Posts Tagged HIPAA

Does Inflation Have an Impact on HIPAA Violations?

Does Inflation Have an Impact on HIPAA Violations?

Health care providers are generally aware that non-compliance with the Health Insurance Portability and Accountability Act can be costly.  In 2013, when the Department of Health and Human Services (HHS) initiated penalties pursuant to the HIPAA Final Omnibus Rule, the health care industry was abuzz about the impact that these civil monetary penalties could have on their entities if they did not comply with federal regulations. But many providers are not aware that those sanction amounts have increased due to inflation.

With bipartisan support, the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015 (yes, the wording is really that awkward) was passed to allow federal agencies to adjust their civil monetary penalties annually to keep up with inflation.  Congress reasoned that this increase would “improve the effectiveness of civil monetary penalties and maintain the deterrent effect of such penalties.”

So how does this Act impact HIPAA penalties in 2018?

The easiest way to demonstrate the gravity of these changes is to view the initial penalties issued in 2013 and compare it to the penalties available to HHS in 2018.  A cursory glance reflects the opportunity to impose steeper fines.

How can you keep up with the changes?

Readers of the Rotunda and Alabama Medicine will be regularly informed of changes to HIPAA civil monetary penalties by Dunson Group, LLC.  Additionally, federal agencies are required to publish their annual inflation adjustments in the Federal Register by January 15 of each year.  Information on specific HIPAA violations may be found under the Office of Civil Rights (OCR) category of the Electronic Code of Federal Regulations.

 

Article contributed by Samarria Dunson, J.D., CHC, CHPCattorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama. Find more of Ms. Dunson’s contributions on her partnership page

Posted in: HIPAA

Leave a Comment (0) →

This is How HIPAA Compliance Can Save Your Practice in 30 Minutes…

This is How HIPAA Compliance Can Save Your Practice in 30 Minutes…

How You Can Save Your Practice in 30 Minutes

Avoid headaches and penalties from a U.S. Department of Health and Human Services investigation. Most HIPAA fines are neutralized by having a risk assessment and corrective action plan on file.

ASSESS YOUR VULNERABILITIES

 

Overlooking Risk Leads to Breach and $400,000 Settlement

OCR’s investigation revealed that MCPN took necessary corrective action related to the phishing incident; however, the investigation also revealed that MCPN failed to conduct a risk analysis.


 

Five Breaches Add Up to $3.5 Million in Settlement Costs for Entity that Failed to Heed HIPAA’s Risk Analysis and Risk Management Rules

OCR’s investigation revealed a failure to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all its ePHI.


 

Abandon or Disposal of Protected Health Information Leads to $125,000 Settlement

Evidence obtained by OCR during its investigation revealed Cornell’s failure to implement any written policies and procedures as required by the HIPAA Privacy Rule. Cornell also failed to provide training on policies and procedures to its workforce as required by the Privacy Rule.

Not protecting the privacy and security of your patient information leads to non-compliance fines, data breaches and reputational risk.

Practices are responsible for patient’s protected health information no matter the consequences.

 

OfficeSafe offers a complete HIPAA Compliance Solution keeping your office up-to-date on HIPAA Compliance regulations:

  • Online Employee Training and Webinars
  • Encrypted Data Storage
  • Business Associate Agreements
  • HIPAA Policies and procedures
  • Identity Theft Protection
  • $250,000 Data Insurance Coverage
  • And more…

 

PROTECT YOUR PRACTICE FROM PENALTIES AND FINES

Get on the path to compliance in less than 60 days

 

Let PCIHIPAA know you are a member of the Medical Association of the State of Alabama and claim:

  1. Complimentary 2018 HIPAA Risk Assessment Now MandatorySection 164.308(a)(1)(ii)(A)
  2. A 23-Page Risk Analysis Report
  3. A Free 30-Minute HIPAA Risk Consultation
  4. 1 Year of Free Identity Restoration Protection

PCIHIPAA  |  Products & Services  |  800-588-0254  |  pcihipaa@pcihipaa.com

PCIHIPAA takes the guesswork out of HIPAA Compliance.
We make sure HIPAA and PCI Compliance is simple and easy to manage.
We work with 1,000’s of practices like yours.
A+ rating with the BBB.

Posted in: HIPAA

Leave a Comment (0) →

Are Your Electronic Devices Physically Secure?

Are Your Electronic Devices Physically Secure?

In the age of electronic medical records and ransomware attacks, recent focus with regard to HIPAA compliance seems to be on electronic security. How are your electronic medical records stored? Do you require two-factor authentication to access your electronic system remotely? What firewalls and malware detection systems do you have in place to prevent a cyber-attack?

