Posts Tagged compliance

Record Year for HIPAA Enforcement

In the current environment of regulation reduction, it is notable that the Department of Health and Human Services (HHS) received a record $28.6 million in publicized settlements and judgments for HIPAA violations in 2018. These numbers surpass previous years, the closest year on record being 2016, in which HHS collected $23.5 million. These numbers reflect that HIPAA enforcement actions are on the rise.

There are several factors that are leading to this increase in fines:

  1. A lack of understanding about what encompasses an adequate HIPAA Risk Assessment;
  2. Failure to obtain Business Associate Agreements when applicable;
  3. Failure to comply with physical, technical and administrative safeguards to secure protected health information (PHI); and
  4. Failure to implement encryption solutions or alternative adequate measures.

It is important to note that this record-setting total does not encompass all of the enforcement action taken by HHS against covered entities in 2018.  These numbers simply represent larger, more notable settlements and judgments.  In fact, HHS took corrective action against countless health care providers, health plans and business associates last year and it does not appear that these numbers will decrease in 2019.  As of February 22, 2019, HHS has officially begun investigating over 50 entities for large scale breaches.  For more information on these investigations of breaches of 500 individuals or more, visit the Wall of Shame on the HHS website. Pursuant to the HITECH Act of 2009, the Secretary of HHS is required to post information about entities who breach the PHI of 500 people or more to demonstrate transparency to health care consumers.

Health care providers can take action to reduce their risk by doing the following:

  1. Performing annual Risk Assessments;
  2. Identifying Business Associates and entering into adequate Business Associate Agreements;
  3. Creating and updating HIPAA policies and procedures;
  4. Ensuring that employees and staff members receive up-to-date training; and
  5. Proactively monitoring electronic systems containing PHI.

This uptick in penalties illustrates that HHS is serious about its mandate to protect the privacy and security of PHI. Its record demonstrates that it can be successful at attaining multi-million dollar settlements with health care entities and health plans that don’t comply with HIPAA regulations. This is a good time for health care providers and HIPAA Business Associates to review their compliance programs to ensure that they are meeting the requirements. In HIPAA compliance, the lack of a specific strategy to secure PHI is an actionable failure that could result in a large fine and a loss of goodwill with the entity’s customers, its patients. If you are unsure about whether your HIPAA compliance program is adequate, or if you know that it is time to update your policies, procedures and training, consult a health care compliance expert.

Article contributed by Samarria Dunson, J.D., CHC, CHPC, attorney/principal of The Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Ala.  Attorney Dunson is also Of Counsel with the law firm of Balch & Bingham, LLP.  The Dunson Group, LLC, is an official partner with the Medical Association.

Posted in: HIPAA


Is Your Corporate Compliance Plan Up-to-Date?

As 2019 kicks off, it is wise to review various aspects of your practice to ensure everything is up to date and continues to operate in compliance with applicable laws. One area of focus for such review is your corporate compliance plan.

Compliance plans are written policies and procedures, adopted by a health care provider, to assist in its day-to-day compliance with applicable laws and business policies. Health care providers who participate in a federal health care program are required to implement a corporate compliance plan.

A compliance plan that is drafted without further review, revision, or implementation carries the same effect as having no compliance plan at all. Thus, to be effective and beneficial, all compliance plans should be periodically reviewed and revised to address changes in the law, operational changes, and past experiences.

As you revise your corporate compliance plan consider the following:

  • The Office of Inspector General (“OIG”) has published guidance on effective compliance plans for many types of healthcare providers, including physician practices. While the OIG allows flexibility in developing a compliance plan, this guidance provides a good insight into the various areas and topics that might be included in an effective compliance plan. The OIG compliance plan guidance can be accessed at https://oig.hhs.gov/compliance/compliance-guidance/index.asp.
  • A main component of a corporate compliance plan is the written policies and procedures that set forth the day-to-day compliance expectations of the provider. Among other things, the policies should include a review of the applicable laws and regulations (e.g., Stark, Anti-Kickback, False Claims Act, Civil Monetary Penalties, etc.), what is expected in terms of complying with such laws, the consequences of noncompliance, and ways to report non-compliance.
  • Compliance plans should address the risks associated with a particular practice. Risk areas common to physician practices include coding and billing, medically necessary services, proper documentation, record retention, fraud and abuse concerns, and conflicts of interest.
  • Compliance plans should address monitoring and auditing processes that detect compliance violations and ways to respond to such violations. Among other things, there should be a mechanism for reporting compliance plan violations, investigating such reports, correcting compliance plan violations, and imposing disciplinary action.
  • An effective compliance plan should include a training component, pursuant to which employees and contractors are periodically educated and trained on the various elements of the plan. Training should occur both when an employee or contractor is hired and periodically thereafter (e.g., every year or every six months). Many providers have found monthly “reminders”, whether at a staff meeting or via e-mail distribution, to be effective.
  • The corporate compliance plan should be made available to all employees and contractors to which it applies. If your compliance plan is lengthy, you may want to consider also having a summary available that hits the main points of the plan.
  • Any revisions you make to the compliance plan as a result of your review should be formally adopted by the practice’s Board of Directors or similar Governing Body. Employees and contractors should be promptly updated on any revisions.

Kelli Fleming practices with Burr & Forman LLP and works exclusively within the firm’s Health Care Industry Group. Burr & Forman LLP is a partner with the Medical Association.

Posted in: Legal Watch


ProAssurance and Sure Med Compliance Join to Fight Opioid Crisis

BIRMINGHAM ─ ProAssurance Corporation has announced an exclusive affiliation with Sure Med Compliance® (SMC) to promote the use of SMC’s Care Continuity Program® (CCP) in an effort to help combat the opioid epidemic in the United States.

ProAssurance-insured physicians will be eligible for discounted access to Sure Med’s Care Continuity Program

The CCP helps physicians and other health care providers develop and maintain responsible prescribing practices for opioids and other scheduled medications by equipping them with tools to verify which patients are suitable for opioid therapy, identify patients with significant risk factors, and closely monitor the effects of treatment over time.

“As an industry leader, we are acutely aware of the devastating effects of the opioid epidemic in this country. We are concerned about the epidemic’s professional liability implications for physicians and other healthcare providers, as well as its broader effects on the healthcare system in general. We are proud to affiliate with Sure Med Compliance to offer our insureds exclusive discounted access to this cutting-edge approach to patient safety and effective treatment,” said Howard H. Friedman, president of ProAssurance’s Healthcare Professional Liability Group.

John Bowman, Sure Med Compliance’s Chief Executive Officer, emphasized the importance of the newly formed affiliation.

“Our Care Continuity Program provides a proven path toward optimal outcomes for patients whose treatment requires the use of opioids and other potentially addictive drugs,” Bowman said. “In turn, CCP helps physicians avoid potential liability issues, which has always been a focus of ProAssurance and why we are so excited about this affiliation. We are confident their national footprint will help Sure Med Compliance reach more physicians and assist more patients than ever before.”

Through this affiliation, ProAssurance insureds who meet certain eligibility requirements will have access to an exclusive 30-day free trial of the CCP. ProAssurance insureds who elect to continue using the Care Continuity Program will receive exclusive discounted rates. ProAssurance insureds may contact Sure Med Compliance to determine eligibility and initiate a 30-day free trial by visiting www.suremedcompliance.com/proassurance or calling (866) 517-2771.

“As a practicing pain management specialist, I have experienced firsthand the challenges physicians face in deciding to prescribe controlled substances. Using the Sure Med Compliance CCP in my practice has helped me ensure proper documentation and address potential issues before they occur,” said Sure Med Compliance’s Medical Director David Herrick, M.D., of Montgomery. Dr. Herrick is a past president of the Medical Association of the State of Alabama and a former member of the Alabama Board of Medical Examiners.

ProAssurance’s Chief Medical Officer Hayes V. Whiteside, M.D., encouraged physicians with ProAssurance to learn more about the CCP.

“Our commitment to provide our insureds with exclusive discounted access to the Sure Med Compliance CCP underscores ProAssurance’s commitment to ensure physicians and other health care providers are equipped with the risk management tools and services necessary to deal with the ever-changing realities of their chosen profession,” Dr. Whiteside said. “All ProAssurance insureds who regularly prescribe opioids, especially those who prescribe for chronic pain, are encouraged to engage Sure Med Compliance to learn more about how their Care Continuity Program can help them develop and maintain safe and responsible prescribing practices, which should lead to better outcomes for their patients.”

Posted in: Opioid


What’s the Biggest Threat to Your Medical Practice? Your Staff!

Many of us are aware of recent attacks impacting health care entities large and small. As ransomware and other cybersecurity-related crimes are being reported daily, there is a tremendous focus on the “dark web” and how to decrease the likelihood your entity will be impacted by hackers. But as we put systems in place to deal with those security issues, we must not forget about the threat of other malicious actors. These individuals are not strangers who only interact with our computer systems remotely. This threat is much closer. We’re referring to your staff members who may inappropriately access and utilize patient data for personal gain.

Employers generally believe they hire the best candidates. In most instances that is correct. After combing over résumés and doing countless interviews, it is determined the selected individual is a person you can trust and respect. As these individuals prove themselves to be competent and dependable, many of us will place a high level of confidence not only in that person’s ability to perform the job, but also in their character.

As time passes we learn a lot about our colleagues. We learn about each other’s families, interests and life goals. We become invested in our co-workers, and we share in moments of success and disappointment. These events endear us to one another and become the fabric of our working relationships. However, just as this bonding is reflective of our human desire to find commonalities, these relationships can also blind us to a very serious threat. This threat is the impact that these very individuals can have on our entities if they intentionally or inadvertently compromise a patient’s protected health information (PHI). We must constantly remind ourselves good people can do bad things depending on that individual’s circumstances at the time they make a compromising decision.

“Insider threat” is a term used to describe the threat to an entity’s systems or data that originates from within the entity. These “insiders” can be current or former employees, contractors, or business associates who have or have had authorized access to an entity’s systems or data and misuse that access.

Red Flag Behavioral Indicators

When entities endure a significant data breach, they are often in disbelief the incident occurred. Then as they begin the investigation phase, they realize there were behaviors exhibited by the bad actor that should have drawn suspicion.

Here are some behaviors entities should be watchful of:[1]

  • Works odd hours without authorization; notable enthusiasm for overtime work, weekend work, or unusual schedules which may result in them being able to carry out their illicit activities privately.
  • Remotely accesses the computer network while on vacation, sick leave, or at other odd times.
  • Interest in matters outside the scope of their duties, particularly where patient data may be stored and how that information may be accessed.
  • Unexplained affluence; buys things they cannot afford on their household income.
  • Without need or authorization, takes proprietary or other material like patient information home, via paper records, thumb drives or by emailing information to their personal email accounts.
  • Overwhelmed by life crisis or career disappointments.
  • Paranoia about being investigated; believes there are listening devices or cameras in their homes or workplaces.
  • Disregarding computer policies on installing personal software or hardware, accessing restricted websites, conducting unauthorized searches, or downloading confidential information.

How to Reduce Your Risk

  • Appropriately manage your employees. Entities should pay particular attention to individuals who are disgruntled or who may be undergoing financial hardship. Also, be watchful of employees who show up to work very early or leave very late with no work product to show for the extra time they’ve worked. Additionally, background checks can be very telling. This is especially true for employees whose records identify financial issues like issuing bad checks.
  • Be mindful of security access privilege designations. Only provide employees with the security access privileges they need to perform their job functions. The less access they have to patient data that does not involve them, the less likely they will be able to create large data breaches.
  • Proactively audit user access. Perform audits of user actions to determine who has been remoting into your entity’s computer network or who has been accessing your systems after normal business hours. Review reports of failed log-in attempts to determine whether employees are trying to log into systems they have not been officially granted access to view.
  • Develop and adhere to effective termination procedures. Once you become aware an employee will need to be terminated, make plans to disable their physical and system access such that the terminated employee does not have the opportunity to negatively impact your entity or systems. During the exit interview, make it clear to the terminated employee your entity will not tolerate inappropriate data access and will seek criminal prosecution if it discovers any employees are engaging in such activity.
  • Effective training programs. Ensure your employees are aware of your entity’s privacy and security policies and procedures. Reiterate these principles in training and inform them of the consequences of not adhering to these requirements. Additionally, train employees to be particularly watchful of co-workers who exhibit the behavioral indicators described above. Ensure they know the warning signs and to whom to report their concerns.
  • All insiders are not necessarily in your building. Be mindful that Business Associates and contractors may also have access to your systems and data. The activities of these users should be monitored as well. Individuals within those entities should be signing confidentiality agreements at a minimum and Business Associate Agreements, when applicable.
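The “proactively audit user access” step above is the one that can be automated. The script below is an added example, not code from the article or from Dunson Group: it runs the three checks the bullet names (after-hours access, remote access while an employee is on leave, and repeated failed log-ins against a system the user was never granted) over a few constructed access-log lines. The log format, user names, entitlement table and leave roster are all assumptions made for the example.

```python
"""Audit constructed access-log lines for the insider-threat indicators listed
in the article: after-hours access, remote (VPN) access while on leave, and
repeated failed log-ins to systems the user is not entitled to."""
from dataclasses import dataclass
from datetime import datetime, time, date

# Constructed sample log (assumed format: ISO timestamp, user, system,
# source, outcome). Not real data.
SAMPLE_LOG = """\
2019-02-04T09:15:00 jdoe ehr onsite success
2019-02-04T23:40:12 jdoe ehr vpn success
2019-02-05T10:02:33 asmith billing onsite success
2019-02-06T14:21:05 asmith ehr onsite failure
2019-02-06T14:21:40 asmith ehr onsite failure
2019-02-06T14:22:10 asmith ehr onsite failure
2019-02-09T11:05:00 bjones ehr vpn success
2019-02-09T02:10:00 cwhite labs onsite success
"""

# Hypothetical entitlements and leave roster the practice would maintain.
ENTITLEMENTS = {"jdoe": {"ehr"}, "asmith": {"billing"},
                "bjones": {"ehr"}, "cwhite": {"labs"}}
ON_LEAVE = {"bjones": (date(2019, 2, 8), date(2019, 2, 12))}
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed normal hours
FAILED_LOGIN_THRESHOLD = 3                   # assumed review threshold


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    system: str
    source: str
    outcome: str


def parse_log(text: str) -> list[Event]:
    """Split whitespace-delimited log lines into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, system, source, outcome = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, system, source, outcome))
    return events


def is_after_hours(ts: datetime) -> bool:
    """Weekend, or a weekday time outside BUSINESS_HOURS."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def is_on_leave(user: str, day: date) -> bool:
    span = ON_LEAVE.get(user)
    return span is not None and span[0] <= day <= span[1]


def audit(events: list[Event]) -> list[tuple[str, str, str]]:
    """Return (indicator, user, detail) findings for a Security Officer to review."""
    findings = []
    failures: dict[tuple[str, str], int] = {}
    for e in events:
        if e.outcome == "success" and is_after_hours(e.ts):
            findings.append(("after_hours_access", e.user,
                             f"{e.system} at {e.ts.isoformat()}"))
        if e.outcome == "success" and e.source == "vpn" and is_on_leave(e.user, e.ts.date()):
            findings.append(("remote_access_on_leave", e.user,
                             f"{e.system} at {e.ts.isoformat()}"))
        # Failed log-ins only matter here when the target system was never granted.
        if e.outcome == "failure" and e.system not in ENTITLEMENTS.get(e.user, set()):
            key = (e.user, e.system)
            failures[key] = failures.get(key, 0) + 1
    for (user, system), n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("failed_logins_unentitled_system", user,
                             f"{n} failures against {system}"))
    return findings


def audit_sample() -> list[tuple[str, str, str]]:
    return audit(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for indicator, user, detail in audit_sample():
        print(f"{indicator:32} {user:8} {detail}")
```

On the sample data the script flags jdoe’s late-night VPN session, bjones’s weekend VPN session during scheduled leave, cwhite’s 2 a.m. access, and asmith’s three failed attempts against a system outside the billing entitlement.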


Your entity’s designated Security Officer can play a key role in monitoring the electronic behavior of staff members, Business Associates and contractors. Ensure this individual is knowledgeable about your entity’s HIPAA security policies and procedures, and they are following up on audits that identify behaviors that may be placing your patient data at risk. If your entity does not have updated HIPAA security policies and procedures, consider hiring a health care compliance professional to ensure regulatory compliance.

Article contributed by Samarria Dunson, J.D., CHC, CHPC, attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Ala.

References

[1] “The Insider Threat”, U.S. Department of Justice, Federal Bureau of Investigation; https://www.fbi.gov/file-repository/insider_threat_brochure.pdf
[2] “Insider Threats: What every government agency should know and do,” Deloitte Dbriefs, March 2016.

Posted in: HIPAA


Do You Know How to Easily Avoid a HIPAA Penalty?

DID YOU KNOW…

Individuals cannot file a lawsuit for alleged HIPAA violations but can file a legal action under many state laws?

In situations, such as data breaches, in which individuals’ personal information is compromised, individuals can pursue lawsuits seeking relief for damages.

*There is no obligation to purchase our services. Only an obligation to take the assessment and document your office’s key vulnerabilities.

“OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations.”

Roger Severino
Director, Office for Civil Rights

Free HIPAA Compliance Webinar

Protect your patient’s Protected health Information

Avoid HIPAA violations and penalties

Save yourself from the headaches of HIPAA compliance

Ruling Reaffirms Individuals Cannot File HIPAA Lawsuits

A federal court recently dismissed a case filed by a patient alleging a laboratory violated HIPAA by failing to shield from public view her personal health information displayed on a computer intake station.

The ruling reaffirmed a longstanding precedent that individuals cannot file a lawsuit, known as a “private cause of action,” for alleged HIPAA violations.

Privacy attorney Iliana Peters of the law firm Polsinelli points out, however, that individuals can file legal action under many state laws.

“It’s extremely important to note that although HIPAA does not have a private right of action, many state laws require entities, both healthcare entities and others, to implement HIPAA-like protections for consumer data, and have stiff penalties,” she says.

For alleged HIPAA violation cases, the Department of Health and Human Services Office for Civil Rights and state attorneys general are the only parties that can bring legal action, Golding notes.

Easily Avoid Penalties for HIPAA Violations

Protect your reputation, practice and patient’s information.

Avoid willful neglect and the associated HIPAA penalties by attending your no-obligation, 30-minute Risk Review after you complete your complimentary HIPAA Risk Assessment.

PCIHIPAA will review your HIPAA risk assessment and suggest HIPAA compliant policies and procedures.

As a member of the Medical Association of the State of Alabama, you will receive (with no further obligation):

  1. Complimentary 2018 HIPAA Risk Assessment
    Now Mandatory: Section 164.308(a)(1)(ii)(A)
  2. A 23-Page Risk Analysis Report
  3. A Free 30-Minute HIPAA Risk Consultation
  4. 1 Year of Free Identity Restoration Protection

If you have any questions, call PCIHIPAA at (800) 588-0254. Let them know you are a member of the Medical Association of the State of Alabama.

Posted in: HIPAA


Medical Association Chooses PCIHIPAA to Help Benefit and Protect Its Members

MONTGOMERY – The Medical Association of the State of Alabama has partnered with PCIHIPAA to help protect its members from the onslaught of ransomware attacks, HIPAA violations and data breaches impacting Alabama physicians. Under HIPAA’s Security and Privacy Rules, health care providers are required to take proactive steps to protect sensitive patient information.

“The Medical Association services more than 7,000 Alabama physicians. It’s critical that our members understand the risks surrounding HIPAA compliance and patient data privacy and security laws. We vetted many HIPAA compliance providers and believe PCIHIPAA’s OfficeSafe Compliance Program is the right solution for Alabama physicians. PCIHIPAA’s compliance program is robust and easy to implement. I’m confident our partnership will provide a necessary, value-added program for our members.” said Association President Jerry Harrison M.D.

The partnership comes on the heels of an important announcement surrounding HIPAA compliance regulation. The Director of U.S. Department of Health and Human Services’ Office for Civil Rights recently stated, “Just because you are a small medical or dental practice doesn’t mean we’re not looking and that you are safe if you are violating the law. You won’t be.” In addition, in 2017 hacking and employee errors led to data breaches at Alabama-based Surgical Dermatology Group, UAB Viral Hepatitis Clinic and The University of Alabama, supporting the importance of HIPAA compliance and patient data protection.

According to the U.S. Department of Health and Human Services, OCR has received over 150,000 HIPAA complaints following the issuance of the Privacy Rule in April 2003. A rising number of claims filed under HIPAA in recent years have led many patients to question whether or not their personal payment and health information is safe. As the government has become more aggressive in HIPAA enforcement, large settlements have become widespread and rising penalties for HIPAA non-compliance are a reality.

According to HHS.gov, the types of HIPAA violations most often identified are:

  1. Impermissible uses and disclosures of protected health information (PHI)
  2. Lack of technology safeguards of PHI
  3. Lack of adequate contingency planning in case of a data breach or ransomware attack
  4. Lack of administrative safeguards of PHI
  5. Lack of a mandatory HIPAA risk assessment
  6. Lack of executed Business Associate Agreements
  7. Lack of employee training and updated policies and procedures

“We are honored to be partnering with The Medical Association of The State of Alabama. They have a 140-year track record of helping Alabama physicians thrive. PCIHIPAA’s mission is to help physicians easily and affordably navigate HIPAA requirements and provide the solutions they need to protect their practices. We find that many practices don’t have the resources to navigate HIPAA law, and are unaware of common vulnerabilities. We encourage all association members to take a complimentary risk assessment to quickly assess their HIPAA compliance and risk levels. To get started go to Start Risk Assessment.” said Jeff Broudy, CEO of PCIHIPAA.

About PCIHIPAA
PCIHIPAA is an industry leader in PCI and HIPAA compliance providing turnkey, convenient solutions for its clients. Delivering primary security products to mitigate the liabilities facing dentists and doctors, PCIHIPAA removes the complexities of financial and legal compliance to PCI and HIPAA regulations to ensure that health and dental practices are educated about what HIPAA laws require and how to remain in full compliance. Learn more at OfficeSafe.com and PCIHIPAA.com.

Posted in: MVP


A HIPAA Contingency Plan: Yes, It’s Boring. Yes, You Must Do It.

When was the last time you reviewed your entity’s Contingency Plan? If it has been a while, or never, you need to get to work. In light of recent natural disasters and ransomware attacks, the necessity of thorough and documented contingency planning, including backup and disaster recovery, has become a focus for health care entities.

Pursuant to the Health Insurance Portability and Accountability Act (HIPAA) health care entities are required to account for the confidentiality, integrity and accessibility of their electronic protected health information (ePHI). They must consider potential incidents that may affect their information systems like fires, vandalism, malware attacks and tornados. Then they must document their strategy for operation during those events.

Contingency planning should begin with a review of the entity’s Risk Analysis. This document identifies what type of ePHI the entity accesses or maintains, where the data resides, and how the entity handles the data. Afterwards, the entity should begin the process of developing specific Administrative Safeguards.

A Data Backup Plan is essential, especially in instances of malware and natural disasters. Entities must put procedures in place to create and maintain exact copy backups of their data that they can readily retrieve. For example, if an entity is heavily damaged by a tornado or fire, they must be able to gain access to the data that they previously utilized within their entity. Without the benefit of timely system backups, the entity would not be able to recover up-to-date data which can be a serious liability when treatment decisions are being made about patients/clients without the benefit of their most current records.

The entity should ensure that there is an appropriate off-site backup of the entity’s ePHI and that the backup is being appropriately performed. These exact copy backups generally occur on a daily, weekly and monthly basis. The entity should maintain copies of these backups and should test the system periodically to ensure that the backup process is working in accordance with the required standards.

The ability to recover lost or stolen data can be critical. The entity should ensure that they have an effective Disaster Recovery Plan that complies with the National Institute of Standards and Technology (NIST) specifications.[1] The Disaster Recovery Plan should identify risks observed in the Risk Analysis and reflect a comprehensive plan to recover ePHI within specific time parameters, generally 24 to 48 hours. Additionally, careful consideration must be given to appropriate off-site locations that the entity could utilize if their primary location is no longer available. All workforce members should be informed of the plan and trained on their specific role.

An Emergency Mode Operations Plan documents the manner in which the entity will work throughout the course of the emergency. This relates to the critical business processes that must take place to protect ePHI during and following the emergency or disaster. Examples include determining the need for additional equipment or supplies, ensuring hardware and software compatibility to retrieve ePHI and if necessary, communicating changes to patients/clients.

Testing and Revision Procedures are required for the Data Backup, Disaster Recovery and Emergency Mode Operation Plans. These tests should occur within the timelines listed in the entity’s Risk Analysis and in all instances no less than annually. The testing process should be documented and evaluated to determine any need for revision.

Entities should perform an Application and Data Criticality Analysis to identify the information systems that are most important from a business operations perspective. This allows the entity to prioritize which databases need to be restored and in what order. For example, if a health care provider were the victim of a ransomware attack and they were attempting to recover the data, the Application and Data Criticality Analysis would identify the exact systems that are most crucial to their operations, allowing them to more easily prioritize the recovery process.

What does a compliance professional look for when auditing an entity for compliance with contingency planning? Entities should be able to produce the following:

  • A documented Contingency Plan which covers each of the specifications listed above, namely Data Backup Plan, Disaster Recovery Plan, Emergency Mode Operations Plan, Testing and Revision Procedures and Application and Data Criticality Analysis;
  • Documented roles and responsibilities of workforce members during disasters or emergencies;
  • Documentation that identifies the entity’s critical applications;
  • Documentation to demonstrate the plan is periodically reviewed and tested; and
  • Documentation that reflects whether amendments to the Contingency Plan or Risk Analysis were warranted and implemented, if applicable.

While contingency planning is important for appropriate business operations and HIPAA compliance, it is also critical to patient care. Patients count on health care providers to provide appropriate treatment and care during normal periods and during emergencies. If an emergency or disaster renders an entity without access to their ePHI with no plan to recover or otherwise gain access to the data, that creates unnecessary liability on behalf of the provider for treating the patient without access to their current records. Patient care should be paramount to the mission of all health care entities.

[1] Although only federal agencies are required to follow NIST standards, they represent industry standards for how health care entities should handle ePHI.

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.  www.dunsongroup.com

Posted in: HIPAA


Is Your HIPAA Contingency Plan Adequate?

Your response to this question may include one of the following answers:

  1. What in the world is a Contingency Plan?
  2. I think we did that, but I’m not sure where it is.
  3. I know we did one a while back, but we haven’t looked at it in a while.

If any of these responses sound familiar, you will want to get to work. FAST!

HIPAA covered entities are required to protect the integrity, confidentiality and availability of electronic protected health information (ePHI).  In accordance with §164.308(a)(7) of the HIPAA regulations, covered entities are required to develop and maintain a Contingency Plan.  Specifically, covered entities are required to “establish (and implement as needed) policies and procedures for responding to an emergency or other occurrences (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.” The purpose of this requirement is to ensure that entities are able to properly recover or access the accurate health information of their patients and clients during emergencies.

Entities must fulfill this requirement by satisfying “required” and “addressable” standards. Required specifications must be implemented while addressable specifications allow an entity to have more flexibility with regard to how they develop and implement the specification.

A Contingency Plan should include the following:

  1. Data Backup Plan (Required)
  2. Disaster Recovery Plan (Required)
  3. Emergency Mode Operation Plan (Required)
  4. Testing and Revision Procedures (Addressable)
  5. Applications and Data Criticality Analysis (Addressable)

Data Backup Plan

Entities must have internal controls as well as a working relationship with vendors of their information systems to ensure that the entity has the ability to do an up-to-date exact copy backup of its ePHI. The entity should have mechanisms in place to ensure that the backup is performed properly. This backup process must be periodically tested to ensure the integrity of the ePHI.
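The backup requirement above has two parts a practitioner can actually test: the copy must be exact, and it must be current. The following is an added illustration (not the author's code and not any vendor's backup tooling) of one way to run that periodic test on a file-based record store: hash every file at backup time into a manifest, later restore the backup to scratch space, and compare the restored files against the manifest while also checking the backup's age against the entity's own recovery-point target. All file names, the one-day age limit and the sample record contents are constructed for the example.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path


def _sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large records are never read whole into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every regular file under root at backup time.
    The manifest is what a later restore test is compared against, so it should be
    kept separately from the backup media it describes."""
    files = {p.relative_to(root).as_posix(): _sha256(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"created": time.time(), "files": files}


def verify_backup(manifest: dict, restored: Path, max_age_seconds: float, now=None) -> dict:
    """Compare a restored copy with the manifest and with the allowed backup age.
    'ok' is True only when every file is present with the expected hash, nothing
    unexpected was restored, and the backup is not older than max_age_seconds."""
    now = time.time() if now is None else now
    expected = manifest["files"]
    actual = {p.relative_to(restored).as_posix(): _sha256(p)
              for p in restored.rglob("*") if p.is_file()}
    missing = sorted(set(expected) - set(actual))
    extra = sorted(set(actual) - set(expected))
    corrupted = sorted(f for f in expected if f in actual and actual[f] != expected[f])
    age = now - manifest["created"]
    stale = age > max_age_seconds
    return {"ok": not (missing or extra or corrupted or stale),
            "missing": missing, "extra": extra, "corrupted": corrupted,
            "stale": stale, "age_seconds": age}


def demo() -> dict:
    """Constructed sample run: a small record store is backed up, then one faithful
    restore and one damaged restore are checked against the manifest."""
    tmp = Path(tempfile.mkdtemp())
    src = tmp / "records"
    (src / "notes").mkdir(parents=True)
    (src / "notes" / "visit-0001.txt").write_text("constructed sample note\n")
    (src / "index.db").write_bytes(b"\x00\x01constructed sample index")
    manifest = build_manifest(src)
    day = 86400.0  # assumed recovery-point target for the example

    good = tmp / "restore-good"
    shutil.copytree(src, good)

    bad = tmp / "restore-bad"
    shutil.copytree(src, bad)
    (bad / "index.db").write_bytes(b"\x00\x01truncated")        # silent corruption
    (bad / "notes" / "visit-0001.txt").unlink()                  # file lost on media
    (bad / "stray.tmp").write_text("not part of the backup")     # unexpected content

    return {
        "good": verify_backup(manifest, good, max_age_seconds=day),
        "bad": verify_backup(manifest, bad, max_age_seconds=day),
        # the same faithful copy, judged two days later against a one-day target
        "stale": verify_backup(manifest, good, max_age_seconds=day,
                               now=manifest["created"] + 2 * day),
    }


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, "OK" if report["ok"] else "FAIL", report)
```

The point of the damaged-restore case is that a backup job can report success while the media holds a corrupted or incomplete copy; only a restore-and-compare against hashes taken at backup time detects that. Keeping the report (what was checked, when, and the result) also gives the entity the written record the Testing and Revision Procedures call for.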

Data Recovery Plan

A Data Recovery Plan for use in disasters and emergencies must be developed.  Entities should review the HIPAA Risk Analysis to consider foreseeable threats. The Data Recovery Plan should reasonably mitigate any identified threats. In many instances, the entity needs to ensure that the Data Recovery Plan allows workforce members to access ePHI no later than 24 hours after a disaster occurs or a time deemed reasonable by the entity. Employees and staff must be educated with regard to their responsibilities in instances of emergencies when data recovery is warranted.

Emergency Operations Plan

An Emergency Operations Plan must be developed and documented. Entities should solicit the assistance of vendors of information systems that house the entity’s ePHI to devise a plan for how the entity should function during emergencies. This coordination shall include identifying alternate sites for work operations. The Emergency Operations Plan should be tested periodically at the intervals established by the entity’s risk management policy.

Testing and Revision Procedures

The Contingency Plan should be assessed and the entity should identify the need for any revisions. This testing should occur at least annually. This process, as well as any revisions that occur as a result of testing, should be documented. Testing shall include, but is not limited to, the disaster recovery plan, data backup plan and emergency operations plan.

Applications and Data Criticality Analysis

The entity must develop and amend its Risk Analysis, as necessary. As threats or vulnerabilities are identified in the Risk Analysis, the entity must work to resolve the identified risks. The entity must ensure that contingency plans are included in the Risk Analysis and that vulnerabilities are appropriately addressed.

Where Should You Start?

  1. Develop a risk management group to oversee this process, as well as other HIPAA-related policies and procedures.
  2. Determine where your ePHI is stored and utilized in your entity.
  3. Consider threats to your ePHI (e.g., fires, flooding, hurricanes, tornadoes).
  4. Develop procedures for how your entity will respond to these threats.
  5. Test and evaluate the procedures.

Don’t Forget to Document

Some entities invest considerable time and resources considering how they will respond to disasters and emergencies. Often, they implement procedures that are communicated orally but they fail to document the procedures and fail to develop written policies. Always remember, “if it isn’t written down, it didn’t happen.” Entities must ensure that they memorialize their contingency planning efforts by implementing written policies and procedures.

The absence of a written HIPAA Contingency Plan is indicative of an entity that has 1) not undergone a HIPAA compliant Risk Analysis or 2) has undergone an inadequate HIPAA Risk Analysis. In either case, the entity’s lack of attention to such a critical process could be detrimental to the health of its patients and the entity itself.

To ensure that your entity is complying with federal regulations, please consult a health care compliance professional.

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.  www.dunsongroup.com

Posted in: HIPAA

What is a Business Associate Agreement, and Why Should You Care?

Health care providers are primarily concerned with the treatment and wellbeing of their patients. They gather and maintain tremendous amounts of protected health information[1] (PHI) throughout the treatment process and commonly share that PHI with third parties who assist them with carrying out their work. This process of sharing PHI with a third party that is not a workforce member may create a business associate relationship. With the passage of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, medical practices are now required to identify business associate relationships and enter into Business Associate Agreements (BAAs). Failure to comply can lead to heavy fines imposed by the Department of Health and Human Services.

A common challenge to compliance with this regulation is assessing whether an individual or entity falls within the definition of a Business Associate.  To make this determination, medical practices are required to identify third parties who create, receive, maintain, or transmit PHI on behalf of the covered entity, including subcontractors. After documenting this process, an appropriate BAA must be executed to govern the relationship and to protect any PHI.

BAAs are contracts that dictate how a Business Associate must use, disclose and safeguard PHI, as well as the covered entity’s responsibilities to the Business Associate. At a minimum, the BAA must include the following provisions:

  • Establish the permitted and required uses and disclosures of PHI by the Business Associate;
  • Provide that the Business Associate will not use or further disclose the information other than as permitted or required by the contract or as required by law;
  • Require the Business Associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic PHI;
  • Require the Business Associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured PHI;
  • Require the Business Associate to disclose PHI as specified in its contract to satisfy a covered entity’s obligation with respect to individuals’ requests for copies of their PHI, as well as make available PHI for amendments (and incorporate any amendments, if required) and accountings;
  • To the extent the Business Associate is to carry out a covered entity’s obligation under the Privacy Rule, require the Business Associate to comply with the requirements applicable to the obligation;
  • Require the Business Associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of PHI received from, created, or received by the Business Associate on behalf of the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule;
  • At termination of the contract, if feasible, require the Business Associate to return or destroy all PHI received from, or created or received by the Business Associate on behalf of, the covered entity;
  • Require the Business Associate to ensure that any subcontractors it may engage on its behalf that will have access to PHI agree to the same restrictions and conditions that apply to the Business Associate with respect to such information; and
  • Authorize termination of the contract by the covered entity if the Business Associate violates a material term of the contract. Contracts between Business Associates and their subcontractors are subject to these same requirements.[2] (DHHS, 2013)

Don’t Think This Applies to You? Think Again!

Business Associate relationships are voluminous in medical practices.  More often than not, the modern medical practice will have multiple relationships that require a BAA. A few examples may include:

  • Tech support for an Electronic Health Record (EHR)
  • Data storage services
  • Repair services for copiers with hard drives
  • Data destruction
  • Cloud hosting
  • CPA firms that provide accounting services
  • Independent medical transcription services
  • Claims processing

Business Associates May Face Penalties as Well

In June of 2016, Catholic Health Services of the Archdiocese of Philadelphia settled with HHS for $650,000 when it was discovered that they may have violated the HIPAA Security Rule. CHCS provided management and information technology services to the nursing home company creating a Business Associate relationship. HHS alleged that the theft of a CHCS iPhone without password protection compromised the PHI of numerous nursing home residents.

“Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities,” said U.S. Department of Health and Human Services Office for Civil Rights (OCR) Director Jocelyn Samuels. “This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.”

Medical practices should be eager to institute BAAs where appropriate, as they shift liability to the Business Associate for the inappropriate conduct of the Business Associate. Medical practices should not allow any relationship with contractors to exist without first analyzing the need for a Business Associate Agreement. Otherwise, the medical practice could be required to perform breach notification or pay litigation costs for the actions of the Business Associate. It is paramount that your medical practice obtain BAAs when necessary and have a system in place to track them. A proper tracking system will notify you when BAAs expire and will ensure that nothing slips through the cracks. Understand that if, during an audit, it is determined that your medical practice lacks the necessary BAAs, has expired BAAs, or has BAAs that lack the required provisions, your entity could be fined for non-compliance with the HITECH Act.

It is important to note that there are a number of exceptions to the Business Associate Agreement requirement that may apply. Some exceptions include conduits, workforce members and janitors. To protect your practice, you should have a qualified professional perform a risk analysis to determine if a BAA is necessary and to fashion a BAA to the specific relationship.

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.  www.dunsongroup.com

[1] PHI includes many common identifiers, like a patient’s name, date of birth, address, social security number, full-face photo or any other personal identifiers.

[2] Department of Health and Human Services. (2013) Business Associate Agreement Contracts. Retrieved from https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html

Posted in: Liability
