Posts Tagged HIPAA

What Are the Top Three Concerns When Negotiating Business Associate Agreements?

Business Associate Agreements (“BAAs”) are a necessary tool for ensuring HIPAA compliance, and the negotiated terms of BAAs are becoming more and more important as we venture into an era of mass cyber attacks and related HIPAA breaches. Covered entities, such as physician practices, are required to enter into a BAA any time they hire a third-party contractor to perform a service on the covered entity’s behalf if that contractor will require the use of and/or access to the covered entity’s protected health information (“PHI”) in order to perform the service. Examples of potential business associates include accountants, attorneys, billing companies, consultants, and marketing agencies.

Although BAAs contain a large amount of standard form language, below are my top three provisions to address when negotiating a BAA:

  1. Indemnity. The indemnity provision determines whether the business associate will be responsible for costs the covered entity incurs as a result of the business associate’s actions. If the business associate violates the terms of the BAA and/or HIPAA and that violation results in a fine, penalty, investigation, claim, etc. against the healthcare provider, the indemnity provision allows the healthcare provider to pursue the business associate and recoup those costs. In short, it makes the party responsible for the incident responsible for the associated costs.
  2. Breach Reporting. Every BAA should address how quickly breaches of unsecured PHI, security incidents, and other improper uses and disclosures of patient information will be reported to the covered entity following the discovery by the business associate. I generally recommend no more than a 10-day notice period. The BAA should also specify what information will be provided in the notice, how the business associate will work with the covered entity to address the incident, and, with regard to a breach of unsecured PHI, who will be responsible for the costs of breach notification and who will provide the breach notification.
  3. De-identification of Data. De-identified data is not covered by HIPAA. Thus, if business associates are allowed to de-identify the patient data provided by a healthcare provider, they can use that data for any purpose, including a purpose directly profiting the business associate. For that reason, many healthcare providers disfavor allowing their business associates to de-identify patient data, and either prohibit de-identification entirely or limit the permitted uses and/or disclosures of de-identified data by the business associate to specific purposes (e.g., data aggregation or research).

Although it did not make my top three, the choice of law provision in a BAA is becoming more important as more and more states develop and expand breach notification requirements and the obligations surrounding the privacy and security of patient information. For providers located in Alabama, Alabama should serve as your choice of law, as the state where the patient was treated and where the medical information was generated.

Kelli Fleming is a Partner with Burr & Forman LLP and practices exclusively in the firm’s Health Care Industry Group. Burr & Forman LLP is a preferred partner with the Medical Association.

Posted in: HIPAA

The Delivery and Confidentiality Challenges in Rural Health Care Explained

Medical practices in rural settings face a host of concerns, such as how emergency protocols may differ from urban areas, difficulty in finding nurses (according to a recent Friday Letter from the Alabama Hospital Association, registered nurse is the third most in-demand occupation), and difficulty in finding appropriate training for staff.

In small towns/rural settings, where “everyone knows everyone,” confidentiality is also at the forefront, especially where patients are known by staff members.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires employees to be trained so they understand privacy procedures. According to the “Questions and Answers” section of the U.S. Department of Health & Human Services website, http://answers.hhs.gov, “the training requirement may be satisfied by a small physician practice’s providing each new member of the workforce with a copy of its privacy policies and documenting that new members have reviewed the policies; whereas a large health plan may provide training through live instruction, video presentations, or interactive software programs.” For more information, please visit the Department of Health and Human Services’ website at https://www.hhs.gov/.

Below are some tips recommended by risk management experts to lessen your risk:

Confidentiality

Written policies and procedures will help reduce the risk of a breach in patient confidentiality. To help preserve patient confidentiality, it’s important for all staff members to:

  • Never discuss cases or patients where conversations may be overheard.
  • Never leave case files, consulting reports, or any other written material regarding patients in areas where other people may inadvertently see them.
  • Only allow medical records to leave the facility when absolutely necessary.
  • Keep all patient information confidential.
  • Sign a confidentiality statement as a condition of employment and annually at the time of their performance evaluations.

In general, the HIPAA Privacy Rule (“Rule”) prevents physicians and other health care providers from using or disclosing any protected health information unless they have obtained permission from the patient or the Rule allows disclosure without the patient’s permission. HIPAA rules are voluminous, complex and can be revised yearly; it’s prudent for practices to consult their corporate attorney to help ensure HIPAA compliance. The following is a very brief overview of HIPAA with regard to the release of patient information.

Patient authorizations grant permission to release patient health information. To be considered valid, an authorization must be in plain language and include the following elements:

  • a description of the information to be released;
  • the name of the person or organization authorized to release the information (e.g., Dr. John Smith, Smallville Cardiology Clinic);
  • the name of the person or organization to receive the information (e.g., the patient’s attorney, the patient’s employer);
  • the purpose of the disclosure* (e.g., “at the request of the patient” is sufficient when the patient initiates the authorization);
  • the expiration date or event (e.g., “end of the research study,” or “at the conclusion of the subject litigation” is sufficient);
  • a statement of the patient’s right to revoke the authorization in writing;
  • a description of how the patient may revoke the authorization and exceptions to the right to revoke;
  • a statement that the physician may not condition treatment on whether the patient signs the authorization;
  • a statement acknowledging the information may be re-disclosed by the recipient and no longer protected by the Rule;
  • a signature by the patient and the date; and
  • if the authorization is signed by a personal representative, a description of the representative’s authority to act for the patient.

Patients can revoke an authorization at any time, in writing, except to the extent the practice has already acted in reliance on it. Authorizations must be retained for at least six years.

*This may be prohibited by state statute.

Access to Protected Health Information

With a few exceptions, HIPAA gives patients the right to inspect and obtain a copy of the information maintained in their record. Practices must act on a patient’s request for access within 30 days of receiving it; a single 30-day extension is permitted if the patient is given written notice of the reason for the delay and the date by which the request will be completed.

A reasonable, cost-based fee is allowed for copy requests. This fee may only include the costs of copying (supplies and labor) and postage. Many states have rules limiting the amount a practice may charge for copying a medical record. Be sure to review Alabama’s state rules regularly as some are adjusted annually.

When an attorney makes a request for records, have the physician review the request and the patient’s records so that he or she can take the appropriate action and notify his or her ProAssurance Claims Specialist. It is prudent to establish a screening process to help ensure the physician is notified of requests for records from attorneys.

Resources

The United States Department of Health and Human Services Office for Civil Rights enforces HIPAA. Its website provides helpful HIPAA compliance information and a “frequently asked questions” page on HIPAA Privacy regulations. Access the website at hhs.gov/ocr/privacy.

State Patient Confidentiality Laws

HIPAA preempts state laws that are less stringent than HIPAA, but states may enact laws that are more stringent than HIPAA. Consult your corporate attorney to ensure compliance with HIPAA and any applicable state patient confidentiality laws.

Physicians insured by ProAssurance may contact our Risk Resource department for prompt answers to risk management questions by calling (844) 223-9648 or via e-mail at RiskAdvisor@ProAssurance.com.

Posted in: Management

Can We Overhaul Our ‘Broken’ Health Data System?

COLUMBUS, Ohio – Our system for protecting health data in the United States is fundamentally broken, and we need a national effort to rethink how we safeguard this information, according to three data privacy experts writing in the New England Journal of Medicine (NEJM).

“Data scandals are occurring on a regular basis, with no end in sight,” said Efthimios Parasidis, a co-author of the NEJM article and a professor at the Ohio State University’s Moritz College of Law and College of Public Health. “Data privacy laws for health information don’t go far enough to protect individuals. We must rethink the ethical principles underlying collection and use of health data to help frame amendments to the law.”

Parasidis wrote the article with Elizabeth Pike, Director of Privacy Policy in the Office of the Chief Information Officer at the U.S. Department of Health and Human Services; and Deven McGraw, chief regulatory officer at Citizen, a company that helps people collect, organize and share their medical records digitally. Previously, McGraw was Deputy Director for Health Information Privacy at the Office for Civil Rights in the U.S. Department of Health and Human Services, and Acting Chief Privacy Officer at the Office of the National Coordinator for Health Information Technology.

Parasidis said a process analogous to the Belmont Report would be a good blueprint to follow today. The Belmont Report is one of the leading works concerning ethics and health care research. Its primary purpose is to protect subjects and participants in clinical trials or research studies. This report consists of three principles: beneficence, justice, and respect for persons.

The National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research produced the 1979 Belmont Report, which resulted in Congress passing laws to protect people who participated in medical research.

“Indignities in human subjects research compelled the government to create a commission to propose ethical guidelines for new laws. We are experiencing a rerun of what was happening then, with the scandals involving use of health data now rather than the use of human subjects,” Parasidis said. “We need an equivalent response.”

Currently, the Health Insurance Portability and Accountability Act (HIPAA) is the main law protecting the data of patients. But it doesn’t apply to many of the new companies and products that regularly store and handle customer health information, including social media platforms, health and wellness apps, smartphones, credit card companies and other devices and companies.

“All of this data held by digital health companies raises a lot of ethical concerns about how it is being used,” Parasidis said.

For example, some life insurers are offering contracts that have policyholders wear products that continuously monitor their health, and the information can be used to increase a customer’s premiums.

Most regulations require only that consumers be notified about how their information is used and give their consent.

“That system doesn’t work. Very few people read the notice and most people just click agree without knowing what they’re agreeing to,” he said.

So how can health data privacy be fixed?

One idea would be to establish data ethics review boards, which would review projects in which health data are collected, analyzed, shared or sold, according to the authors of the NEJM article.

Parasidis said such boards could function as safeguards required in both public and private settings, from university medical centers to private life insurance companies.

These boards could consider the benefits and risks of the proposed data use and consider policies governing data access, privacy and security. Members could include project developers, data analysts and ethicists, as well as people whose data would be collected.

“Right now, everything is about compliance. Companies and institutions check the boxes, fill out the forms and don’t really think about whether they’re doing the right thing,” Parasidis said.

“Deliberations about use of health data should take the ethical obligations to individuals and society into account. The law should mandate that this occurs.”

Posted in: Health

How Are HIPAA Breaches Impacting Alabama?

HIPAA enforcement reached an all-time high in 2018, with financial settlements ranging from $100,000 to $16,000,000. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for providing oversight and ensuring HIPAA compliance. Last year alone, OCR resolved a total of 25,089 complaints of HIPAA violations and required at least 632 entities to adhere to Corrective Action Plans, which document how those entities will attain and maintain compliance with all applicable components of the HIPAA regulations. While last year’s numbers set records and gained significant attention, those numbers are only expected to increase.

As compliance professionals and media outlets focus on the latest hacking incident or security breach, some may wonder how breaches of health care data are impacting the great state of Alabama. While Alabama has a population of fewer than 5 million people, it is no stranger to OCR investigations.  In fact, a look back at the last 15 years of OCR HIPAA enforcement data reflects that the same vulnerabilities that plague states with much larger populations align with issues that burden Alabama covered entities, as well.  Alabama, Florida, Minnesota, New Jersey and Ohio are identical with regard to OCR complaint resolution percentages. In these states, OCR concluded that 28% of the complaints received required corrective action on behalf of the HIPAA covered entity. Only 6 percent of complaints in these states were determined not to be violations and 66 percent of complaints were resolved after the intake and review process.

Several breaches impacting the PHI of 500+ individuals have been reported within the state of Alabama. The most recent was the 2018 breach of FastHealth Corporation, a HIPAA Business Associate which contracted with covered entities to perform website and operational services. An unauthorized third party accessed FastHealth’s web server and acquired information from their databases, impacting 1,345 Alabamians. This breach followed a previous breach by the same organization occurring in June 2017 that likewise involved their network server and affected 9,289 individuals.

While large breaches generally receive the most publicity and attention, smaller breaches can be equally as devastating. For instance, breaches involving mental health or communicable disease information can be harmful to the patient whose information was breached, even if it is just one individual. Pursuant to state statutes, breaching this type of information can open an entity up to civil liability, even if numerous individuals are not affected.

Alabama Breach Notification Statute – A Wake-Up Call

When Alabama passed the Alabama Data Breach Notification Act of 2018, many health care providers were pleased to note that there was a specific exemption for entities that were required to adhere to HIPAA. However, a careful review of the exemption language is warranted. Pursuant to Section 11, an entity that is subject to HIPAA and complies with its standards is exempt so long as it does the following:

  1. Maintain procedures pursuant to those laws, rules, regulations, procedures, or guidance.
  2. Provide notice to affected individuals pursuant to those laws, rules, regulations, procedures, or guidance.
  3. Timely provide a copy of the notice to the Attorney General when the number of individuals the entity notified exceeds 1,000.

Thus, to be exempt from the Alabama statute, HIPAA covered entities must do more than simply assert exemption status due to HIPAA regulations.  The entity must also demonstrate that it is in compliance with HIPAA.

New Day for Breach Notification Rule Adherence

According to Linda Sanches, Senior Advisor for HIT & Privacy at OCR, it is going to be tougher for entities to conceal breaches. It has come to the attention of OCR that there are HIPAA covered entities who do not report their breaches and have found success staying “under the radar of HIPAA enforcement.” However, Ms. Sanches announced at the 2019 Health Care Compliance Conference that OCR was not only considering more severe action against entities that did not follow the regulations but that in the future OCR would be monitoring news reports, interviewing former and disgruntled employees and devoting more resources to seeking out entities that disregarded the regulations.

Alabama covered entities face the same federal regulatory authority as those in any other state, regardless of size, population or economy. Thus, it is important for health care providers to understand the requirements and ensure that their entity and their workforce are aware of the regulations and how those regulations impact their organization. The most recent national trends on the location and type of breaches from 2018 can be reviewed in the charts below.

Article contributed by Samarria Dunson, J.D., CHC, CHPC, attorney/principal of The Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Ala.  Attorney Dunson is also Of Counsel with the law firm of Balch & Bingham, LLP.  The Dunson Group, LLC, is an official partner with the Medical Association.

Posted in: HIPAA

HHS Lowers Annual Limits of Penalties for HIPAA Violations

Published in the Federal Register on April 30, 2019, the Department of Health and Human Services (“HHS”) issued a notification to inform the public that HHS is exercising its discretion in how it applies regulations concerning the assessment of civil money penalties (“CMPs”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as those provisions were amended by the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”).

In February 2009, Congress enacted the HITECH Act which, among other things, strengthened HIPAA enforcement by increasing minimum and maximum potential CMPs for HIPAA violations. Section 13410(d) of the HITECH Act established four categories for HIPAA violations, with increasing penalty tiers based on the level of culpability associated with the violation:

  1. the person did not know (and, by exercising reasonable diligence, would not have known) that the person violated the provision;
  2. the violation was due to reasonable cause, and not willful neglect;
  3. the violation was due to willful neglect that is timely corrected; and
  4. the violation was due to willful neglect that is not timely corrected.

Although the HITECH Act set forth different annual penalty caps for each tier (for all violations of an identical requirement or prohibition in a single year), HHS determined that the language of the penalty provisions was conflicting and appeared to reference two levels of penalties for three of the four tiers. As a result, HHS concluded that the most logical reading of the law was to apply the highest annual cap of $1.5 million to each tier of violation and that this interpretation was consistent with Congress’ intent to strengthen enforcement.

On January 25, 2013, HHS adopted a final rule that applied the annual limit of $1.5 million to all tiers of violation types, as shown in the chart below:

Upon further review by the HHS Office of the General Counsel, HHS has now determined that the better reading of the HITECH Act is to apply annual limits as shown in the chart below:

HHS is expected to engage in future rulemaking to revise the penalty tiers to better reflect the text of the HITECH Act. Until further notice, HHS stated that it will use the new tier structure shown in the chart immediately above, as adjusted for inflation.

Article contributed by Anthony Romano, a partner with Burr & Forman LLP practicing in the firm’s Health Care Industry Group. Burr & Forman LLP is an official partner with the Medical Association.

Posted in: HIPAA

How Can You Ensure Your Email is Safe and HIPAA Compliant?

Free email providers like Gmail, Yahoo, and MSN are expedient and easy to set up, which is why some healthcare providers rely on them. While you could stretch to argue that these services can be configured to be “HIPAA capable,” none of them is regarded as HIPAA compliant by security experts, and failing to implement the safeguards HIPAA requires can lead to avoidable violations and costly fines.

What Makes Email Vulnerable?

We all send countless emails every day without thinking about it. But from a technical and security perspective, there are several links in the chain, and each one is a point where a message can be intercepted or exposed. Once an email is sent, it moves from your workstation to your email server, then on to your recipient’s email server, and finally the recipient’s workstation pulls the message down from that server. Along the way, a copy of the email is stored on each workstation and server it passes through.

To satisfy HIPAA requirements, protected health information must be secured both at rest and in transit. That means your messages must be protected while they sit on workstations and servers, and also while they travel to the intended recipient’s inbox. There are paid services, like Google’s G Suite, that claim to be HIPAA compliant, but they do not guarantee that your email is encrypted all the way to the recipient’s inbox: encryption between mail servers depends on what the receiving server supports. If your email is not secured in transit, it is susceptible to interception.
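A quick way to see the chain of hops described above on a real message is to read its Received: headers. The following is an added example, not code from the original article or from any email product it mentions, written in standard-library Python: it parses a constructed sample message, lists each hop in the order the message travelled, and flags any hop whose “with” keyword (RFC 3848) or TLS comment shows no evidence of encryption in transit. The hostnames, message IDs, timestamps and the unencrypted middle hop in the sample are all constructed for illustration.

```python
"""Audit the Received: chain of a saved email to see which hops used TLS.

Added example; not code from the original article or any product it names.
Each mail server that relays a message prepends a Received: header. The
"with" keyword in that header (RFC 3848) records the protocol used on that
hop: ESMTPS / ESMTPSA mean the connection was protected by TLS, while a
plain SMTP / ESMTP keyword means the message crossed that link in cleartext.
Many servers also add a "(version=TLS1_2 cipher=...)" comment. This checks
transit protection only; it says nothing about how each server stores the
message once it has it.
"""
import email
import re

# RFC 3848 / RFC 6531 "with" keywords that imply the hop was TLS-protected.
TLS_WITH_KEYWORDS = {
    "ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
    "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA",
}

_COMMENT_RE = re.compile(r"\([^)]*\)")          # "(host [ip])" style comments
_FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
_BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
_WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.IGNORECASE)
_TLS_COMMENT_RE = re.compile(r"version=TLS", re.IGNORECASE)

# Constructed sample: a referral sent from a practice workstation, relayed by
# the practice's outbound server to the recipient clinic's MX and then to the
# clinic's internal mailbox server. Hostnames/IPs are documentation ranges.
# The middle hop (server to server) negotiated no TLS.
SAMPLE_MESSAGE = """\
Received: from mx.recipient-clinic.example (mx.recipient-clinic.example [192.0.2.20])
\tby mail.recipient-clinic.example with ESMTPS id 4a1b2c
\t(version=TLS1_2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256/256)
\tfor <nurse@recipient-clinic.example>; Mon, 6 May 2019 09:15:01 -0500
Received: from smtp.sender-practice.example (smtp.sender-practice.example [198.51.100.5])
\tby mx.recipient-clinic.example with ESMTP id 7d8e9f;
\tMon, 6 May 2019 09:15:00 -0500
Received: from workstation-7.sender-practice.example ([10.0.0.42])
\tby smtp.sender-practice.example with ESMTPSA id 1g2h3i;
\tMon, 6 May 2019 09:14:58 -0500
From: Dr. Smith <dr.smith@sender-practice.example>
To: nurse@recipient-clinic.example
Subject: Referral
Content-Type: text/plain; charset="utf-8"

Referral details follow.
"""


def parse_received_hops(raw_message):
    """Return the hops in transit order, oldest first.

    Each hop is a dict with 'from', 'by', 'protocol' and 'tls'. Relays
    prepend their header, so the top Received: line is the newest; the
    list is reversed to read in the order the message actually travelled.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        text = " ".join(str(value).split())            # unfold continuation lines
        tls_comment = bool(_TLS_COMMENT_RE.search(text))
        clauses = _COMMENT_RE.sub(" ", text)           # drop "(...)" comments
        from_m = _FROM_RE.match(clauses)
        by_m = _BY_RE.search(clauses)
        with_m = _WITH_RE.search(clauses)
        protocol = with_m.group(1).upper() if with_m else None
        hops.append({
            "from": from_m.group(1).rstrip(";,") if from_m else None,
            "by": by_m.group(1).rstrip(";,") if by_m else None,
            "protocol": protocol,
            "tls": protocol in TLS_WITH_KEYWORDS or tls_comment,
        })
    return hops


def cleartext_hops(raw_message):
    """Hops with no evidence of TLS: the links where the message was exposed."""
    return [hop for hop in parse_received_hops(raw_message) if not hop["tls"]]


if __name__ == "__main__":
    for number, hop in enumerate(parse_received_hops(SAMPLE_MESSAGE), 1):
        state = "TLS" if hop["tls"] else "CLEARTEXT"
        print(f"hop {number}: {hop['from']} -> {hop['by']} via {hop['protocol']} [{state}]")
```

Run it against a message saved from your own mail client (most clients export a .eml file) to see which links your mail actually crosses in the clear. Received: headers are written by each relay and can be omitted or forged by an untrusted party, so treat the output as an audit of your own mail flow rather than as proof, and remember that a TLS hop still leaves a readable copy on the server at each end.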

The Business Associate Aspect

A big issue with free email providers is the lack of a business associate agreement. As a responsible health care provider, you must have a signed agreement with any third-party vendor that handles your protected health information. This means your email and file sharing services must sign a business associate agreement before you can use them for patient information in a HIPAA-compliant way. Unfortunately, this isn’t possible with free email providers, and taking a chance on one could have costly and disastrous consequences.

Phoenix Cardiac Surgery found this out the hard way in 2012, when it agreed to pay the Department of Health and Human Services $100,000 to settle HIPAA violations. Among the failures uncovered by the Office for Civil Rights’ investigation, the practice had transmitted electronic protected health information to its employees’ private email accounts using an internet-based email service and had posted sensitive data on a publicly accessible, internet-based calendar service. Phoenix Cardiac Surgery had no business associate agreement in place with these vendors, which violates the HIPAA Privacy and Security Rules.

The Best Way To Secure Your Email

At PCIHIPAA, we offer an email add-on that encrypts your emails and integrates with Outlook, Gmail, and other popular email providers. It’s easy to use, as it allows you to send messages as you normally would. Your recipients can view your messages in any browser without installing software. With our HIPAA-compliant email solution, you can track and verify that your email has been received by the intended patient. We use end-to-end encryption, which ensures that cybercriminals cannot read your sensitive data even if they intercept it.

We’ve all heard horror stories about protected health information being compromised via email. It’s simply not worth risking HIPAA violations and fines to use an unsecured email provider.

Call us today at 800-588-0254 and let us know you’re a Medical Association of the State of Alabama member to find out how we can set up an email solution that gives your practice peace of mind and 100% assurance of being HIPAA compliant.

Posted in: HIPAA

The Painful Reality of Ransomware and How to Protect Against It

Imagine if in a split second you were unable to access all of your patients’ health care records. A cruel ransomware attack had locked you out of your computer system, and in order to regain your precious data you needed to pay a cybercriminal’s demand in bitcoin.

Unfortunately, by the time you finish reading this article, several businesses in the U.S. will have experienced this dreadful reality. Most commonly the disaster begins when someone opens a malicious email attachment and the malware spreads through the network.

Health care providers have a significantly higher risk of being targeted by ransomware. The reason for this is simple: you possess a large amount of data that is valuable to cybercriminals. In addition, hackers know you need to access medical records, digital x-rays, and test results to provide medical services to your patients. This, they hope, will motivate you to meet their demands to get your protected health information back.

A sudden disruption to a business proves to be a strong impetus. Nearly three-quarters of businesses infected by ransomware pay up to recover their data. Studies show, however, that less than half of them receive the necessary decryption key to unlock their data. The good news is there’s a simple, secure solution to avoid going through this painful scenario.

Ironclad Data Protection

Many practices don’t have the expertise, time or resources to deal with a ransomware attack. Many feel confident that their IT service provider has addressed security and backup needs in the event of a disaster. As a leading provider of HIPAA compliance software, we know of several cases where a practice’s IT provider has not properly backed up their system. This can put you in the unenviable position of having to deal with unsavory cybercriminals. Here’s how our OfficeSafe software protects your data with a secure online backup storage service and alleviates worries about a ransomware attack.

We provide a HIPAA compliant data backup solution with 256-bit encryption and SQL database restoration. This makes backing up and restoring your practice’s crucial data easy. In the event of a ransomware attack, you’ll have ten days of data backup, enabling your practice to easily find a clean data backup set. This is critically important. If your practice doesn’t have the capability to reinstate your data to multiple restore points in the past, you don’t have a sufficient disaster recovery solution.

OfficeSafe’s centralized management portal is designed for healthcare service providers and goes beyond file-and-folder backups, delivering a secure hybrid local and cloud solution. With our point-to-point encryption, you can use your existing email address to send messages via Gmail and other popular email client services. OfficeSafe also includes an emergency planning tool that helps members of your team expedite their response to unexpected situations.

Under HHS guidance on ransomware and the HIPAA Breach Notification Rule, a ransomware infection that encrypts protected health information on your computer systems or those of a business associate is presumed to be a reportable breach: you must notify the affected patients and the government, and if more than 500 residents of a state or jurisdiction are affected, you must alert prominent media outlets as well. The presumption can be rebutted only if you can demonstrate, through a documented risk assessment, a low probability that the protected health information was compromised. Don’t let an unexpected incident cripple your business and tarnish your practice’s reputation.

Call us today at (800) 588-0254 or find out how we can work alongside your IT team to provide your business with full data protection in the event of a disaster.

Posted in: Technology

Think Your Practice Management Software Makes You HIPAA Compliant?

Complying with HIPAA security standards is a complex matter that demands a comprehensive solution. As a busy healthcare provider, it’s easy and convenient to trust that your practice management software satisfies the necessary HIPAA requirements to keep your electronic medical records safe. But the truth is, in most cases, it doesn’t.

A False Sense of Security

It is a common misconception that electronic health record (EHR) systems make your practice HIPAA compliant. Companies claim they provide tools that support compliance for technical safeguards. That is a good thing, but technical safeguards are only one component needed to protect electronic protected health information. The HIPAA Security Rule requires two other components: administrative safeguards and physical safeguards. Administrative safeguards include the policies and procedures that HIPAA requires and the critically important business associate agreements. Physical safeguards control physical access to the facilities, workstations and devices that hold your data. The platform you use to manage your practice might tout that its cloud-based system provides encryption and protection from ransomware. Great, but the question is: does it cover all of the crucial aspects needed for HIPAA compliance? Read this next sentence twice. Using practice management software that purports to be HIPAA compliant does not make your practice compliant.

Unfortunately, when it comes to HIPAA compliance, a false sense of security can be dangerous. The violation fines for not following the guidelines enforced by the Department of Health and Human Services’ Office for Civil Rights are costly and can irreparably damage your practice’s reputation. In 2018 alone, HIPAA fines topped $28 million. By not properly protecting your electronic health records, you increase the likelihood of a cyberattack. Being hacked might strike you as a random, unlikely occurrence, but statistics tell a different story. According to a 2016 Lloyd’s Report, 92% of businesses experienced a data breach within a five-year period.

A Complete HIPAA Solution

PCIHIPAA is an industry leader in HIPAA compliance and data breach protection. We alleviate the angst and uncertainties associated with HIPAA compliance with a powerful tool called OfficeSafe. Here’s how our software solution protects your electronic medical records and supports HIPAA compliance:

  • Comprehensive Risk Assessment – A risk assessment is an annual audit required under the HIPAA Security Rule. Our audit of your practice’s protected health information produces a 22-page report, identifying the potential risks and vulnerabilities to your practice.
  • Easy Creation of Policies and Procedures – HIPAA regulatory standards mandate that covered entities and business associates develop policies and procedures. OfficeSafe makes regularly updating your policies and procedures easy, ensuring that your staff is informed on important issues such as governing access to electronic protected health information and identifying malicious software attacks.
  • Online Employee Training – Improperly trained employees can lead to reckless handling of electronic protected health information and costly HIPAA fines. We take this time-consuming task off of your plate and ensure that your staff understands exactly what is required by HIPAA law.
  • Crucial Business Associate Agreements – Every vendor and individual you share protected health information with must have a business associate agreement. OfficeSafe makes creating and securely executing these agreements simple and convenient.
  • $500,000 Cyber Insurance Coverage – Our guaranteed expense reimbursement policy for HIPAA violations covers a range of first and third party exposures, including both physical and non-physical risks. In the event of a HIPAA fine, data breach, or cyberattack, we’ll protect your practice from lost revenue and prevent an interruption to your business.
  • Email Encryption and Encrypted Cloud-Based Data Backup – At PCIHIPAA, keeping your data secure is our top priority. Our data backup solution is HIPAA compliant with 256-bit encryption and SQL database restoration capabilities. It enables you to distribute confidential protected health information without worry of ransomware or an unexpected incident.
  • Incident Response Management – Do you have a plan in place in the event of a hurricane, fire, or ransomware attack? Proper preparation—including a data backup plan, a data restoration plan, and an emergency mode operations plan—is a necessity. With OfficeSafe, once you report an incident we’ll work with your IT provider to mitigate the damage and get your business back on track.
  • PCI Certification – PCI is part of our company name for a good reason. As part of our compliance program, we help you complete the Payment Card Industry (PCI) requirements. Our PCI Compliance program also includes quarterly scans of your network.

The dark web is getting smarter. Not fully and properly securing and maintaining your patients’ medical records is a mistake your business can’t afford to make. The good news is that peace of mind for your practice and your patients is a click away. Take a complimentary HIPAA Assessment right now, and be on your way toward total HIPAA compliance.

Record Year for HIPAA Enforcement

In the current environment of regulation reduction, it is notable that the Department of Health and Human Services (HHS) received a record $28.6 million in publicized settlements and judgments for HIPAA violations in 2018. These numbers surpass previous years, with the closest year on record being 2016, in which HHS collected $23.5 million. These numbers reflect that HIPAA enforcement actions are on the rise.

There are several factors that are leading to this increase in fines:

  1. A lack of understanding about what encompasses an adequate HIPAA Risk Assessment;
  2. Failure to attain Business Associate Agreements when applicable;
  3. Failure to comply with physical, technical and administrative safeguards to secure protected health information (PHI); and
  4. Failure to implement encryption solutions or alternative adequate measures.

It is important to note that this record-setting total does not encompass all of the enforcement action taken by HHS against covered entities in 2018. These numbers simply represent the larger, more notable settlements and judgments. In fact, HHS took corrective action against countless health care providers, health plans and business associates last year, and it does not appear that these numbers will decrease in 2019. As of February 22, 2019, HHS has officially begun investigating over 50 entities for large-scale breaches. For more information on these investigations of breaches affecting 500 individuals or more, visit the Wall of Shame on the HHS website. Pursuant to the HITECH Act of 2009, the Secretary of HHS is required to post information about entities that breach the PHI of 500 people or more, to provide transparency to health care consumers.

Health care providers can take action to reduce their risk by doing the following:

  1. Performing annual Risk Assessments;
  2. Identifying Business Associates and entering into adequate Business Associate Agreements;
  3. Creating and updating HIPAA policies and procedures;
  4. Ensuring that employees and staff members receive up-to-date training; and
  5. Proactively monitoring electronic systems containing PHI.

This uptick in penalties illustrates that HHS is serious about its mandate to protect the privacy and security of PHI. Its record demonstrates that it can be successful at attaining multi-million dollar settlements with health care entities and health plans that don’t comply with HIPAA regulations. This is a good time for health care providers and HIPAA Business Associates to review their compliance programs to ensure that they are meeting the requirements. In HIPAA compliance, the lack of a specific strategy to secure PHI is an actionable failure that could result in a large fine and a loss of goodwill with the entity’s customers, its patients. If you are unsure whether your HIPAA compliance program is adequate, or if you know that it is time to update your policies, procedures and training, consult a health care compliance expert.

Article contributed by Samarria Dunson, J.D., CHC, CHPC, attorney/principal of The Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Ala. Attorney Dunson is also Of Counsel with the law firm of Balch & Bingham, LLP. The Dunson Group, LLC, is an official partner with the Medical Association.

Speak Up! HHS Wants to Hear from YOU!

The Department of Health and Human Services Office for Civil Rights (OCR) wants to hear from health care providers, business associates and members of the public about how it can best modify the HIPAA regulations. On Dec. 12, 2018, OCR issued a Request for Information (RFI), asking the public for comments on how the regulations can best facilitate continuity of care and decrease regulatory burdens.

“We are looking for candid feedback about how the existing HIPAA regulations are working in the real world and how we can improve them,” said OCR Director Roger Severino. “We are committed to pursuing the changes needed to improve quality of care and eliminate undue burdens on covered entities while maintaining robust privacy and security protections for individuals’ health information.”

OCR is looking for feedback in the following areas:

  • Promoting information sharing for treatment and care coordination and/or case management by amending the Privacy Rule to encourage, incentivize, or require covered entities to disclose PHI to other covered entities.
  • Encouraging covered entities, particularly providers, to share treatment information with parents, loved ones, and caregivers of adults facing health emergencies, with a particular focus on the opioid crisis.
  • Implementing the HITECH Act requirement to include, in an accounting of disclosures, disclosures for treatment, payment, and health care operations (TPO) from an electronic health record in a manner that provides helpful information to individuals, while minimizing regulatory burdens and disincentives to the adoption and use of interoperable EHRs.
  • Eliminating or modifying the requirement for covered health care providers to make a good faith effort to obtain individuals’ written acknowledgment of receipt of providers’ Notice of Privacy Practices, to reduce burden and free up resources for covered entities to devote to coordinated care without compromising transparency or an individual’s awareness of his or her rights.

Additionally, OCR is encouraging health care providers, business associates and members of the public to answer 54 questions that relate to their experiences working with health care data to determine which aspects of the regulations are necessary and which may be overly burdensome.

The RFI can be viewed by clicking on the following link: https://www.govinfo.gov/content/pkg/FR-2018-12-14/pdf/2018-27162.pdf

The deadline for comment is Feb. 12, 2019. OCR has provided the following methods to submit comments:

  • Federal eRulemaking Portal: You may submit electronic comments at http://www.regulations.gov by searching for the Docket ID number HHS-OCR-0945-AA00. Follow the instructions for sending comments.
  • Hand-Delivery or Regular, Express, or Overnight Mail: U.S. Department of Health and Human Services, Office for Civil Rights, Attention: RFI, RIN 0945-AA00, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue SW, Washington, DC 20201.

Instructions: All submissions received must include “Department of Health and Human Services, Office for Civil Rights RIN 0945-AA00” for this RFI. All comments received will be posted without change to http://www.regulations.gov, including any personal information provided.

As a compliance professional, I will be submitting comments on areas that impact my clients on Feb. 8, 2019. If you have questions or concerns, feel free to contact me, and I’ll be happy to discuss your concerns or include your inquiry in my comments. I can be reached toll-free at 1-888-959-9501 or at Samarria@dunsongroup.com.

Article contributed by Samarria Dunson, J.D., CHC, CHPC, attorney/principal of The Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Ala. Attorney Dunson is also Of Counsel with the law firm of Balch & Bingham, LLP. The Dunson Group, LLC, is an official partner with the Medical Association.
