What Are the Top Three Concerns When Negotiating Business Associate Agreements?

Business Associate Agreements (“BAAs”) are a necessary tool for ensuring HIPAA compliance, and the negotiated terms of BAAs are becoming more and more important as we venture into an era of mass cyber attacks and related HIPAA breaches. Covered entities, such as physician practices, are required to enter into a BAA any time they hire a third-party contractor to perform a service on the covered entity’s behalf if that contractor will need to use or access the covered entity’s protected health information (“PHI”) in order to perform the service. Examples of potential business associates include accountants, attorneys, billing companies, consultants, and marketing agencies.

Although BAAs contain a large amount of form, standard language, below are my top three provisions to address when negotiating a BAA:

  1. Indemnity. The indemnity provision determines whether the business associate will be responsible for any costs the covered entity incurs as a result of the business associate’s actions. If the business associate violates the terms of the BAA and/or HIPAA and such violation results in a fine, penalty, investigation, claim, etc. against the healthcare provider, the indemnity provision allows the healthcare provider to pursue the business associate and recoup those costs. It holds the party responsible for the incident accountable for the associated costs.
  2. Breach Reporting. Every BAA should address how quickly breaches of unsecured PHI, security incidents, and other improper uses and disclosures of patient information will be reported to the covered entity following the discovery by the business associate. I generally recommend no more than a 10-day notice period. The BAA should also specify what information will be provided in the notice, how the business associate will work with the covered entity to address the incident, and, with regard to a breach of unsecured PHI, who will be responsible for the costs of breach notification and who will provide the breach notification.
  3. De-identification of Data. De-identified data is not covered by HIPAA, provided it meets the Privacy Rule’s de-identification standard (removal of the specified identifiers under the Safe Harbor method, or a formal Expert Determination); simply stripping names is not enough. Thus, if business associates are allowed to de-identify the patient data provided by a healthcare provider, they can use that data for any purpose, including a purpose directly profiting the business associate. For that reason, many healthcare providers disfavor allowing their business associates to de-identify patient data, and either prohibit de-identification entirely or limit the permitted uses and/or disclosures of de-identified data by the business associate to specific purposes (e.g., data aggregation or research).
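
As an added illustration of what “de-identified” means under the Privacy Rule (example code written for this page, not taken from the article or from any vendor), the following Python applies the Safe Harbor method to a single patient record. The field names and the sample patient are constructed, and the method’s “no actual knowledge” condition is left to human judgment:

```python
"""Safe Harbor de-identification (45 CFR 164.514(b)(2)) of a patient record.

Added example for this page, not code from the article or from any vendor.
The record field names and the sample patient below are constructed.

Safe Harbor is applied here in its mechanical parts: drop the direct
identifiers, keep only the year of any date, truncate ZIP codes to three
digits (or "000" where the three-digit area is sparsely populated), and
report ages of 90 and over only as "90+", removing the birth year in that
case since it would reveal the age.  The method's second requirement, that
the holder has no actual knowledge the remaining data could identify the
person, is a judgment no script can make.
"""
from datetime import date

# Field names holding identifiers Safe Harbor removes outright (geography
# smaller than a state, contact details, record and device numbers, etc.).
# Dates, ZIP and age are transformed below rather than dropped.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric_id",
    "photo",
}

# Three-digit ZIP areas with 20,000 or fewer residents in the 2000 Census,
# listed in HHS's Safe Harbor guidance; these must be reported as "000".
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}


def generalize_zip(zip_code):
    """Keep the first three digits of a ZIP (or ZIP+4), masking sparse areas."""
    zip3 = str(zip_code).strip()[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_age(dob, as_of):
    """Age in completed years as a string; 90 and over collapse to '90+'."""
    years = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if years >= 90 else str(years)


def deidentify(record, as_of):
    """Return a new dict containing only Safe Harbor-permitted fields."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                      # removed entirely
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "dob":
            age = generalize_age(value, as_of)
            out["age"] = age
            if age != "90+":              # birth year alone would reveal age >= 90
                out["birth_year"] = value.year
        elif key.endswith("_date"):
            out[key[:-len("_date")] + "_year"] = value.year   # year only
        else:
            out[key] = value              # clinical data passes through
    return out


# Constructed sample record (fictional patient) for demonstration.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street_address": "123 Any Street",
    "city": "Birmingham",
    "state": "AL",
    "zip": "35203-1234",
    "dob": date(1927, 5, 14),
    "admission_date": date(2018, 3, 2),
    "mrn": "MRN-000123",
    "email": "jane@example.com",
    "diagnosis_code": "E11.9",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, as_of=date(2018, 4, 1)))
```

Note that the over-89 rule removes the birth year along with the exact age; keeping the year alone would let a reader reconstruct the very age bucket Safe Harbor says must not be distinguishable. State-level geography and clinical codes pass through unchanged, which is why a business associate holding only this output can use it outside the BAA unless the agreement says otherwise.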

Although it did not make my top three, seeing as more and more states are developing and expanding breach notification requirements and the obligations surrounding the privacy and security of patient information, the choice of law provision in a BAA is becoming more important. For providers located in Alabama, Alabama should serve as your choice of law—the location where the patient was treated and the location of the generation of the medical information.

Kelli Fleming is a Partner with Burr & Forman LLP and practices exclusively in the firm’s Health Care Industry Group. Burr & Forman LLP is a preferred partner with the Medical Association.

Posted in: HIPAA

The Painful Reality of Ransomware and How to Protect Against It

Imagine if in a split second you were unable to access all of your patients’ health care records. A cruel ransomware attack had locked you out of your computer system, and in order to regain your precious data you needed to pay a cybercriminal’s demand in bitcoin.

Unfortunately, by the time you finish reading this article several businesses in the U.S. will experience this dreadful reality. Most commonly the disaster begins when an infected email attachment is opened and the malware spreads through a network.

Health care providers have a significantly higher risk of being targeted by ransomware. The reason for this is simple: you possess a large amount of data that is valuable to cybercriminals. In addition, hackers know you need to access medical records, digital x-rays, and test results to provide medical services to your patients. This, they hope, will motivate you to meet their demands to get your protected health information back.

A sudden disruption to a business proves to be a strong impetus. Nearly three-quarters of businesses infected by ransomware pay up to recover their data. Studies show, however, that less than half of them receive the necessary decryption key to unlock their data. The good news is there’s a simple, secure solution to avoid going through this painful scenario.

Ironclad Data Protection

Many practices don’t have the expertise, time or resources to deal with a ransomware attack. Many feel confident that their IT service provider has addressed security and backup needs in the event of a disaster. As a leading provider of HIPAA compliance software, we know of several cases where a practice’s IT provider has not properly backed up their system. This can put you in the unenviable position of having to deal with unsavory cybercriminals. Here’s how our OfficeSafe software protects your data with the most secure online backup storage service available, and alleviates worries about a ransomware attack.

We provide a HIPAA compliant data backup solution with 256-bit encryption and SQL database restoration. This makes backing up and restoring your practice’s crucial data easy. In the event of a ransomware attack, you’ll have ten days of backup history, enabling your practice to find a clean backup set taken before the infection. This is critically important: if your practice cannot restore its data to multiple points in the past, you don’t have a sufficient disaster recovery solution.

OfficeSafe’s centralized management portal is designed for healthcare service providers and goes beyond file-and-folder backups, delivering a secure hybrid local and cloud solution. With its point-to-point encrypted email, you can keep your existing email address and send protected messages through Gmail and other popular email services. OfficeSafe also includes an emergency planning tool that helps members of your team expedite their response to unexpected situations.

Under the HIPAA Breach Notification Rule, and OCR’s guidance on ransomware, a ransomware infection that encrypts ePHI on your systems or on those of a business associate is presumed to be a breach that must be reported to HHS and to the affected patients, unless a documented risk assessment demonstrates a low probability that the PHI has been compromised. If the breach affects more than 500 residents of a state or jurisdiction, you must also notify prominent media outlets serving that area. Don’t let an unexpected incident cripple your business and tarnish your practice’s reputation.

Call us today at (800) 588-0254 or find out how we can work alongside your IT team to provide your business with full data protection in the event of a disaster.

Posted in: Technology

Front Office Transformation – First Impressions

I recently visited a specialty practice at a major health system. As I approached the registration desk, a posted sign directed me to a standing kiosk to sign in. The family member I accompanied to the appointment was unable to stand at the kiosk, so I provided the needed information and signed her in. Although it was a quick and seamless process, I was concerned because if I needed assistance, there were no employees to ask.

Many practices have implemented kiosk sign-ins and have someone to assist a patient with the process if needed. Practice administrators have made the decision to implement a kiosk to assure verification of the current insurance policy and to prompt the patient to pay any out-of-pocket expense before they see the doctor. Many of the kiosk solutions allow a pre-registration via email permitting the patient to populate data and upload information from their own device at their convenience.

Benefits of Kiosk Sign-in include:

  • reduced staffing needs at the front desk
  • decreased patient wait time
  • and, most impressively, increased time-of-service collections.

You may not be ready for a kiosk at your registration desk, but you should review key areas for process improvements to assure you are preparing your practice for success at the front line. The MGMA Connection magazine reported an increase in the patient out-of-pocket expense by 30 percent in the last two years. Previous reports had already noted significant increases in patient deductibles and co-pays outside of the office co-pay. Failure to educate your front office staff, evaluate workflows, review software for accurate verification of benefits, and the lack of consistent financial policies could cost you at the end of the revenue cycle, and hurt your practice in the long-run.

All this to say, first impressions are vital to a practice. A second experience I had: when I walked into a practice, the first thing I saw was that each of the front desk staff members was on the phone and did not acknowledge the patients walking in until they hung up. They were scheduling tests, getting pre-certifications and poorly collecting information and money. The staff had so many tasks that they were unable to perform any of them well and with intention.

Focus your front office staff on key functions: greet the patient, collect data, verify data, and collect money. Setting goals and seeing improvement will engage your staff in the big picture and train your patients to expect quality and consistent service and furthermore, be willing to pay for it.

The changes in health care have caused us to focus on efficiency and high-quality services at a reduced cost. As administrators, physicians, and/or staff members, you rarely enter the office from the front door so you may fail to see your operations from the patient’s perspective. Understanding how patients view your practice can put your practice at the next level.

Paper registration is a hassle to update and likely skipped if the phones are ringing off the hook. Patient satisfaction is vital in any medical practice and patients are learning technology can enhance their experience. The primary goal of the front desk should always be to provide great customer service because it is easier to collect from a happy patient.

Once you assure education, define processes, and establish best practices for the front office, it is time to set goals. Track performance (such as co-pay collection rate), reward success, monitor compliance, and watch your practice grow!

Article contributed by Tammie Lunceford, Healthcare and Dental Consultant, Warren Averett Healthcare Consulting Group. Warren Averett is an official Gold Partner with the Medical Association.

Posted in: Management

NIH’s All of Us Research Program Kicks Off in Birmingham on May 6

Posted in: Health

What If No One Was On Call [at the Legislature]?

2018 Recap of the Regular Session of the Alabama Legislature

In times of illness, injury and emergency, patients depend on their physicians. But what if no one was on call? Public health would be in jeopardy. The same holds true for the Legislature. During the 2018 session alone, if the Medical Association had not been on call advocating for you and your patients, unnecessary and costly standards of care would have been written into law, lawsuit opportunities against physicians would have increased and poorly thought-out “solutions” to the drug abuse epidemic ─ that could’ve made the problem worse ─ would have become law. Keep reading to find out more.

Moving Medicine Forward

The 2018 Legislative Session is over, but continued success in the legislative arena takes constant vigilance. Click here to download our 2018 Agenda.

If no one was on call…increased state funding for upgrading the Prescription Drug Monitoring Program (PDMP) would not have occurred. Working with the Governor’s Opioid Task Force, the Medical Association proposed increased funding for the PDMP, to allow it to be an effective tool for physicians. As a result, the Task Force made the request its number one recommendation to the Governor and the 2019 budget for the Alabama Department of Public Health (the PDMP administrator) has a $1 million increase for making a long-overdue upgrade to the user-friendliness of the drug database.

If no one was on call…legislation helping veterans at-risk for drug abuse get the care they need and also leverage technology to combat the drug abuse epidemic would not have occurred. Through enactment of SB 200, the prescription information of VA patients will be shared between the VA and non-VA physicians and pharmacists who are outside the VA system, the same kind of information sharing of prescription data that exists for almost all other patients. Passage of SB 200 also establishes a mechanism for vetting requests for release of completely de-identified PDMP information that can be used to spot drug abuse trends and help state officials better allocate resources in combatting this epidemic. The proposals that resulted in the drafting of SB 200 originated with a recommendation from the Governor’s Opioid Task Force, one the Medical Association supported.

If no one was on call…the concerns of physicians regarding the current state of affairs surrounding the Maintenance of Certification program would not have been heard. A formal recommendation from the Medical Association’s MOC Study Committee resulted in the enactment of SJR 62 by Senators Tim Melson, M.D., Larry Stutts, M.D., and the entire Alabama Senate. The resolution was signed by Gov. Kay Ivey. SJR 62 vocalizes Alabama physicians’ frustrations with MOC and urges the American Board of Medical Specialties to honor its commitment to help reduce the burden and cost of MOC. Pursuit of a legislative resolution was just one of several recommendations from the Association’s MOC Study Committee this year.

If no one was on call…the Board of Medical Scholarship Awards could have seen its funding reduced but instead, the program retained its funding level of $1.4 million for 2019. The BMSA grants medical school loans to medical students and accepts as payment for the loan that student’s locating to a rural area to practice medicine. The BMSA is a critical tool for recruiting medical students to commit to practice in rural areas. As well, the economic footprint of every physician is at least $1 million, which improves both community health and local economies.

If no one was on call…Medicaid cuts could have been severe, possibly reducing access for patients within an already fragile system in which less than 20 percent of Alabama physicians participate. The 2019 budget has sufficient funds available for Medicaid without scheduled cuts to physicians. However, increasing Medicaid reimbursements to Medicare levels could further increase access to care for Medicaid patients and remains a Medical Association priority.

Beating Back the Lawsuit Industry

While Alabama’s medical liability laws have fostered fairness in the courtroom and improved the legal climate, each year personal injury attorneys seek to undo parts of the very law that helps keep “jackpot justice” and frivolous suits in check.

If no one was on call…bill language that could have pulled physicians into new lawsuits targeting opioid drug makers and opioid wholesale drug distributors could have been included in the final version of the legislation, whose subject matter was originally limited to placing new criminal penalties on unlawful possession, distribution and trafficking of Fentanyl. After the liability language was added on the House floor, a committee of the House and Senate removed the new cause of action language that could have affected physicians. Additionally, an unsuccessful attempt was made to amend this same bill to give law enforcement the authority to determine what is the unlawful “prescribing” or “dispensing” of prescription drugs. The final bill that passed contained neither of these elements that would have been problematic for physicians.

If no one was on call…physicians and medical practices could have been forced to provide warranty and replacement coverage for “assistive medical devices.” As originally drafted in the bill, the term “assistive medical devices” was broadly defined to include any device that improves a person’s quality of life including those implanted, sold or furnished by physicians and medical practices like joint or cochlear implants, pacemakers, hearing aids, etc. However, the Medical Association successfully sought an amendment to remove physicians, their staff and medical practices from having any new warranty or assistive device replacement responsibility under the act, and the final version doesn’t expand liability on doctors.

If no one was on call…legislation granting nurse practitioners and nurse midwives new signature authority outside of a collaborative practice and for some items prohibited under federal law – thereby significantly expanding liability for collaborating physicians – could have become law. The Medical Association successfully sought to ensure that all new signature authority granted to CRNPs and CNMs was subject to an active collaborative agreement and all additional forms or authorizations granted were consistent with federal law, protecting collaborating physicians from new liability exposure. The final bill was favorably amended with this language.

If no one was on call…physicians could have been held legally responsible for others’ mistakes including individuals following or failing to follow DNR orders on minors. The language of the final bill does not expand liability for physicians.

Protecting Public Health and Access to Quality Care

Every session, various pieces of legislation aimed at improving the health of Alabamians are proposed. At the same time however, many bills are also introduced that endanger public health and safety, like those where the Legislature attempts to set standards for medical care, which force physicians and their staffs to adhere to non-medically established criteria, wasting health care dollars, wasting patients’ and physicians’ time and exposing physicians to new liability concerns.

If no one was on call…collaborative practice in Alabama between nurse practitioners, nurse midwives and physicians could have been abolished. The legislation did not pass. Read the joint statement on the bill from the Medical Association and allied medical specialties here. The bill may return next session.

If no one was on call…legislation to give law enforcement the authority to determine what is the unlawful “prescribing” or “dispensing” of controlled substances (and making violations a Class B Felony) could have become law. The Medical Association sought changes to the bill to require prosecutors to have to prove beyond a reasonable doubt that a physician knowingly or intentionally prescribed controlled substances for other than a legitimate medical purpose and outside the usual course of his or her professional practice, and also to ensure sufficient qualifications for expert witnesses. The sponsor however – arguing that expert witness testimony for prosecuting a physician should not be required – asked the bill not be passed and instead “indefinitely postponed it,” killing the bill for the 2018 session. The bill will return next session.

If no one was on call…marriage and family therapists could have been allowed unprecedented authority to diagnose and treat mental illnesses without restriction. The legislation would also have deleted numerous prohibitions in current law including prescribing drugs, using electroconvulsive therapy, admitting to a hospital and treating inpatients without medical supervision, among other things. The Medical Association offered a substitute bill that (1) ensures all diagnoses and treatment plans made by MFTs are within the MFT treatment context; (2) ensures MFTs cannot practice outside the boundaries of MFT services; (3) prohibits MFTs from practicing medicine; and, (4) ensures all the current prohibitions in state law regarding prescribing of drugs, electroconvulsive therapy and inpatient treatment remain intact. The final bill that is now law contains all of these elements.

If no one was on call…legislation creating a new state board with unprecedented authority over medical imaging could have passed. The legislation would have required x-ray operators, magnetic resonance technologists, nuclear medicine technologists, radiation therapists, radiographers and radiologist assistants to acquire a new license from a new state board, a board granted total control over the scope of practice for each licensee. Quality and access to care concerns abounded with this legislation that many saw as unnecessary. The legislation did not pass, but is likely to return next session.

If no one was on call…proposals to move the PDMP away from the Alabama Department of Public Health and instead under the authority of some other state agency or even to a private non-profit organization could have been successful. In working with the Governor’s Opioid Task Force, the Medical Association stressed the Health Department was the proper home for the PDMP and the Task Force did not recommend that the PDMP be moved elsewhere.

If no one was on call…legislation to place new requirements on and increase civil liability exposure on referring physicians under the Women’s Right to Know Act could have become law. The legislation aimed to provide a woman seeking an abortion with notice that she can change her mind at any time and be entitled to a full refund for not going through with the abortion. The Medical Association sought to fix a longstanding problem that places information-provision requirements on referring physicians under the Women’s Right to Know law. While the Association’s language was adopted, the bill failed to pass. The bill is expected to return next session.

If no one was on call…state law could have been changed to require mandatory PDMP checks on every prescription. Attempts to change this are expected in 2019.

If no one was on call…law enforcement could have been granted unfettered access to the prescriptions records of all Alabamians. Attempts to change this are expected in 2019.

Other Bills of Interest

Rural physician tax credits…legislation to increase rural physician tax credits and thereby increase access to care for rural Alabamians did not pass but will be reintroduced next session.

Infectious Disease Elimination…legislation to establish infectious disease elimination pilot programs to mitigate the spread of certain diseases failed to garner enough support to pass this session.

Data breach notification…relating to consumer protection, is known as the “data breach bill.” In the event of a data breach by a HIPAA-covered entity, as long as the entity follows HIPAA guidelines for data breaches and notifies the attorney general if the breach affects more than 1,000 people, the HIPAA-covered entity is exempt from any penalties. With its enactment, Alabama became the last of the 50 states to adopt a data breach notification statute. The bill was signed by the Governor.

School-based vaccine program…a Senate Joint Resolution urging the State Department of Education and the Alabama Department of Public Health to encourage all schools to participate in a school-based vaccine program passed in 2018. The Medical Association, Alabama Academy of Pediatrics and Alabama Academy of Family Physicians issued a joint statement in opposition to the resolution.

“While we remain committed to increasing vaccine rates in Alabama for the very reasons outlined in the ‘Whereases’ of the resolution, we are very concerned about the potential disruption that a widespread school-based program could bring to local practices and the likelihood of detrimental effects of adolescents not visiting the doctor, their medical home, during the critical teen years,” the joint statement from the medical societies reads.

While Gov. Ivey did not sign the resolution, it was ratified under state law without her signature.

Workers comp…legislation to penalize an individual from obtaining workers comp benefits by fraudulent means was introduced this session. The Medical Association successfully sought an amendment to require notice to the physician of termination of a worker’s benefits and to ensure continued payment of claims submitted by a physician until that notice is received. The bill failed to see any action this session.

Genital mutilation…legislation criminalizing the genital mutilation of a minor female was introduced this session. The Medical Association successfully sought an amendment to exclude emergency situations and procedures. The bill died in the Senate during the last days of the session. It is expected to return next year.

If the Medical Association was not on call at the Legislature, countless bills expanding doctors’ liability, placing standards of care into state law, lowering the quality of care provided and diminishing the practice of medicine could have passed. At the same time, positive strides in public health – like new funding for a much-needed PDMP upgrade, better data-sharing with VA facilities and the resolution on MOC – would not have occurred. The Medical Association is Alabama physicians’ greatest resource in advocating for the practice of medicine and the patients they serve.

Questions? For more information contact Niko Corley at ncorley@alamedical.org

Posted in: Advocacy

Medical Association Chooses PCIHIPAA to Help Benefit and Protect Its Members

MONTGOMERY – The Medical Association of the State of Alabama has partnered with PCIHIPAA to help protect its members from the onslaught of ransomware attacks, HIPAA violations and data breaches impacting Alabama physicians. Under HIPAA’s Security and Privacy Rules, health care providers are required to take proactive steps to protect sensitive patient information.

“The Medical Association services more than 7,000 Alabama physicians. It’s critical that our members understand the risks surrounding HIPAA compliance and patient data privacy and security laws. We vetted many HIPAA compliance providers and believe PCIHIPAA’s OfficeSafe Compliance Program is the right solution for Alabama physicians. PCIHIPAA’s compliance program is robust and easy to implement. I’m confident our partnership will provide a necessary, value-added program for our members.” said Association President Jerry Harrison M.D.

The partnership comes on the heels of an important announcement surrounding HIPAA compliance regulation. The Director of U.S. Department of Health and Human Services’ Office for Civil Rights recently stated, “Just because you are a small medical or dental practice doesn’t mean we’re not looking and that you are safe if you are violating the law. You won’t be.” In addition, in 2017 hacking and employee errors led to data breaches at Alabama-based Surgical Dermatology Group, UAB Viral Hepatitis Clinic and The University of Alabama, supporting the importance of HIPAA compliance and patient data protection.

According to the U.S. Department of Health and Human Services, OCR has received over 150,000 HIPAA complaints following the issuance of the Privacy Rule in April 2003. A rising number of claims filed under HIPAA in recent years have led many patients to question whether or not their personal payment and health information is safe. As the government has become more aggressive in HIPAA enforcement, large settlements have become widespread and rising penalties for HIPAA non-compliance are a reality.

According to HHS.gov, the types of HIPAA violations most often identified are:

  1. Impermissible uses and disclosures of protected health information (PHI)
  2. Lack of technology safeguards of PHI
  3. Lack of adequate contingency planning in case of a data breach or ransomware attack
  4. Lack of administrative safeguards of PHI
  5. Lack of a mandatory HIPAA risk assessment
  6. Lack of executed Business Associate Agreements
  7. Lack of employee training and updated policies and procedures

“We are honored to be partnering with The Medical Association of The State of Alabama. They have a 140-year track record of helping Alabama physicians thrive. PCIHIPAA’s mission is to help physicians easily and affordably navigate HIPAA requirements and provide the solutions they need to protect their practices. We find that many practices don’t have the resources to navigate HIPAA law, and are unaware of common vulnerabilities. We encourage all association members to take a complimentary risk assessment to quickly assess their HIPAA compliance and risk levels. To get started go to Start Risk Assessment.” said Jeff Broudy, CEO of PCIHIPAA.

About PCIHIPAA
PCIHIPAA is an industry leader in PCI and HIPAA compliance providing turnkey, convenient solutions for its clients. Delivering primary security products to mitigate the liabilities facing dentists and doctors, PCIHIPAA removes the complexities of financial and legal compliance to PCI and HIPAA regulations to ensure that health and dental practices are educated about what HIPAA laws require and how to remain in full compliance. Learn more at OfficeSafe.com and PCIHIPAA.com.

Posted in: MVP

Now Available: CMS Data Submission System for Clinicians in the Quality Payment Program

CMS Launches New Data Submission System for Clinicians in the Quality Payment Program

On Tuesday, Jan. 2, the Centers for Medicare & Medicaid Services launched a new data submission system for clinicians participating in the Quality Payment Program. Clinicians can now submit all of their 2017 Merit-based Incentive Payment System data through one platform on the qpp.cms.gov website. Data can be submitted and updated anytime from Jan. 2, 2018, to March 31, 2018, with the exception of CMS Web Interface users who will have a different timeframe to report quality data from Jan. 22, 2018, to March 16, 2018. Clinicians are encouraged to log-in early to familiarize themselves with the system.

How to Log In to the Quality Payment Program Data Submission System

To log in and submit data, clinicians will use their Enterprise Identity Management (EIDM) credentials.

  • The EIDM account provides CMS customers with a single user identification they can use to access many CMS systems.
  • The system will connect each user with their practice Taxpayer Identification Number (TIN). Once connected, clinicians will be able to report data for the practice as a group, or for individual clinicians within the practice.
  • To learn about how to create an EIDM account, see this user guide.

Real-Time Scoring

As data is entered, clinicians will see real-time initial scoring within the MIPS performance categories. Data is automatically saved and clinician records are updated in real time. This means a clinician can begin a submission, leave without completing it, and then finish it at a later time without losing the information.

Payment Adjustment Calculations

Payment adjustments will be calculated based on the last submission or submission update that occurs before the submission period closes on March 31, 2018.

Determining Eligibility

There are two eligibility look-up tools available to confirm a clinician’s status in the Quality Payment Program. Clinicians who may be included in MIPS should check their National Provider Identifier in the MIPS Participation Status Tool, which will be updated with the most recent eligibility data, to confirm whether they are required to submit data under MIPS for 2017. For clinicians who know they are in a MIPS APM or an Advanced APM, CMS is working to improve the Qualifying APM Participant (QP) Look-up Tool to include eligibility information for Advanced APM and MIPS APM participants. We anticipate sharing this updated tool in January 2018.

For More Information

To learn more about the Quality Payment Program data submission system, please review this fact sheet or view any of the following training videos:

  1. Merit-based Incentive Payment System (MIPS) Data Submission
  2. Advancing Care Information (ACI) Data Submission for Alternative Payment Models (APMs)
  3. Data Submission via a Qualified Clinical Data Registry and Qualified Registry

Visit qpp.cms.gov to explore measures and activities and to review guidance on MIPS, APMs, what to report, and more.  

Go to the Quality Payment Program Resource Library on CMS.gov to review Quality Payment Program resources.

Questions?

Contact the Quality Payment Program at QPP@cms.hhs.gov or 1-866-288-8292 (TTY: 1-877-715-6222).

Posted in: CMS

A HIPAA Contingency Plan: Yes, It’s Boring. Yes, You Must Do It.

When was the last time you reviewed your entity’s Contingency Plan? If it has been a while, or never, you need to get to work. In light of recent natural disasters and ransomware attacks, the necessity of thorough and documented contingency planning, including backup and disaster recovery, has become a focus for health care entities.

Pursuant to the Health Insurance Portability and Accountability Act (HIPAA), health care entities are required to protect the confidentiality, integrity and availability of their electronic protected health information (ePHI). They must consider potential incidents that may affect their information systems, such as fires, vandalism, malware attacks and tornados. Then they must document their strategy for operating during those events.

Contingency planning should begin with a review of the entity’s Risk Analysis. This document identifies what type of ePHI the entity accesses or maintains, where the data resides, and how the entity handles the data. Afterwards, the entity should begin the process of developing specific Administrative Safeguards.

A Data Backup Plan is essential, especially in instances of malware and natural disasters. Entities must put procedures in place to create and maintain exact copy backups of their data that they can readily retrieve. For example, if an entity is heavily damaged by a tornado or fire, they must be able to gain access to the data that they previously utilized within their entity. Without the benefit of timely system backups, the entity would not be able to recover up-to-date data which can be a serious liability when treatment decisions are being made about patients/clients without the benefit of their most current records.

The entity should ensure that there is an appropriate off-site backup of the entity’s ePHI and that the backup is actually being performed as scheduled. These exact copy backups generally occur on a daily, weekly and monthly basis. The entity should retain copies of these backups and should periodically test them by restoring from the backup and confirming that the restored data matches what was backed up; a backup that has never been restored is an untested assumption, not a safeguard.

The ability to recover lost or stolen data can be critical. The entity should ensure that they have an effective Disaster Recovery Plan that complies with the National Institute of Standards and Technology (NIST) specifications.[1] The Disaster Recovery Plan should identify risks observed in the Risk Analysis and reflect a comprehensive plan to recover ePHI within specific time parameters, generally 24 to 48 hours. Additionally, careful consideration must be given to appropriate off-site locations that the entity could utilize if their primary location is no longer available. All workforce members should be informed of the plan and trained on their specific role.

An Emergency Mode Operations Plan documents the manner in which the entity will work throughout the course of the emergency. This relates to the critical business processes that must take place to protect ePHI during and following the emergency or disaster. Examples include determining the need for additional equipment or supplies, ensuring hardware and software compatibility to retrieve ePHI and if necessary, communicating changes to patients/clients.

Testing and Revision Procedures are required for the Data Backup, Disaster Recovery and Emergency Mode Operation Plans. These tests should occur within the timelines listed in the entity’s Risk Analysis and in all instances no less than annually. The testing process should be documented and evaluated to determine any need for revision.

Entities should perform an Application and Data Criticality Analysis to identify the information systems that are most important from a business operations perspective. This allows the entity to prioritize which databases need to be restored and in what order. For example, if a health care provider were the victim of a ransomware attack and they were attempting to recover the data, the Application and Data Criticality Analysis would identify the exact systems that are most crucial to their operations, allowing them to more easily prioritize the recovery process.
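The paragraph above and the 24 to 48 hour recovery window in the Disaster Recovery Plan discussion are two halves of one planning problem: the criticality analysis decides the order in which systems come back, and the recovery window decides whether that order is good enough. The following Python script is an added example (it is not part of the article and not a tool the author or HHS provides) of how a practitioner can turn an Application and Data Criticality Analysis into a restore schedule and check it against a recovery-time objective. The system inventory, dependency links, restore-time estimates and the 24-hour RTO are all constructed for the demonstration.

```python
"""Dependency-aware recovery ordering checked against a recovery-time objective.

Added example; not from the article. The system inventory, restore estimates
and the 24-hour RTO are constructed to illustrate an Application and Data
Criticality Analysis feeding a Disaster Recovery Plan.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    name: str
    criticality: int            # 1 = most critical to patient care, larger = less critical
    restore_hours: float        # estimated wall-clock time to restore from backup
    depends_on: tuple[str, ...] = ()


# Constructed inventory for the demo. The EHR cannot come up before its database,
# and nothing that authenticates users can come up before the directory service.
INVENTORY = [
    System("directory", 2, 2.0),
    System("ehr-db", 1, 8.0, ("directory",)),
    System("ehr-app", 1, 3.0, ("ehr-db", "directory")),
    System("imaging", 2, 12.0, ("directory",)),
    System("billing", 3, 6.0, ("ehr-db",)),
    System("marketing-site", 4, 1.0),
]


def plan_recovery(systems: list[System], rto_hours: float = 24.0) -> list[dict]:
    """Schedule restores one at a time (a single recovery team is assumed).

    At each step, among the systems whose prerequisites are already restored,
    the most critical one goes next. Returns the ordered schedule with the hour
    at which each system is back and whether that is inside the RTO. Raises
    ValueError on an undeclared dependency or a dependency cycle; both mean the
    criticality analysis itself is incomplete.
    """
    by_name = {s.name: s for s in systems}
    undeclared = [(s.name, d) for s in systems for d in s.depends_on if d not in by_name]
    if undeclared:
        raise ValueError(f"dependencies not in inventory: {undeclared}")

    remaining = dict(by_name)
    restored: set[str] = set()
    clock = 0.0
    schedule: list[dict] = []
    while remaining:
        ready = [s for s in remaining.values() if set(s.depends_on) <= restored]
        if not ready:
            raise ValueError(f"dependency cycle among: {sorted(remaining)}")
        nxt = min(ready, key=lambda s: (s.criticality, s.restore_hours, s.name))
        clock += nxt.restore_hours
        schedule.append({"system": nxt.name,
                         "criticality": nxt.criticality,
                         "done_at_hours": clock,
                         "within_rto": clock <= rto_hours})
        restored.add(nxt.name)
        del remaining[nxt.name]
    return schedule


def rto_breaches(schedule: list[dict], max_tier: int) -> list[str]:
    """Names of systems at or above the given criticality tier that miss the RTO."""
    return [row["system"] for row in schedule
            if row["criticality"] <= max_tier and not row["within_rto"]]


if __name__ == "__main__":
    plan = plan_recovery(INVENTORY)
    for row in plan:
        flag = "" if row["within_rto"] else "  <-- misses RTO"
        print(f"{row['done_at_hours']:5.1f}h  tier {row['criticality']}  {row['system']}{flag}")
    print("tier-1 breaches:", rto_breaches(plan, 1))
    print("tier-2 breaches:", rto_breaches(plan, 2))
```

With the constructed inventory, the two tier-1 systems are back within 13 hours but imaging, a tier-2 system, lands at hour 25 and misses a 24-hour RTO. That is exactly the kind of finding the criticality analysis exists to surface before an incident: the entity can either document a longer, accepted recovery time for imaging or plan a second recovery team so that imaging restores in parallel with the EHR. The script models a single sequential team; a parallel model would change the clock arithmetic but not the dependency ordering.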

What does a compliance professional look for when auditing an entity for compliance with contingency planning? Entities should be able to produce the following:

  • A documented Contingency Plan which covers each of the specifications listed above, namely Data Backup Plan, Disaster Recovery Plan, Emergency Mode Operations Plan, Testing and Revision Procedures and Application and Data Criticality Analysis;
  • Documented roles and responsibilities of workforce members during disasters or emergencies;
  • Documentation that identifies the entity’s critical applications;
  • Documentation to demonstrate the plan is periodically reviewed and tested; and
  • Documentation that reflects whether amendments to the Contingency Plan or Risk Analysis were warranted and implemented, if applicable.

While contingency planning is important for appropriate business operations and HIPAA compliance, it is also critical to patient care. Patients count on health care providers to provide appropriate treatment and care during normal periods and during emergencies. If an emergency or disaster renders an entity without access to their ePHI with no plan to recover or otherwise gain access to the data, that creates unnecessary liability on behalf of the provider for treating the patient without access to their current records. Patient care should be paramount to the mission of all health care entities.

[1] Although only federal agencies are required to follow NIST standards, they represent industry standards for how health care entities should handle ePHI.

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.  www.dunsongroup.com

Posted in: HIPAA

Is Your HIPAA Contingency Plan Adequate?

Your response to this question may include one of the following answers:

  1. What in the world is a Contingency Plan?
  2. I think we did that, but I’m not sure where it is.
  3. I know we did one a while back, but we haven’t looked at it in a while.

If any of these responses sound familiar, you will want to get to work. FAST!

HIPAA covered entities are required to protect the integrity, confidentiality and availability of electronic protected health information (ePHI). In accordance with §164.308(a)(7) of the HIPAA Security Rule, covered entities are required to develop and maintain a Contingency Plan. Specifically, covered entities are required to “establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.” The purpose of this requirement is to ensure that entities are able to properly recover or access the accurate health information of their patients and clients during emergencies.

Entities fulfill this requirement by satisfying “required” and “addressable” implementation specifications. Required specifications must be implemented as written. Addressable specifications are not optional: the entity must assess whether the specification is reasonable and appropriate in its environment and either implement it, or document why it is not reasonable and appropriate and implement an equivalent alternative measure where one is reasonable and appropriate.

A Contingency Plan should include the following:

  1. Data Backup Plan (Required)
  2. Disaster Recovery Plan (Required)
  3. Emergency Mode Operation Plan (Required)
  4. Testing and Revision Procedures (Addressable)
  5. Applications and Data Criticality Analysis (Addressable)

Data Backup Plan

Entities must have internal controls as well as a working relationship with vendors of their information systems to ensure that the entity has the ability to do an up-to-date exact copy backup of its ePHI. The entity should have mechanisms in place to ensure that the backup is performed properly. This backup process must be periodically tested to ensure the integrity of the ePHI.
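Both articles on this page say the backup process must be tested periodically to confirm the backup is an exact, retrievable copy. The following Python script is an added example of such a test; it is not from either article and is not a tool the author provides. It backs up a directory of constructed sample records (not real patient data), writes a SHA-256 manifest computed from the live source at backup time, restores the backup into a fresh location, and compares every restored file with the manifest, so that a file that is missing, altered or unexpectedly present is reported rather than silently trusted. All paths and records are constructed for the demonstration.

```python
"""Backup integrity and restore test for a directory of (constructed) ePHI files.

Added example, not from the original articles. It demonstrates the 'exact copy'
and 'periodic test' requirements: take a backup, record a SHA-256 manifest of
the source, restore into a fresh location and verify every file byte-for-byte.
"""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Constructed sample records for the demo; not real patient data.
SAMPLE_RECORDS = {
    "patients/1001.json": '{"id": 1001, "name": "Test Patient A", "allergies": ["penicillin"]}\n',
    "patients/1002.json": '{"id": 1002, "name": "Test Patient B", "allergies": []}\n',
    "labs/2018-01-03.csv": "patient_id,test,result\n1001,A1C,6.1\n1002,LDL,130\n",
}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large imaging files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(source: Path, backup_dir: Path) -> Path:
    """Mirror source into backup_dir and store a manifest computed from the live source.

    The manifest is taken from the source, not the copy, so damage introduced
    during copying or while the backup sits on its media is detectable later.
    """
    shutil.copytree(source, backup_dir / "data")
    manifest_path = backup_dir / "manifest.json"
    manifest_path.write_text(json.dumps(build_manifest(source), indent=2, sort_keys=True))
    return manifest_path


def restore_and_verify(backup_dir: Path, restore_dir: Path) -> dict:
    """Restore the mirror into restore_dir, then compare every file with the manifest."""
    shutil.copytree(backup_dir / "data", restore_dir)
    expected = json.loads((backup_dir / "manifest.json").read_text())
    actual = build_manifest(restore_dir)
    missing = sorted(set(expected) - set(actual))
    extra = sorted(set(actual) - set(expected))
    corrupt = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    return {"ok": not (missing or extra or corrupt),
            "missing": missing, "extra": extra, "corrupt": corrupt}


def run_backup_test() -> tuple[dict, dict]:
    """Full drill: back up, restore cleanly, then restore from a silently damaged copy."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "ehr"
        for rel, body in SAMPLE_RECORDS.items():
            (source / rel).parent.mkdir(parents=True, exist_ok=True)
            (source / rel).write_text(body)

        backup = root / "backup-2018-01-03"
        take_backup(source, backup)
        clean = restore_and_verify(backup, root / "restore-clean")

        # Simulate bit rot on the backup media: flip one byte in a backed-up record.
        damaged = backup / "data" / "patients" / "1001.json"
        raw = bytearray(damaged.read_bytes())
        raw[0] ^= 0x01
        damaged.write_bytes(bytes(raw))
        dirty = restore_and_verify(backup, root / "restore-damaged")
    return clean, dirty


if __name__ == "__main__":
    clean_result, dirty_result = run_backup_test()
    print("clean restore:", clean_result)
    print("damaged restore:", dirty_result)
```

The verification result, with its date and the list of any missing or corrupt files, is the kind of artifact an auditor asks for as evidence that the backup process is periodically tested. Storing the manifest alongside the backup also gives the entity an integrity record independent of the backup software’s own logs, which matters when the backup system itself is what a ransomware operator has tampered with.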

Disaster Recovery Plan

A Disaster Recovery Plan for use in disasters and emergencies must be developed. Entities should review the HIPAA Risk Analysis to consider foreseeable threats, and the Disaster Recovery Plan should reasonably mitigate each identified threat. In many instances the entity needs to ensure that the plan allows workforce members to access ePHI no later than 24 hours after a disaster occurs, or within a time the entity has determined and documented as reasonable. Employees and staff must be educated about their responsibilities in emergencies when data recovery is warranted.

Emergency Mode Operation Plan

An Emergency Mode Operation Plan must be developed and documented. Entities should solicit the assistance of the vendors of the information systems that house the entity’s ePHI to devise a plan for how the entity will function during an emergency. This coordination shall include identifying alternate sites for work operations. The plan should be tested periodically, at intervals established by the entity’s risk management policy.

Testing and Revision Procedures

The Contingency Plan should be assessed and the entity should identify the need for any revisions. This testing should occur at least annually. This process, as well as any revisions that occur as a result of testing, should be documented. Testing shall include, but is not limited to, the disaster recovery plan, data backup plan and emergency operations plan.

Applications and Data Criticality Analysis

The entity must assess the relative criticality of the specific applications and data that hold or process its ePHI, so that the other components of the Contingency Plan (backup frequency, recovery order and emergency mode operations) can be prioritized around the systems patient care depends on most. This assessment should be tied to the Risk Analysis: as threats or vulnerabilities are identified there, the entity must work to resolve the identified risks, and the Risk Analysis should be developed and amended as necessary so that contingency planning and the vulnerabilities it addresses stay in step.

Where Should You Start?

  1. Develop a risk management group to oversee this process, as well as other HIPAA-related policies and procedures.
  2. Determine where your ePHI is stored and utilized in your entity.
  3. Consider threats to your ePHI (for example, fires, flooding, hurricanes, tornadoes, ransomware).
  4. Develop procedures for how your entity will respond to these threats.
  5. Test and evaluate the procedures.

Don’t Forget to Document

Some entities invest considerable time and resources considering how they will respond to disasters and emergencies. Often, they implement procedures that are communicated orally but they fail to document the procedures and fail to develop written policies. Always remember, “if it isn’t written down, it didn’t happen.” Entities must ensure that they memorialize their contingency planning efforts by implementing written policies and procedures.

The absence of a written HIPAA Contingency Plan is indicative of an entity that has 1) not undergone a HIPAA compliant Risk Analysis or 2) has undergone an inadequate HIPAA Risk Analysis. In either case, the entity’s lack of attention to such a critical process could be detrimental to the health of its patients and the entity itself.

To ensure that your entity is complying with federal regulations, please consult a health care compliance professional.

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.  www.dunsongroup.com

Posted in: HIPAA