However, in the May 2018 OCR Cyber Security Newsletter, the Office of Civil Rights (OCR) reminded providers that, in the midst of electronic security, appropriate physical security controls are also an important component. The HIPAA Security Rule requires that all workstations (including laptops, desktops, tablets, smartphones and portable electronic devices) accessing PHI must have physical safeguards in place to restrict access to authorized users.

According to OCR, the following methods may be helpful in achieving compliance with this requirement: privacy computer screens, cable locks, port and device locks (preventing access to USB ports or removable devices), positioning work screens in a manner in which they cannot be viewed, locking rooms that store electronic equipment, security cameras and security guards. Of course, which methods are appropriate for each provider will vary based on the provider’s risk analysis and risk management process.

In reviewing the physical security of electronic devices, OCR recommends that providers ask the following questions:

  • Is there a current inventory of all electronic devices (i.e., computers, portable devices, electronic media) including where such devices are located?
  • Are any devices located in public areas or other areas that are more vulnerable to theft, unauthorized use, or unauthorized viewing?
  • Should devices currently in public or vulnerable areas be relocated?
  • What physical security controls are currently in use (i.e., cable locks, privacy screens, secured rooms, cameras, guards, alarm systems) and are they easy to use?
  • Could additional physical security controls be reasonably put into place?
  • Are policies in place and employees properly trained regarding physical security (i.e., use of cable locks and privacy screens)?
  • Are signs posted reminding personnel and visitors about physical security policies or monitoring?

A copy of the May 2018 OCR Cyber Security Newsletter is available at https://www.hhs.gov/sites/default/files/cybersecurity-newsletter-may-2018-workstation-security.pdf.

Kelli Fleming is a Partner with Burr & Forman LLP practicing in the firm’s Health Care Industry Group. Burr & Forman LLP is a partner with the Medical Association.

Posted in: Technology

Leave a Comment (0) →

You Can Avoid a HIPAA Fine. Here’s What You Need to Know.

You Can Avoid a HIPAA Fine. Here’s What You Need to Know.

Did you know the government has strengthened its ability to enforce HIPAA law, which now includes fines reaching up to $50,000 per violation with a maximum of $1.5 million in annual penalties? With the increasing rates of cyberattacks and patient data breaches specifically targeting the health care industry, could you afford to pay a penalty if your practice was hit with one or more of these penalties? What about your patients’ records? If your practice incurred a breach, could you guarantee the safety of those medical records?

Without the proper safeguards in place, your patient information can easily fall into the wrong hands, exposing your practice to large governmental fines and risk to your reputation. The Medical Association recently partnered with PCIHIPAA to help our member physician practices take the precautions necessary to ensure their HIPAA compliance.

As a member of the Medical Association, you will receive from PCIHIPAA:

  • A complimentary 2018 HIPAA Risk Assessment, which is now mandatory under federal law. Take the assessment online at pcihipaa.com/Alabama
  • A 23-page Risk Analysis Report
  • A free 30-minute HIPAA Risk Consultation
  • One year of free Identity Restoration Protection through PCIHIPAA’s OfficeSafe program
  • A free HIPAA Checklist at http://pcihipaa.com/checklist/alabama

Following the review of your Risk Assessment, PCIHIPAA will demonstrate its comprehensive HIPAA compliance program, which includes a $250,000 data breach and network security policy.

There is no obligation to take the Risk Assessment, online review or to receive the free year of identity restoration protection. However, the Risk Assessment is mandatory by federal law, and not having one on file is a violation of HIPAA. Take the 2018 HIPAA Risk Assessment.

Want to know more about PCIHIPAA? Call (800) 588-0254 and mention you are a member of the Medical Association of the State of Alabama to receive a discounted rate.

PCIHIPAA is a preferred partner of the Medical Association. Learn more about PCIHIPAA.

Posted in: HIPAA

Leave a Comment (0) →

The HIPAA Horizon: What Changes Can We Look Forward to in the Near Future?

The HIPAA Horizon: What Changes Can We Look Forward to in the Near Future?

The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) oversees compliance with the Health Insurance Portability and Accountability Act (HIPAA). Specifically, this entity is charged with ensuring that HIPAA-covered entities adhere to the HIPAA Privacy, Security and Breach Notification Rules.

On Jan. 30, 2017, Pres. Trump issued an order referred to as the “Executive Order for Reducing Regulation and Controlling Regulatory Costs.”  This became known as the “2-for-1 Executive Order.” This order required all federal agencies to cut two existing regulations for every proposed new regulation.

