live Videos” to “On,” and you’re all set!

Phone and Tablet Users

On your smartphone or tablet, go to the Medical Association Facebook page and click “Like.”

Then tap "Follow" or "Following" and switch "Get Notifications" to the on position. Don't forget to Like and Share our posts with your friends and family!

Posted in: Technology


What Eight Things You Should Do to Protect Your Business from Cyber Threats

Cyber threats take many forms. The widespread WannaCry ransomware attack in May 2017 showed how an organization's files could be encrypted and held hostage for payment, while the October 2016 distributed denial-of-service attack on the DNS provider Dyn showed how websites such as Airbnb and Twitter could be made unreachable. Cyber threats are on the rise within the health care industry because the information obtained is lucrative. Thus, it is important that every physician practice take steps to protect itself from a cyberattack.

Identify the types of cyberattacks to which your practice is most likely vulnerable.

By doing so, you can invest in the measures most relevant to your practice. For instance, practices that host websites must plan for denial-of-service attacks, while those that hold patient information electronically must prevent unauthorized access to that data. Of course, many practices will be vulnerable to a variety of cyberattacks.

Develop a framework to prevent, investigate and respond to the cyberattacks to which your practice is most vulnerable.

In 2014, the U.S. Department of Commerce's National Institute of Standards and Technology (NIST) issued, and continues to update, a voluntary Framework for Improving Critical Infrastructure Cybersecurity (the "Framework"). In addition to their own independent initiatives, practices should periodically consult the Framework to keep abreast of cybersecurity best practices and to assess their security posture relative to others. The website of the HHS Office for Civil Rights (OCR), the agency responsible for HIPAA enforcement, also contains guidance on various cybersecurity topics that may prove helpful.

Invest in the latest computer security and protection measures.

To the extent feasible, practices should use current, supported software and apply vendor security updates promptly. Cyberattack methods constantly evolve, and unpatched or unsupported software is exposed to newer and more complex threats. For example, WannaCry spread through a Windows SMBv1 flaw for which Microsoft had released a patch (MS17-010) two months before the attack; its victims were mainly organizations that had not applied that update or were running versions of Windows too old to receive it. Practices should also back up data regularly and keep those backups offline or otherwise isolated from the network so that ransomware cannot reach them, segment their networks, and monitor network activity.

Implement employee vigilance and training measures.

Perpetrators of cyberattacks often use phishing: emails carrying malicious attachments or links are sent to individuals who open them and thereby infect their employer's network. Practices should train employees to recognize suspicious emails in order to guard against phishing. Such training can be incorporated into your practice's periodic HIPAA training.

Because malicious emails often appear to come from familiar senders, practices should teach employees to spot the subtle clues that mark a dangerous email. For instance, employees should check whether the sender's domain name is a "near-miss" of the expected one: noticing that a message came from a ".co" domain when the real sender uses ".com" could be the difference in avoiding hefty losses.

Test your cybersecurity measures and monitor the effectiveness.

To test whether employees take the precautions they have been taught, practices should periodically send their own employees a simulated phishing email from a "near-miss" domain and tally how many open it or click its link, and how many report it. Of course, even after strengthening security systems and increasing employee awareness, practices may nonetheless succumb to a cyberattack, but at least the odds of doing so are reduced.
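The near-miss check and the simulation tally described in the two sections above, as an added example that is not part of the original article: a small Python script that classifies a sender address as trusted, near-miss (a swapped top-level domain, a domain one or two characters off from a real one, or a real domain prefixed to an attacker's) or unknown, and then tallies a set of simulated-phishing results to give the click and report rates a practice would track. The domains examplepractice.com and examplehospital.org and the SAMPLE_EVENTS records are assumptions made up for the illustration.

```python
"""Near-miss sender-domain check with a simulated-phishing tally.

Added example (not part of the original article). TRUSTED_DOMAINS and
SAMPLE_EVENTS are constructed for illustration; a real practice would load
its own mail domains and its simulation campaign's exported results.
"""
from dataclasses import dataclass
from email.utils import parseaddr

# Constructed: the practice's legitimate mail domains (assumption).
TRUSTED_DOMAINS = {"examplepractice.com", "examplehospital.org"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Extract the lower-cased domain from a From: value, display name and all."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].strip().lower()


def classify_sender(header_value: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'near-miss' or 'unknown' for a From: header value.

    'near-miss' covers the tricks the article warns about: a swapped TLD
    (.co for .com), a domain one or two keystrokes away from a real one
    (examp1e for example), and a real domain placed in front of an
    attacker's (examplepractice.com.secure-login.net).
    """
    domain = sender_domain(header_value)
    if not domain:
        return "unknown"
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"                          # the domain or a real subdomain of it
    name, _, tld = domain.rpartition(".")
    for t in trusted:
        t_name, _, t_tld = t.rpartition(".")
        if name == t_name and tld != t_tld:       # examplepractice.co
            return "near-miss"
        if levenshtein(domain, t) <= 2:           # examp1epractice.com
            return "near-miss"
        if domain.startswith(t + "."):            # examplepractice.com.secure-login.net
            return "near-miss"
    return "unknown"


@dataclass(frozen=True)
class SimEvent:
    """One employee's response to one message during a simulated campaign."""
    employee: str
    sender: str
    action: str  # "clicked", "reported" or "ignored"


# Constructed results of a simulated campaign (assumption, not real data).
SAMPLE_EVENTS = [
    SimEvent("a.smith", "Billing <billing@examplepractice.co>", "clicked"),
    SimEvent("b.jones", "Billing <billing@examplepractice.co>", "reported"),
    SimEvent("c.lee", "IT Help <it-help@examp1epractice.com>", "clicked"),
    SimEvent("d.kim", "notice@examplepractice.com.secure-login.net", "ignored"),
    SimEvent("e.ruiz", "frontdesk@examplepractice.com", "clicked"),  # genuine internal mail
]


def tally(events) -> dict:
    """Count, over the near-miss messages only, who clicked and who reported."""
    targeted, clicked, reported = set(), set(), set()
    for ev in events:
        if classify_sender(ev.sender) != "near-miss":
            continue                              # genuine mail is not part of the test
        targeted.add(ev.employee)
        if ev.action == "clicked":
            clicked.add(ev.employee)
        elif ev.action == "reported":
            reported.add(ev.employee)
    rate = len(clicked) / len(targeted) if targeted else 0.0
    return {"targeted": len(targeted), "clicked": len(clicked),
            "reported": len(reported), "click_rate": round(rate, 2)}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.employee:8} {classify_sender(ev.sender):9} {ev.action}")
    print(tally(SAMPLE_EVENTS))
```

Running the script prints each record's classification followed by the tally (four employees targeted, two clicked, one reported). In a real campaign the events would come from the phishing-simulation tool's export, and the same classify_sender check can be run against the From: header of inbound mail at the gateway to flag near-miss senders before they reach an inbox.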

Obtain effective cyberattack insurance coverage.

Practices should compare potential damages in the event of a cyberattack to the coverage provided in their existing insurance policies and seek out supplementary insurance for any uncovered damages or liabilities that may arise in the event of a cyberattack. For instance, since courts are divided as to whether computer systems constitute “tangible property” for purposes of an insurance claim, practices should consider consulting their insurance companies, brokers, or legal counsel to obtain insurance that covers the types of damages that arise in cyberattacks, including, but not limited to, expenses associated with providing patients with written notice when a reportable HIPAA breach occurs.

Adopt an effective legal strategy for your practice that preempts and limits liability.

As practices retain confidential personal and medical information, any data breach or unauthorized disclosure could subject the practice to liability under a host of federal and state law claims, in addition to HIPAA fines and penalties. Thus, the establishment of an effective legal strategy that preempts and limits liability is essential.

Employ traditional security measures for your practice at locations that could be vulnerable to physical disruption of your cyber capabilities.

Practices should account for some of the more traditional ways in which perpetrators can disrupt their computer networks. To prevent someone from unplugging the power source to a computer network or server, you could consider installing CCTV cameras and limiting access to such areas. In addition, have security incident procedures in place and be prepared to continue operations if an interruption occurs. For example, if an interruption with respect to your EMR system occurs, be prepared to continue business utilizing paper medical records until the interruption can be resolved and your EMR is back online.

Article contributed by David D. Dowd III, Elizabeth B. Shirley and Kelli C. Fleming with Burr & Forman LLP, practicing in the firm's Health Care Industry Group. Burr & Forman LLP is an official Bronze Partner with the Medical Association.

Posted in: Technology