Many health care compliance professionals have been interested to learn how HHS OCR would respond to this challenge. There was significant curiosity about how this mandate would change the way HHS OCR was able to protect patient rights and whether they would be able to continue to develop regulations to protect the confidentiality, integrity and availability of patient records during a period of when ransomware scares and identity theft challenges are more and more prevalent.

It appears the industry has received their answer. At the HIPAA Summit, OCR Director Roger Severino announced, “The HHS Office for Civil Rights is planning to make some changes to the HIPAA Privacy Rule and enforcement regulations but will ask first for input from the health care sector and the public before making possible modifications.”

The proposed rule or Notice of Proposed Rule Making (NPRM) is the official document that announces and explains the agency’s plan to address a problem or accomplish a goal. All proposed rules must be published in the Federal Register to notify the public and to give them an opportunity to submit comments. The proposed rule and the public comments received on it form the basis for the final rule.[1]

HHS OCR has not officially posted the notice of proposed rulemaking for 2018, however, compliance professionals have been given a heads up on what to expect this year. HHS OCR is planning to submit notice of proposed rulemaking (NPRM) in at least the following three areas:

Good Faith of Health Care Providers. This would allow health care providers to share information with an incapacitated patient’s family members without patient authorization so long as the health care provider believes in “good faith” that making the disclosure is in the best interest of the patient.

Request for Information on Distribution of a Percentage of Civil Monetary Penalties or Monetary Settlements to Harmed Individuals. Historically, money collected from HIPAA fines and settlements have not been shared with the individual whose information was compromised. HHS OCR will be seeking comments on what the public thinks will be the best way to allow “victims” of HIPAA violations to be able to share in the money the agency receives as a result of enforcement actions.

Changing Requirements to Obtain Acknowledgment of Receipt of Notice of Privacy Practices. HIPAA-covered entities are currently required to have patients sign an acknowledgment form, which confirms they have been provided with a copy of the entity’s Notice of Privacy Practices. Entities are required to keep copies of those acknowledgment forms for a period of six years. However, patients also have the right to refuse to sign the acknowledgment form, and providers cannot refuse service based on a patient’s refusal to sign the acknowledgment. Potentially, this requirement may be stricken from the regulations or altered to alleviate the administrative burden associated with the current requirement.

In addition to proposed rulemaking, HHS OCR intends to provide long-awaited guidance to the health care industry specifically on encryption, social media and texting.

[1] “A Guide to the Rulemaking Process,” Office of the Federal Register.

Article contributed by Samarria Dunson, J.D., CHC, CHPCattorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama. Find more of Ms. Dunson’s contributions on her partnership page

Posted in: HIPAA

Leave a Comment (0) →

Medical Association Chooses PCIHIPAA to Help Benefit and Protect Its Members

Medical Association Chooses PCIHIPAA to Help Benefit and Protect Its Members

MONTGOMERY – The Medical Association of the State of Alabama has partnered with PCIHIPAA to help protect its members from the onslaught of ransomware attacks, HIPAA violations and data breaches impacting Alabama physicians. Under HIPAA’s Security and Privacy Rules, health care providers are required to take proactive steps to protect sensitive patient information.

“The Medical Association services more than 7,000 Alabama physicians. It’s critical that our members understand the risks surrounding HIPAA compliance and patient data privacy and security laws. We vetted many HIPAA compliance providers and believe PCIHIPAA’s OfficeSafe Compliance Program is the right solution for Alabama physicians. PCIHIPAA’s compliance program is robust and easy to implement. I’m confident our partnership will provide a necessary, value-added program for our members.” said Association President Jerry Harrison M.D.

The partnership comes on the heels of an important announcement surrounding HIPAA compliance regulation. The Director of U.S. Department of Health and Human Services’ Office for Civil Rights recently stated, “Just because you are a small medical or dental practice doesn’t mean we’re not looking and that you are safe if you are violating the law. You won’t be.” In addition, in 2017 hacking and employee errors led to data breaches at Alabama-based Surgical Dermatology Group, UAB Viral Hepatitis Clinic and The University of Alabama, supporting the importance of HIPAA compliance and patient data protection.

According to the U.S. Department of Health and Human Services, OCR has received over 150,000 HIPAA complaints following the issuance of the Privacy Rule in April 2003. A rising number of claims filed under HIPAA in recent years have led many patients to question whether or not their personal payment and health information is safe. As the government has become more aggressive in HIPAA enforcement, large settlements have become widespread and rising penalties for HIPAA non-compliance are a reality.

According to HHS.gov, the types of HIPAA violations most often identified are:

  1. Impermissible uses and disclosures of protected health information (PHI)
  2. Lack of technology safeguards of PHI
  3. Lack of adequate contingency planning in case of a data breach or ransomware attack
  4. Lack of administrative safeguards of PHI
  5. Lack of a mandatory HIPAA risk assessment
  6. Lack of executed Business Associate Agreements
  7. Lack of employee training and updated policies and procedures

“We are honored to be partnering with The Medical Association of The State of Alabama. They have a 140-year track record of helping Alabama physicians thrive. PCIHIPAA’s mission is to help physicians easily and affordably navigate HIPAA requirements and provide the solutions they need to protect their practices. We find that many practices don’t have the resources to navigate HIPAA law, and are unaware of common vulnerabilities. We encourage all association members to take a complimentary risk assessment to quickly assess their HIPAA compliance and risk levels. To get started go to Start Risk Assessment.” said Jeff Broudy, CEO of PCIHIPAA.

##

 

 

 

About PCIHIPAA
PCIHIPAA is an industry leader in PCI and HIPAA compliance providing turnkey, convenient solutions for its clients. Delivering primary security products to mitigate the liabilities facing dentists and doctors, PCIHIPAA removes the complexities of financial and legal compliance to PCI and HIPAA regulations to ensure that health and dental practices are educated about what HIPAA laws require and how to remain in full compliance. Learn more at OfficeSafe.com and PCIHIPAA.com.

Posted in: MVP

Leave a Comment (0) →

HIPAA Guidance for Mass Shootings and Other Tragic and Emergency Situations

HIPAA Guidance for Mass Shootings and Other Tragic and Emergency Situations

In the aftermath of one of the deadliest school shootings in U.S. history, many health care organizations are revisiting their HIPAA policies and procedures to determine exactly what information they are allowed to share and to whom they may share information. 

FAMILY AND FRIENDS

A health care entity may share a patient’s location, general condition or death with a patient’s family, guardian, or friend who is involved in the patient’s care or who may be responsible for payment of the patient’s treatment. This may occur in a variety of circumstances including, but not limited to, the following:

  • If the patient is present and able to consent to the disclosure, the health care provider must obtain the patient’s consent, provide the patient with the opportunity to object to the disclosure, or based on the professional judgment of the health care professional, they may reasonably conclude that the individual would not object to the disclosure being made.
  • If the patient is not present or unable to consent due to incapacity or emergency, the health care professional may in the exercise of professional judgment determine whether the disclosure to the family, friend or guardian is in the best interest of the patient.
  • If the patient is deceased, the health care provider may disclose information about the patient to the family member, friend or guardian unless the health care professional is specifically aware that the patient expressed that the disclosure not be made prior to their death.
  • Health care providers may also share information about a patient with police, media outlets or the general public when attempting to identify, locate or notify family members, guardians or personal representatives of a patient. Information that may be shared include the patient’s location, general health status or death.
  • PHI may be shared with disaster relief organizations that are legally responsible for assisting with disasters if doing so will assist in the notification of family members or other individuals responsible for the patient’s care. [1]

MEDIA OUTLETS

Hospitals and health care entities may share general information about a patient with media outlets in an effort to identify, locate or notify individuals responsible for the patient’s care. However, if the request is initiated by the media, you must consider the following:

  • If the patient is conscious and does not specifically object, limited facility directory information may be shared as long as the requestor identifies the patient by name. This information includes whether the patient is indeed seeking treatment at the facility, whether they are in critical or stable condition, and whether they sought treatment and are now released.
  • If the patient is unable to consent, the health care provider can determine based on their professional judgment whether notifying the media or general public of the patient’s status or death is in the best interest of the patient.

Specific information about a patient’s care, such as x-rays, tests performed and test results, or details of a patient’s diagnosis may not be disclosed without either the patient’s authorization or the authorization of their personal representative.

LAW ENFORCEMENT

Health care entities can provide information to law enforcement with a signed HIPAA authorization from the patient or the patient’s personal representative. However, there are instances in which PHI may be shared with law enforcement without patient consent. Those instances include:

  • When the health care professional reasonably believes that the report would prevent or lessen a serious and imminent threat to the health or safety of an individual or the public;
  • The entity believes in good faith that it is sharing information that may be evidence of a crime that occurred on the premises of the entity;
  • Alerting law enforcement of the death of an individual when there is a suspicion that the death resulted from criminal conduct;
  • When responding to an off-site medical emergency, as necessary to alert law enforcement to criminal activity;
  • When it is required by law to make reports to law enforcement, like in instances of treating gunshot or stab wounds;
  • In compliance with court orders, warrants, subpoenas or summons;
  • In response to a request by law enforcement to identify or locate a suspect, fugitive, material witness or missing person (the information must be limited to basic demographic and identifying information about the person); and
  • Instances of child abuse or neglect reporting when the entity receiving the report is officially authorized by law to receive the report[2].

WHAT ABOUT THE SUSPECT?

When law enforcement needs assistance with identifying and locating a suspect, fugitive or material witness to a crime, health care entities are encouraged to cooperate with these requests.  However, those disclosures must be limited to the following information:

  • Name and Address,
  • Date and Place of Birth,
  • Social Security Number,
  • ABO Blood Type and RH Factor,
  • Type of Injury,
  • Date and Time of Treatment,
  • Date and Time of Death, and
  • Description of Distinguishing Physical Characteristics[3] (Ex. Tattoos, mustache, beard).

Any additional disclosures about a suspect’s medical information, such as DNA tests or body fluid analysis, can only be disclosed upon the presentation of a signed authorization, court order, warrant or documented administrative request.

WHAT IS A HIPAA WAIVER, AND WHEN DOES IT APPLY?

There is no lack of confusion regarding what a HIPAA waiver is and when it may be utilized. Waivers of HIPAA sanctions and penalties occur when the President declares an emergency or disaster and the Secretary of the Department of Health and Human Services (HHS) waives provisions of the Privacy Rule during the emergency or disaster.

If the Secretary issues such a waiver, it only applies:

  • In the emergency area and for the emergency period identified in the public health emergency declaration;
  • To hospitals that have instituted a disaster protocol. The waiver would only apply to patients at such hospital; and
  • For up to 72 hours from the time the hospital implements its disaster protocol.[4] Once the limited waiver terminates, health care entities are required to comply with the HIPAA Privacy Rule.

It is important to know under what circumstances you can disclose information and to whom those disclosures can be offered. Failure to understand these requirements may place you at risk for HIPAA violations and sanctions. If you have specific questions about disclosures of PHI, please contact a health care compliance professional.

[1] 45 CFR 164.510(b)

[2] 45 CFR 164.512

[3] 45 CFR 164.512(f)(2)

[4] 45 CFR 164.510(b)(4)

Article contributed by Samarria Dunson, J.D., CHC, CHPCattorney/principal of The Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Ala. The Dunson Group, LLC, is an official partner with the Medical Association.

Posted in: HIPAA

Leave a Comment (0) →

Breach Notification…Who, How, When?

Breach Notification…Who, How, When?

February is typically a very busy month for health care compliance professionals because the majority of breaches are required to be reported to the Department of Health and Human Services (HHS) within the first 60 days of the calendar year following the breach. However, the type of breach determines the applicable deadline so it is very important to know what needs to be reported to whom and when.

Entities regulated by HIPAA, including healthcare providers, health plans and business associates, must identify breaches in an adequate and timely manner and respond to breaches accordingly. This response includes identifying the occurrence, thoroughly investigating the incident, completing a thorough Breach Assessment of the incident and timely reporting conclusions to the appropriate parties.

A “breach” is an impermissible use or disclosure that compromises the privacy or security of protected health information. When a breach occurs in a health care setting, the entity may be required to provide notice of the breach to affected parties, including the patient or client, HHS and in some instances media outlets.

Standard

Health care entities are required to assess all breaches by considering the likelihood that patient or client protected health information was compromised. This is different than the previous harm standard, which required a determination of whether the breach caused a significant risk of financial, reputational or other harm. Under the compromise standard, consideration is given to the identity of the individual to whom the information was wrongfully provided and the possibility of that individual being able to retain and/or utilize the information.

Entities rely on their Breach Assessment tool to assist them with developing conclusions about the status of a breach. Unless an entity can substantiate and document that the breach was low-risk, it must be reported to appropriate parties as a breach. Pursuant to federal regulation, specific elements must be considered before an entity can determine a breach to be low-risk. Those elements include:

  • The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized person who used the protected health information or to whom the disclosure was made;
  • Whether the protected health information was actually acquired or viewed; and
  • The extent to which the risk to the protected health information has been mitigated.[1]

These elements, in addition to other documented analysis, must be included on the entity’s Breach Assessment. This document should be customized to the entity and identify criteria that would lead to an objective determination about the nature of the breach.

The adequacy of an entity’s Breach Assessment tool is vital to that entity reaching an appropriate conclusion. The Breach Assessment should document the type of breach and the source of the breach. It should reflect whether it was an oral breach or whether documentation was shared. It should consider whether the individual with whom the information was shared is also a workforce member of a HIPAA-covered entity or whether that individual had any duty to keep the information confidential. After considering these questions, in addition to other factors, the entity should be able to make a reasonable determination about whether the protected health information was compromised.

Content of Notice

If an entity determines that a breach occurred and that breach notification is necessary, they must provide notice of the breach, which at a minimum includes the following:

  • A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
  • A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
  • Any steps individuals should take to protect themselves from potential harm resulting from the breach;
  • A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and
  • Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, website, or postal address.[2]

Timeliness Requirements

Entities must adhere to specific deadlines for breach reporting. The timeline is considered to have started on the date that the entity “knew or should have known of the breach.” Meaning that the entity either had direct knowledge of the breach or in the exercise of due diligence the entity should have been aware that the breach took place. This should have known element is important because it holds entities responsible for breaches based on an objective standard which discourages entities from pretending to be unaware of breach incidents.

Notification deadlines are directly related to the size of the breach. Breaches fewer than 500 individuals require notification to the patient within 60 days of discovery of the breach, also known as Individual Notice. Additionally, for breaches fewer than 500, notification must be provided to HHS within the first 60 days of the following calendar year.

Breaches involving 500 individuals or greater require entities to meet the Individual Notice standard described above, but it also requires simultaneous notice to HHS and media notice. Media notice is required to take place both in the place where the entity does business and in the location where the individuals affected by the breach reside. For example, a practice is located in Montgomery, Ala., and they provide services to patients in Montgomery and in Huntsville, Ala. The entity will be responsible for contacting media outlets in both Montgomery and Huntsville to ensure that consumers are informed of the breach. Additionally, if the entity has a website the notice must also be placed on the entity website.

Wall of Shame (for breaches of 500 individuals or greater)

The HHS Office of Civil Rights (OCR) notifies the public of large breaches in an effort to strengthen consumer trust and transparency. These breaches can be found on the HHS website and are known in the health care industry as the “Wall of Shame.” This Wall of Shame identifies entities that are currently under investigation, as well as entities who have already settled their cases with HHS or otherwise resolved their cases through administrative proceedings. It documents the name of the entity, the exact number of people involved in the incident and the type of breach. While the Wall of Shame generally reports incidents that occurred within the last two years, there is also an archive section that allows consumers to review cases occurring before that cut off period. You can view the HHS Wall of Shame by utilizing the following link: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Understanding the Breach Notification Rule can be tricky. This area of the regulations has many aspects that require professionals to perform specific analysis as they navigate each incident. Your entity compliance professional should be trained on the requirements and ensure that your policies and procedures are updated regularly. Your entity can report breaches to HHS by utilizing the following link: https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true.

Should your entity have questions regarding the Breach Notification Rule, they should contact a healthcare compliance professional for guidance.

[1] 45 CFR 164.402(a)(2)

[2] 45 CFR 164.404 (c)

Article contributed by Samarria Dunson, J.D., CHC, CHPCattorney/principal of The Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Ala. The Dunson Group, LLC, is an official partner with the Medical Association.

Posted in: HIPAA

Leave a Comment (0) →

Social Media & HIPAA: When Sharing is Not Caring

Social Media & HIPAA: When Sharing is Not Caring

Social media is an increasingly common presence within the health care industry – among providers and consumers alike – but despite the potential benefits it can offer both parties, it introduces many risks.

Paging Dr. Google

It’s no exaggeration to say that the internet has completely transformed the way people seek medical information, and social media has played a significant role in this transformation. In fact, of the 74 percent of internet users that engage on social media, 80 percent of those are specifically searching for health information, and nearly half are looking for information about a specific doctor or health professional[1].

What’s more, research[2] has shown that social media can have a direct influence on a patient’s decision to choose a specific health provider, or even lead them to seek a second opinion, particularly amongst patients coping with a chronic condition, stress, or diet management.

This presents many opportunities for healthcare providers looking to get ahead of the competition – and for those who choose to actively engage in social media, the rewards can be significant, but so can the risks. So before jumping into social media headfirst, physicians need to understand the potential pitfalls, specifically the risks associated with patient privacy, and their obligations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Social media and PHI

PHI stands for Protected Health Information. The HIPAA Privacy Rule[3] provides federal protections for personal health information held by HIPAA covered entities (health care providers, health plans, healthcare clearinghouses, plus their business associates) and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.

The limits of permissible disclosure, however, are extremely limited, and definitely don’t include social media; if a physician were to disclose a patient’s PHI via social media without consent, even accidentally, this would be a direct violation of HIPAA guidelines and probably state law too.

While one would hope that most healthcare professionals know not to share PHI publically, some may not even know that what they are sharing, or intend on sharing is actually PHI; it is extremely difficult to anonymize patients, and even the subtlest of identifiers could be deemed a breach of patient privacy if it can be tied to a patient.

To avoid this happening, providers need to understand the 18 PHI identifiers, which are:

  • Names;
  • Geographic information;
  • Dates (e.g. birth date, admission date, discharge date, date of death);
  • Telephone numbers;
  • Fax numbers;
  • E-mail addresses;
  • Social Security numbers;
  • Medical record numbers;
  • Health plan beneficiary numbers;
  • Account numbers;
  • Certificate/license numbers;
  • Vehicle identifiers and serial numbers, including license plate numbers;
  • Device identifiers and serial numbers;
  • URLs;
  • IP address numbers;
  • Biometric identifiers (e.g. finger and voice prints);
  • Full-face photographic images and any comparable images; and
  • Other unique identifying numbers, characteristics, or codes.

How to ensure a HIPAA compliant social media strategy

To avoid an inadvertent breach of PHI, covered entities should educate staff on best practices when using social media, including:

Avoid social messenger services

The likes of Facebook Messenger, LinkedIn, and Twitter Direct Messages may be familiar and convenient, but they are not secure and should be avoided at all costs when discussing patient health matters or exchanging PHI, even with trusted colleagues. Not only are these platforms inherently insecure due to a lack of encryption and access controls, the potential for error is increased as users could accidentally post information publicly or send a message to the wrong recipient.

What’s more, as BYOD (bring your own device) becomes more widely adopted in healthcare organizations, and as more devices are carried between home and work, the potential for device theft or loss increases, which further jeopardizes the security of any sensitive information that exists on a device, within social media applications, or on web browsers. This considered, PHI should only ever be exchanged via HIPAA-secure messaging services, that have been approved by IT departments and are used as part of an organization’s regular workflow.

Think very carefully before posting

When utilized as part of a wider marketing strategy, social media can be a very effective tool, but those responsible for managing social media output on behalf of an organization must be well versed in what type of content is and is not acceptable to share online. Even a seemingly harmless photo of the outside of a premises could cause problems if patients can be seen entering or exiting the building, or if a vehicle can be recognized in the car park. The same can be said of waiting rooms and reception areas, where the likelihood of capturing a patient’s face is high.

Keep work and home life separate

A HIPAA violation can just as easily happen in the home as it can in the workplace. After a hard day at work it is not uncommon for members of staff to air their grievances online – be it on Facebook, Twitter, or within closed forums. Again, considering how difficult it is to de-identify PHI, this behavior should be strongly discouraged, particularly where complaints about patients are involved. Similarly, posting about a famous person, friend, or family member being seen in a practice may be tempting, but is equally risky.

Social media has become second nature for many of us, and the ease of access to it is both a blessing and a curse for the healthcare industry. When managed responsibly, social media can be a highly effective marketing tool, and can even help improve the health outcomes of patients searching for information online. When used irresponsibly, however, the risks are high, and potential repercussions significant.

For HIPAA covered entities who engage in social media, the message is simple; develop robust company policies to ensure responsible usage, and ensure all staff are trained to think before they share.

[1] http://www.pewinternet.org/2011/02/01/health-topics-3/

[2] https://getreferralmd.com/2013/09/healthcare-social-media-statistics/

[3] https://www.hhs.gov/hipaa/for-professionals/privacy/index.html

About The Author

Gene Fry has been the compliance officer and vice president of technology at Scrypt, Inc. since 2001 and has 25 years of IT experience working in industries such as health care and for companies in the U.S. and abroad. He is a Certified HIPAA Professional (CHP) through the Management and Strategy Institute, a Certified Cyber Security Architect through ecFirst and certified in HIPAA privacy and security through the American Health Information Management Association. Most recently achieved the HITRUST CSF Practitioner certification from the HITRUST ALLIANCE. Gene can be contacted through https://www.docbookmd.com/. DocbookMD is built by Scrypt, Inc. DocbookMD is an official partner of the Medical Association.

Posted in: HIPAA

Leave a Comment (0) →

HIPAA and the Holidays

HIPAA and the Holidays

As the holiday season builds momentum we are faced with numerous distractions like holiday decorations, taking advantage of online sales and soaking in the traditions that we look forward to each year. But this season of joy and giving should also be met with a heightened sense of awareness and adherence to HIPAA policies and procedures. You’re likely thinking to yourself, “How can Christmas, Hanukkah, Kwanza or the New Year impact HIPAA?” Well, those holidays can’t, but your employees’ behavior sure can.

Electronic Protected Health Information (ePHI)

This busy season will cause some employees to take advantage of online shopping while at work. While that seems relatively harmless, and in most cases it is, this also invites the possibility of introducing viruses into your system from unprotected and/or unapproved sites. It is important to have a clear policy and procedure regarding internet access on your entity’s equipment and it is equally important to ensure that your entity is enforcing compliance. Likewise, the threats of ransomware are ever increasing. A distracted employee is more likely to click a suspicious link or open a questionable email that could introduce ransomware into your computer system or electronic medical records. This is a great time to remind staff of their responsibilities to protect ePHI.

Physical Security

Unfortunately, the season of “giving” for some means a season of “taking” for others. Generally, criminal activity like property theft and break-ins rise during the shopping season. This makes it extremely important for your entity to adhere to mandatory HIPAA Physical Safeguards. The HIPAA Security Rule requires entities to have a documented Facility Security Plan, which memorializes the use of physical access controls. Specifically, entities are required to “implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.”[1] The entity’s designated HIPAA Security Officer should be reminding employees of the policy of not providing keys or swipe access to individuals who are not employees or staff members of the entity. Additionally, HIPAA Security Officers should review and document the use of cameras, alarm systems, keys and swipe cards to assess whether any changes need to be made to address any areas of vulnerability.

This is also particularly important for employees and staff who travel with PHI or ePHI. Whether it is paper records or a laptop, employees and staff should ensure they are not leaving these items in their vehicles in plain view. We advise our clients to have a policy that requires employees to leave any PHI or ePHI in the trunk of their vehicle where it is not visible or inviting for a would-be-thief. This can significantly reduce the entity’s risk of HIPAA breaches, as well as property loss.

Workstation Security

Many health care providers will experience an increase in patient activity as people clamber to make their end of the year appointments to take advantage of any cost savings before the new year begins. Combine that with flu-season and the prevalence of winter illnesses and all of a sudden the waiting room just became standing room only. The euphoric nature of the season, coupled with a dramatic increase in patient activity can be a recipe for HIPAA violations. While employees struggle to keep up with the demand, they are more likely to be careless about workstation security. They become less likely to lock their computers when they walk away from their station and more likely to share usernames and passwords in order to accomplish certain tasks more quickly. While these activities seem relatively harmless, these are violations that can cost the entity greatly if it leads to breaches of PHI or ePHI.

Visitors and Guests

The holidays aren’t nearly as fun without office holiday parties. These parties generally include catered meals, outside delivery services and even invited guests. Entities should ensure that they have a documented visitor/guest policy and procedure and that their employees follow that procedure. This includes a visitor/guest sign-in. Depending on the layout of the facility, these visitor/guests should be escorted to their destination so that they don’t have an opportunity to view documents or lab reports that may be left unattended in the facility.

Delivery personnel and vendors are not the only individuals subject to that policy. Family members and friends who present to the facility to visit with staff members and employees must also adhere to the entities visitation policies. Just because the person may be a relative or close friend does not earn them the right to overhear conversations about patient PHI or the right to view PHI that may be on someone’s desk or workstation.

Tone of Voice

One of the biggest complaints that our office receives regarding patient privacy is the tone of voice used by employees and staff as they discuss their health conditions. During the holiday season, many entities play festive music in their waiting areas which automatically cause employees and staff to raise their voices as they converse with patients or other providers. Entities should pay particular attention to the location of their waiting rooms and the position of their reception desk. Employees and staff should be advised of this concern and reminded of the importance of using a professional tone that would not give rise to unauthorized or inappropriate disclosures of PHI.

This is without argument “the most wonderful time of the year.” It’s a time to enjoy family, get reacquainted with friends, and provide for the health and well-being of patients. As the activity of the season builds, it is important to make every effort to ensure that your entity is in compliance with HIPAA regulations. Adhering to appropriate policies and procedures will not only ensure that you provide appropriate patient care, it will also reduce the likelihood of liability for violations which is a great way to start the New Year.

[1] § 164.310(a)(2)(ii)

Samarria Dunson, J.D., CHC, CHPC is attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama.  www.dunsongroup.com  Read other articles from Dunson Group here.

Posted in: HIPAA

Leave a Comment (0) →
Page 3 of 5 12345