Preventing a Data Breach

Preventing a data breach can feel like a daunting task. However, a well-educated staff is your first line of defense. Although nothing is failsafe, there are many things you can do within your practice to prevent a data breach. We covered this last year, but I thought it might be time for a reminder with the latest breach from Change Healthcare.

Hacking/IT incidents remain the largest category, comprising 77% of the reported breaches. Network servers continued as the largest category by location for breaches involving 500 or more individuals, at 58% of reported large breaches.

If you would like to review the list of breaches, click here: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Many of these start with an unsuspecting employee who clicks on a link or shares information before it has been verified. Most attacks begin with a phishing email, a text, or a visit to a website. Once this occurs, you are often infected with a virus, malware, or ransomware. When this happens, your systems may be frozen, and a DoS (denial of service) begins. Let’s review how to prevent a data breach:

Emails:

What might a fake email look like? First, it is going to look “real” until you take a closer look. Pay attention to the “from” email address. This is the most common place to start. Most email addresses will have a name you are familiar with, but the URL will be different. For example: sally@email.bankofamerica.com. So, look for anything that is “slightly” different. Then, if they want you to click on a link, hover over the link to see if it really goes where they claim. I received an email from my “bank” asking me to “Finish the Do-To-List”. I knew I hadn’t started any such list, and I hovered over the link. It was to a completely different website. I reviewed the message details and looked up the IP address; it was from Spain. My bank is not in Spain! If you would like to learn more about reading your message details, reply to this email.

Text Messages:

Text messages are much the same. Look at the top of the message and review who it is from. Most of these will be from either a phone number or an email address that does not belong to the actual company. NEVER click on any link or call the number in the message. If you receive a message about a purchase and it states you must click to decline, DON’T! Call your bank or credit card company to verify. You must be very diligent with these messages; they try to spoof your bank or card company’s email address by adding something like this: stop@fraud.bankofamerica.com.
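The email and text-message sections above boil down to two checks: does the “from” address really belong to the organization it claims, and does each link lead where its text says it does (what hovering over the link reveals)? The following Python is an added example, not code from the original post; it applies those checks to a message body. The addresses, hostnames and messages in it are constructed for illustration, with examplebank.com standing in for whatever organization the message claims to come from.

```python
"""Lookalike-sender and mismatched-link checks (added example, not from the original post).

The sample addresses, hostnames and message bodies below are constructed for
illustration; 'examplebank.com' stands in for whatever organisation the message
claims to come from.
"""
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that itself looks like a URL or hostname, e.g. "examplebank.com/login".
URL_LIKE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname ('login.bank.example.net' -> 'example.net').

    Simple heuristic: it does not handle multi-part public suffixes such as co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_message(from_header: str, html_body: str, expected_domain: str) -> list:
    """Return human-readable findings; an empty list means no indicator fired."""
    findings = []
    expected = expected_domain.lower()
    _, addr = parseaddr(from_header)
    sender_host = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # Indicator 1: the "from" address is not under the organisation's own domain.
    if registrable_domain(sender_host) != expected:
        findings.append(f"sender domain {sender_host!r} is not {expected!r}")
    parser = _LinkCollector()
    parser.feed(html_body)
    for text, href in parser.links:
        link_host = (urlparse(href).hostname or "").lower()
        # Indicator 2: the link leads somewhere other than the claimed organisation
        # (this is what hovering over the link reveals).
        if registrable_domain(link_host) != expected:
            findings.append(f"link {text!r} points to {link_host!r}, not {expected!r}")
        # Indicator 3: the visible text shows one site but the real target is another.
        if URL_LIKE.match(text):
            shown = urlparse(text if "://" in text else "https://" + text).hostname or ""
            if registrable_domain(shown) != registrable_domain(link_host):
                findings.append(f"link text shows {shown!r} but target is {link_host!r}")
    return findings


# Constructed samples: one legitimate-looking message and one with the indicators present.
LEGIT_FROM = "Example Bank <alerts@email.examplebank.com>"
LEGIT_BODY = '<p>Sign in at <a href="https://www.examplebank.com/login">Sign in</a>.</p>'
PHISH_FROM = "Example Bank <alerts@examplebank-secure.net>"
PHISH_BODY = (
    '<p>Please <a href="http://login.examplebank.com.evil-host.test/">Finish the To-Do List</a></p>'
    '<p><a href="https://tracker.test/x">examplebank.com/security</a></p>'
)

if __name__ == "__main__":
    for label, frm, body in (("legit", LEGIT_FROM, LEGIT_BODY), ("phish", PHISH_FROM, PHISH_BODY)):
        print(label, check_message(frm, body, "examplebank.com"))
```

The third indicator is the one people miss most often: a link whose visible text reads like the bank’s own address while the href goes elsewhere. Note that a hostname such as login.examplebank.com.evil-host.test still resolves to evil-host.test, which is exactly the “slightly different” detail the post tells you to look for.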

Websites:

Websites can be infected with malware or a virus, or can redirect the information you enter. Again, it is very important to look at the URL closely before entering any credentials. When visiting unknown sites, you take the risk of being infected. This is difficult to comprehend since we all like to “surf” the web. Many recipe sites have been known to host malware, since people do not maintain security on older sites. If you are going to surf, you MUST have very good anti-virus/anti-malware software. I am currently using Bitdefender Total Security. When I try to go to a website and the credentials of the site do not match, my software will NOT let me go to the site unless I enter my password for my software. Your IT vendor may utilize something like this. Websites that have not been maintained or have been hacked can present all kinds of problems. Preventing a data breach means that staff members should NOT use their work computers for surfing!

Man-in-the-middle:

Another type of threat is when information is intercepted without a person’s knowledge; this is commonly referred to as a “man in the middle” attack. When a person uses a public Wi-Fi system, a nefarious character can spoof a legitimate connection and steal information. Depending on the type of activity, a virus or malware could be placed on the device and brought back into the office. This could in turn infect your network.

Zero-day attacks:

Then there are zero-day exploits, which happen when hackers uncover a vulnerability in a system and attack it. These are usually widespread and can occur all over the world. Developers must work fast to create a patch to correct the deficiency. In the meantime, your systems could be down or destroyed. This is why it is critical to maintain a backup that is not connected to your network.

Ransomware attacks are a real problem and not just for healthcare but for everyone. It has gone up 70% in just one year. Think about losing everything on your business network or your home computer. It happens, so all these recommendations are for your personal use as well.

The Office for Civil Rights (OCR) released its breach report to Congress; below are a few highlights.

“OCR’s Reports to Congress provide useful information for everyone on trends in HIPAA complaints and breach reporting,” said OCR Director Melanie Fontes Rainer. “Our health care systems should take note of these trends and address potential HIPAA compliance issues before they experience a breach or receive notice of an OCR investigation. My staff and I stand ready to continue to work with Congress and the health care industry to drive compliance and protect against security threats.”

The HHS 2022 Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance identifies the number of complaints received. Some highlights include:

  • OCR received 30,435 new complaints alleging violations of the HIPAA Rules
  • OCR resolved 32,250 complaints alleging violations of the HIPAA Rules
  • OCR resolved 17 complaint investigations with Resolution Agreements and Corrective Action Plans (RA/CAPs) and monetary settlements totaling $802,500, and one complaint investigation with a civil money penalty in the amount of $100,000
  • OCR completed 846 compliance reviews and required subject entities to take corrective action or pay a civil money penalty in 80% (674) of these investigations. Three compliance reviews were resolved with RA/CAPs and monetary payments totaling $2,425,640.

Feel free to share this blog with your colleagues. We want to educate as many practices as we can since data breaches can be expensive. If you need assistance with HIPAA Compliance, check out our HIPAA Keeper. It’s an online compliance system that has everything you need to get compliant and stay compliant! Best of all you will have a HIPAA security analyst to guide you every step of the way!

For more information or to speak to someone about HIPAA Compliance call us at 877.659-2467 or use the contact us form.

“Simplifying HIPAA through Automation, Education, and Support”

Common Online Tracking Technology that Could Lead to a HIPAA Violation

Common online tracking technology that could lead to a HIPAA violation should be at the top of every healthcare provider’s “to know” list.

I probably sound like a broken record by now; however, this is a VERY important topic! Many states are implementing their own set of privacy rules, and using online tracking is dangerous in healthcare.

Here is a refresher on what online tracking technology is. Tracking technology collects data from website visitors and, many times, follows that visitor around the internet. It serves an important purpose for the website owner: it can give them useful information about what a visitor is looking for, how long they stay on a page, and where they go after they leave your site. In the business world, that sounds harmless. Marketers are just trying to make websites more appealing and increase revenue. In the healthcare field, that can be considered a HIPAA violation. Most medical practices do not even know these trackers are on their website. It is extremely important to audit your website and make sure the company you utilize for maintaining your website, marketing, and hosting understands HIPAA.

There are dozens of trackers, but we will cover the most common that we have encountered:

  • Google
  • Google Analytics
  • Google Ads
  • Google Maps
  • HotJar
  • HubSpot
  • YouTube
  • Vimeo
  • LinkedIn
  • TheTradeDesk

The most common of all trackers is Google. They have a few different “versions”, like Google Analytics, Google Ads, and Google Maps. You need to understand how this works, because all of them can lead to problems: these trackers are not HIPAA compliant. Google Analytics collects personal identifiers about your website visitors by default. Google Ads follows visitors around the internet. If you find “doubleclick” in any part of a URL, that is also related to Google Ads! There are others, but this is the most common one marketers use to track sales conversions. Google Maps, of course, tracks where the visitor is located in order to direct them to your location. This could be a violation if it is located on the same page as a scheduler or portal. You may be in the clear if there isn’t any other health information located on that page. Caution should be used when using Google Maps. Many practices simply write out directions from common intersections or nearby towns.

Please note that even if the individual who visits your website is NOT a patient, the OCR considers them a potential patient who may become a patient at some point in the future, and therefore their data could be considered PHI. The OCR and the FTC have specifically stated that Google Analytics and Google Ads can cause HIPAA violations. You will need to remove the information that is collected BEFORE it is shared with Google, or you must utilize a third party to prevent Google from having access.

Hotjar is a Google competitor and states they are easier to use. They offer two types of analytic tools: heatmaps and session recordings. They offer a “free” version, but remember, when a service is free, you are usually the item for sale. Although they promote that they do not collect IP addresses and emails, it is unclear if they collect any other personal data. They advise new users to log into their Google account to get started, so that is a red flag for us.

HubSpot is popular because it is a CRM that is linked to your website. They state they have robust security in place, but they will not sign a BA agreement. Therefore, they are not HIPAA compliant. Their terms of service state that healthcare entities should NOT use HubSpot. We have read that it can be made HIPAA compliant, but this would still put you on notice with the OCR and FTC.

Since Google owns YouTube, this is another platform that sets off alarm bells. Many practices use video on their website that is hosted on YouTube. This could contain PHI, and then YouTube would have access to personal identifiers. Unfortunately, this also means you are sharing PHI with Google. Again, this is a HIPAA violation. You may be able to have the patient sign an authorization that details what information is going to be shared and explains that, even if they later decide they want it removed, the original information may be retained online indefinitely. This is a slippery slope, though.

Speaking of videos, this brings me to Vimeo. This is another video hosting platform. They have several “versions”, so just be aware of any URL that has Vimeo in it. Keep in mind that these embedded videos collect user information, the same as YouTube, and share it with Vimeo. The same precautions must be applied.

If you must use videos, it is recommended to find an alternative hosting platform that will sign a BA agreement. I know this could be a long process, but you need to be sure patient data is not being shared!

Facebook is another one we have seen a lot on medical websites. They are another entity known to share information across multiple platforms. Meta, who is the parent company of Facebook, uses a Pixel as their tracking device. The “Meta Pixel” is a small code that is used to track information across Facebook and Instagram, and any other systems they choose. Have you ever been on one platform, only to see Ads on another about something you watched or read? Meta pixels track visitor actions, and this helps put ads in front of similar visitors to improve advertising conversions. The OCR and FTC have also named Meta/Facebook as being non-compliant.

LinkedIn has been known as a professional platform. Many healthcare providers have chosen to have a presence on LinkedIn over Facebook. They too use trackers; this one is called the “Insight Tag”. They have several different URLs, but they all use trackers. This tracker has the ability to follow LinkedIn users on your website and monitor what pages are viewed and whether any actions are taken. Originally, this was intended for visitors looking for a job. If it is placed properly, and no health information is located on that page, the risk of a violation is low. Make sure this tracker is not located on your entire website. This tracker works like the rest of the social media trackers and puts you at risk of violations if not installed properly.

The TheTradeDesk tracker is difficult to spot since some of their URLs do not use this name. Watch for adsrvr in the URL. They call their tracker the “Universal Pixel” since it allows advertisers to target users on digital platforms, streaming devices, and podcasts. This platform collects a lot of data from your website! This includes demographics, browsing history, and even conversion stats. This all can lead to PHI being shared with them. It is not recommended to use this platform if you are a healthcare provider, since they can load other ad pixels randomly on your website. This can put your practice at even greater risk of a HIPAA violation.
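The post repeatedly says to audit your website and to watch the URLs that pages load (“doubleclick”, “adsrvr”, anything with Vimeo or YouTube in it). The following Python is an added example of such an audit, not code from the original post or from any of the vendors named. It parses a page’s HTML, collects every script, iframe, image and link URL plus inline script bodies, and matches them against a table of vendor signature strings. Apart from the four hints the post gives, those signature strings are this example’s own assumptions and should be verified against your page source; the sample pages are constructed.

```python
"""Tracker audit for a website's HTML (added example; not from the original post).

The signature strings below are this example's own assumptions about which script,
iframe and image URLs (and inline script globals such as gtag/fbq) identify each
vendor; the only hints taken from the post are 'doubleclick', 'adsrvr', 'vimeo'
and 'youtube'. Verify them against your own page source. The sample pages are
constructed, including the 'G-EXAMPLE' measurement id.
"""
from html.parser import HTMLParser

TRACKER_SIGNATURES = {
    "Google Analytics / Tag Manager": ("google-analytics.com", "googletagmanager.com", "gtag("),
    "Google Ads / DoubleClick": ("doubleclick.net", "googleadservices.com", "googlesyndication.com"),
    "Google Maps": ("maps.googleapis.com", "google.com/maps"),
    "Hotjar": ("hotjar.com",),
    "HubSpot": ("hs-scripts.com", "hubspot.com", "hsforms.net"),
    "YouTube": ("youtube.com", "youtube-nocookie.com", "youtu.be"),
    "Vimeo": ("vimeo.com",),
    "Meta Pixel": ("connect.facebook.net", "facebook.com/tr", "fbq("),
    "LinkedIn Insight Tag": ("snap.licdn.com", "px.ads.linkedin.com", "_linkedin_partner_id"),
    "TheTradeDesk Universal Pixel": ("adsrvr.org",),
}


class _ResourceCollector(HTMLParser):
    """Collect external resource URLs and inline <script> bodies, in document order."""

    URL_ATTR = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.resources = []   # (kind, value): kind is "url" or "inline script"
        self._script = None   # buffer while inside a <script> element

    def handle_starttag(self, tag, attrs):
        attr = self.URL_ATTR.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            self.resources.append(("url", value))
        if tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = "".join(self._script).strip()
            if body:
                self.resources.append(("inline script", body))
            self._script = None


def audit_html(html: str) -> dict:
    """Map tracker name -> list of evidence (the URL, or 'inline script') found in one page."""
    collector = _ResourceCollector()
    collector.feed(html)
    found = {}
    for kind, value in collector.resources:
        haystack = value.lower()
        for name, needles in TRACKER_SIGNATURES.items():
            if any(needle in haystack for needle in needles):
                found.setdefault(name, []).append(value if kind == "url" else "inline script")
    return found


def audit_site(pages: dict) -> dict:
    """Audit several pages (path -> HTML) so each tracker can be tied to the page it is
    on, e.g. a scheduler or portal page where health information may be present."""
    return {path: audit_html(html) for path, html in pages.items()}


def pages_loading(report: dict, tracker: str) -> list:
    """Sorted list of page paths on which a given tracker was found."""
    return sorted(path for path, found in report.items() if tracker in found)


# Constructed sample site: a home page full of trackers, a scheduler page with a map, a clean page.
SAMPLE_SITE = {
    "/": """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date());</script>
<script src="https://static.hotjar.com/c/hotjar-123.js?sv=6"></script>
</head><body>
<iframe src="https://www.youtube.com/embed/abc123"></iframe>
<iframe src="https://www.google.com/maps/embed?q=clinic"></iframe>
<img height="1" width="1" src="https://www.facebook.com/tr?id=1&amp;ev=PageView">
<img src="https://insight.adsrvr.org/track/up?adv=xyz">
</body></html>""",
    "/schedule": """<html><body><h1>Book an appointment</h1>
<iframe src="https://www.google.com/maps/embed?q=clinic"></iframe>
<form action="/schedule"><input name="reason"></form></body></html>""",
    "/directions": "<html><body><p>From Main Street, turn left at the second light.</p></body></html>",
}

if __name__ == "__main__":
    report = audit_site(SAMPLE_SITE)
    for path, found in report.items():
        print(path, found or "no trackers found")
    print("Google Maps appears on:", pages_loading(report, "Google Maps"))
```

This only sees what is in the HTML you feed it; tags injected later by a tag manager or by another pixel (the behaviour the post attributes to TheTradeDesk) only show up if you capture the page after scripts have run, for example by saving the live DOM from the browser’s developer tools. The per-page report is what lets you act on the post’s advice about placement: a map or Insight Tag on a directions page is a different matter from the same tag on the scheduler page.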

None of these platforms will sign a Business Associate Agreement (BAA). I have heard of a company that can help with all of this, but they are not affordable for many providers. If you would like information about them, please contact us. I will continue to search for alternatives so you can still market your practice without fear of HIPAA violations. Until then, we recommend removing all trackers.

Let us know if you would like us to check your website. Feel free to share this information with your colleagues. We want to help as many practices as we can since the fines can be devastating. If you need assistance with HIPAA Compliance, check out our HIPAA Keeper. It’s an online compliance system that has everything you need to get compliant and stay compliant! Best of all you will have a HIPAA security analyst to guide you every step of the way!


2024 HIPAA and Other Compliance Updates

The 2024 HIPAA and other compliance updates are included in the Office of the Inspector General (OIG) General Compliance Program Guidance (GCPG) for healthcare providers.

Although this guidance covers nothing new, the OIG has issued it to assist the health care community. This Compliance Program entails more than HIPAA. After reviewing this summary, it is recommended that you review the Program Guidance in full.

Similar to the HIPAA Security Rule, the GCPG repeats certain information. This is because OIG recognizes that users may read, or may later reference, specific sections only, and not the whole document. Therefore, relevant information may be included and repeated in multiple sections.

The GCPG applies to all individuals and organizations involved in the health care industry. The GCPG addresses the seven elements of a compliance program. It includes adaptations for small and large organizations. The OIG anticipates updating the GCPG as compliance practices or legal requirements change.

Starting in 2024, the OIG will be publishing industry specific CPGs (ICPGs) for different types of providers, suppliers, and other participants in the health care industry. ICPGs will be tailored to fraud and abuse risk areas for each industry. They will also address compliance measures that the industry participants can take to reduce these risks. ICPGs are intended to be updated periodically to address newly identified risk areas and compliance measures and to ensure timely and meaningful guidance from OIG.

Keep in mind that the OIG’s compliance plan is a resource for healthcare providers and does not claim to be a complete compliance program. Every organization is different, and this is not a one-size-fits-all system. The guidance is very comprehensive, and the following is a summary. For the complete document, see the link below:

https://oig.hhs.gov/documents/compliance-guidance/1135/HHS-OIG-GCPG-2023.pdf

Federal Health Care Fraud and Other Standards

The Department of Justice (DOJ), OIG, the Centers for Medicare & Medicaid Services (CMS), and the HHS Office for Civil Rights (OCR) are charged with interpreting and enforcing these laws and regulations. These overviews are intended to be summaries only, and they do not address every legal obligation that may be imposed on the health care community and affiliated partners. For example, this guidance and these legal overviews do not address State fraud and abuse laws. It is important to understand that following these laws is the right thing to do, and violating them could result in criminal penalties, fines, exclusion from Federal health care programs, and being required to pay back overpayments.

Federal Anti-Kickback Statute

This statute prohibits organizations that are involved in Federal health care programs from engaging in some practices that are acceptable in other business sectors, for example, offering or receiving gifts for past or future referrals.

The Federal anti-kickback statute can be described as intent based. It is a criminal offense to knowingly and willfully offer, pay, solicit, or receive any remuneration to entice the referral of an individual for the furnishing of, or arranging the furnishing of any item or service, that is reimbursable under a federal health care program.

Violation of the Federal anti-kickback statute constitutes a felony punishable by a maximum fine of $100,000, imprisonment up to 10 years, or both. Conviction also will lead to mandatory exclusion from Federal health care programs, including Medicare and Medicaid.

Physician Self-Referral Law (PSL) a/k/a Stark Law

This law prohibits a physician from making referrals for certain designated health services (DHS) payable by Medicare to an entity with which the physician (or an immediate family member) has a financial relationship, unless an exception applies, and its requirements are satisfied. Financial relationships include ownership and investment interests as well as compensation arrangements. For example, if a physician invests in an imaging center to which the physician refers Medicare beneficiaries for DHS, the PSL requires that the financial relationship satisfies all requirements of an applicable exception. If it does not, the PSL prohibits the physician from making a referral for DHS to be furnished by the imaging center and prohibits the imaging center from billing Medicare (or any individual, third-party payor, or other entity) for the improperly referred DHS.

The PSL is implicated only when all six of the following elements are present:

  1. A physician
  2. Makes a referral
  3. For designated health services
  4. Payable by Medicare
  5. To an entity
  6. With which the physician (or an immediate family member) or the physician organization in whose shoes the physician stands has a financial relationship (which could be a direct or indirect ownership or investment interest in the entity or a compensation arrangement with the entity).

When all six elements exist, the PSL prohibits a physician from making a referral for DHS to the entity with which they have the financial relationship unless an exception applies and its requirements are satisfied. It is important for entities that furnish DHS to have a method to keep track of, and review closely, their financial relationships with physicians who refer Medicare patients to them.

CMS’s regulations define certain categories of DHS by Current Procedural Terminology (CPT) and Healthcare Common Procedure Coding System (HCPCS) codes. CMS publishes an updated list of codes for the relevant DHS annually.

https://www.cms.gov/medicare/regulations-guidance/physician-self-referral/list-cpt/hcpcs-codes

False Claims Act

The civil False Claims Act provides a way for the Government to recover money when an individual or entity knowingly submits or causes to be submitted false or fraudulent claims for payment to the Government.

This Act defines “knowing” and “knowingly” to mean that a person, with respect to information—

  • has actual knowledge of the information;
  • acts in deliberate ignorance of the truth or falsity of the information; or
  • acts in reckless disregard of the truth or falsity of the information; and no proof of specific intent to defraud is required.  

The False Claims Act defines “knowing” and “knowingly” to include not only actual knowledge but also instances in which the person acted in deliberate ignorance or reckless disregard of the truth or falsity of the information. This means individuals and entities cannot avoid liability by deliberately ignoring inaccuracies in their claims.

Filing false claims may result in liability of up to three times the programs’ loss plus an additional penalty per claim filed. Each instance of an item or a service billed to Medicare or Medicaid counts as a claim. Liability can add up quickly!

A few examples of health care claims that may be false include claims where the service was not actually rendered to the patient, is already provided under another claim, is upcoded, or is not supported by the patient’s medical record. A claim that is tainted by illegal remuneration under the Federal anti-kickback statute or submitted in violation of the PSL is also false or fraudulent, creating liability under the civil False Claims Act.

The Affordable Care Act included a requirement that entities must report and repay overpayments to Medicare and Medicaid by the later of:

(A) the date which is 60 days after the date on which the overpayment was identified; or

(B) the date any corresponding cost report is due, if applicable.

If an entity identifies billing mistakes or other non-compliance with program rules leading to an overpayment, the entity must repay the overpayments to Medicare and Medicaid to avoid False Claims Act liability. Even if an entity makes an innocent billing mistake, that entity still has an obligation to repay the money to the Government.

Civil Monetary Penalty (CMP) Authorities

The OIG is authorized to pursue monetary penalties and exclusion through a variety of civil authorities, most notably the Civil Monetary Penalties Law (CMPL). Under the CMPL, the OIG can pursue assessments in lieu of damages, CMPs, and exclusion from participation in the Federal health care programs. With this authority, OIG can address a wide variety of improper conduct related to Federal health care programs and other HHS programs. The CMPL principally addresses fraudulent and abusive conduct. In addition to OIG’s CMP authorities that closely parallel the False Claims Act, the OIG has additional CMP authorities aimed at certain specific types of conduct unique to HHS and the Federal health care programs, for example the “patient dumping” CMP.

While False Claims Act cases are pursued by DOJ on behalf of HHS in Federal court, CMP cases are administrative and pursued by OIG before an HHS administrative law judge. By statute, different categories of conduct result in different penalty amounts. For example, false claims result in penalties of up to $20,000 per item or service falsely claimed, and improper kickback conduct results in penalties of up to $100,000 per violation.

https://oig.hhs.gov/fraud/enforcement/?type=cmp-and-affirmative-exclusions&type=criminal-and-civil-actions&type=state-enforcement-agencies

Beneficiary Inducements CMP

This provides for the imposition of CMPs against any person who offers or transfers remuneration to a Medicare or State health care program beneficiary that the person knows or should know is likely to influence the beneficiary’s selection of a particular provider, practitioner, or supplier for the order or receipt of any item or service for which payment may be made, in whole or in part, by Medicare or a State health care program.

There are exceptions to the definition of “remuneration” under this section. For any applicable exception to apply, each condition of the exception must be completely satisfied. The exceptions include:

  • nonroutine waivers of copayments and deductibles based on individualized determinations of financial need;
  • preventive care incentives;
  • items and services that promote access to care and pose a low risk of harm;
  • retailer rewards;
  • items and services tied to medical care for financially needy beneficiaries.

The Beneficiary Inducements CMP is different from the Federal anti-kickback statute and the corresponding anti-kickback CMP, but the Beneficiary Inducements CMP and Federal anti-kickback statute often prohibit overlapping conduct.

The Beneficiary Inducements CMP is a separate and distinct authority, completely independent of the Federal anti-kickback statute. It is narrower than the Federal anti-kickback statute and the anti-kickback CMP in several ways.

The Federal anti-kickback statute applies to remuneration to induce or reward referrals of an individual to a person for the furnishing of any item or service, and purchases of any good, facility, service, or item that is payable by a Federal health care program. In contrast, the Beneficiary Inducements CMP applies to remuneration that is likely to influence a beneficiary’s selection of a particular provider, practitioner, or supplier for items or services reimbursable by Medicare or a State health care program.

Information Blocking

Under the 21st Century Cures Act the OIG has the authority to investigate claims that health information technology (IT) developers of certified health IT (including entities offering certified health IT), health information exchanges and networks, and health care providers have engaged in conduct constituting “information blocking.” A health IT developer of certified health IT, health information exchange, or network that engages in information blocking may be subject to CMPs of up to $1 million per violation.

It is considered information blocking when a provider engages in a practice that the provider knows is likely to interfere with, prevent, or materially discourage the access, exchange, or use of electronic health information (EHI). Information blocking does not include any practice that is required by law or that meets an exception.

Criminal Health Care Fraud Statute

The criminal health care fraud statute makes it a criminal offense to defraud a health care benefits program. The criminal health care fraud statute prohibits knowingly and willfully executing, or attempting to execute, a scheme to either:

(1) defraud any health care benefit program; or

(2) to obtain, by means of false or fraudulent pretenses, representations, or promises, any money or property from any health care benefit program.

The Government must prove its case beyond a reasonable doubt and prove that the defendant acted with intent to defraud; however, specific intent to violate this statute is not required for a conviction. DOJ, OIG, and other law enforcement partners have successfully used this statute to pursue defendants who orchestrate complex health care fraud schemes. Cases that involve violations of the criminal health care fraud statute also often involve complex money laundering, tax, and other associated financial criminal offenses. The penalties for violating the criminal health care fraud statute may include fines of up to $250,000, imprisonment of not more than 10 years, or both.

https://oig.hhs.gov/fraud/enforcement/about/

HIPAA Privacy and Security Rules

The Department of Health and Human Services Office for Civil Rights is responsible for administering and enforcing the HIPAA Rules, which include the Privacy, Security, and Breach Notification Rules.

The Security Standards specify a series of administrative, physical, and technical safeguards for covered entities and their business associates to ensure, among other provisions, the confidentiality, integrity, and security of electronic PHI (ePHI).

The OCR and ONC created the HSR Toolkit to assist providers and business associates in determining their risks. The HSR Toolkit does not produce a statement of compliance. Organizations may use the HSR Toolkit in coordination with other tools and processes to support HIPAA Security Rule compliance and risk management activities. Statements of compliance are the responsibility of the covered entity and the HIPAA Security Rule regulatory and enforcement authority. Using Aris’ HIPAA Keeper™ replaces the need to use this toolkit, since our system includes the risk assessment and all policies and procedures. It is recommended to utilize a third party to audit your network to ensure that your data is secure.

Elements of a Compliance Infrastructure

  1. Written Policies and Procedures should encompass the HIPAA Rules and areas that could cause fraud and abuse, including billing, coding, sales, marketing, quality of care, patient incentives, arrangements with physicians, other health care providers, vendors, and other potential sources or recipients of referrals of health care business.
  2. All individuals are required to have access to your policies and procedures. Many entities maintain their code, policies, and procedures on an internal intranet site or use other electronic communication tools to ensure that everyone has access to the same documents. Policies must be maintained in languages that the staff can easily understand and written at an appropriate reading level.
  3. Designating a compliance officer with appropriate authority is essential to the success of the compliance program. To be effective, the compliance officer should also maintain a degree of separation from the entity’s delivery of health care items and services and related operations. Thus, the compliance officer should not be responsible, either directly or indirectly, for the delivery of health care services, coding, or claim submission. In addition, involvement in functions such as contracting, medical review, or administrative appeals present potential conflicts. Whenever possible, the compliance officer’s sole responsibility should be compliance. In smaller organizations this can be burdensome, therefore a third party may be necessary for guidance.
  4. Training should include education on the organization’s compliance program, including Federal and State standards, and the governance and oversight of a health care entity. The compliance officer should develop an annual training plan that includes the training topics to be delivered and the target audience for each topic.
  5. For a compliance program to be effective, the organization should establish appropriate consequences for instances of noncompliance, as well as incentives for compliance. Consequences may involve remediation, sanctions, or both, depending on the facts. Incentives may be used to encourage compliance performance and innovation.
  6. Risk assessment is a process for identifying, analyzing, and responding to risk. Periodic compliance risk assessments should be a component of an organization’s compliance program and should be conducted at least annually. Entities may use commonly available spreadsheet software to analyze their data. Other software programs that entities already use, such as billing software and electronic health records, may also have components that allow entities to analyze the data they contain. Between compliance risk assessments, the compliance officer should continue to scan for unidentified or new risks.
  7. Audits may be conducted by internal or external auditors who have expertise in Federal and State health care statutes, regulations, and Federal health care program requirements. Medicare requires that items must be medically reasonable and necessary. Entities may identify other areas appropriate for routine monitoring, such as high-value billing codes, medical record documentation, and medical necessity of admission.
  8. Monthly monitoring of the LEIE and state Medicaid exclusion lists, state licensure and certification databases, and an annual review of the organization’s policies and procedures are also required.
  9. Detected Offenses and Developing Corrective Action Plans. If credible evidence of misconduct from any source is discovered and a reasonable inquiry is conducted, and the compliance officer or counsel has reason to believe that the misconduct may violate criminal, civil, or administrative law, then the organization should promptly (not more than 60 days after the determination that credible evidence of a violation exists) notify the appropriate Government authority of the misconduct. Prompt reporting will demonstrate the entity’s good faith and willingness to work with governmental authorities to correct and remedy the problem.

Other Compliance Considerations

There are other important compliance considerations related to several generally applicable risk areas. Forthcoming ICPGs will address industry subsector-specific risk areas for different types of providers, suppliers, and other participants in health care industry subsectors or ancillary industry sectors relating to Federal health care programs. The existing CPGs and supplemental CPGs will remain available for use as ongoing resources to help identify risk areas in particular industry segments as the ICPGs are developed.

Quality and Patient Safety

Quality and patient safety are often treated as wholly separate and distinct from compliance, and the compliance program often does not contain quality and patient safety components. But quality and patient safety are integral to the work of HHS, CMS, FDA, and other agencies. And OIG and DOJ have long emphasized the importance of quality and patient safety. OIG and DOJ have investigated and settled cases based on the submission of false claims for care that is materially substandard, resulting in death or severe harm to patients.

New Businesses in the Health Care Industry

The health care sector is seeing an increasing number of new businesses, including technology companies (both established and start-up companies), new investors, and organizations providing non-traditional services in health care settings. New entrants are often unfamiliar with the unique regulations and business constraints that apply in the health care industry, as well as the range of Federal and State government agencies that regulate health care and enforce fraud and abuse laws. Business practices that are common in other sectors create compliance risk in health care, including potential criminal, civil, and administrative liability.

Financial Incentives: Ownership and Payment – Follow the Money

The growing prominence of private equity and other forms of private investment in health care raises concerns about the impact of ownership incentives on the delivery of high quality, efficient health care. Health care entities, including their investors and governing bodies, should carefully scrutinize their operations and incentive structures to ensure compliance with the Federal fraud and abuse laws.

Payment Incentives

Compliance officers should be attuned to the varying risks associated with the payment methodologies through which health care entities are reimbursed for the items and services they provide. When an insurer, including Federal health care programs, pays on a volume-sensitive or fee-for-service basis, there may be increased risks of overutilization, inappropriate patient steering, and use of more expensive items or services than needed. When payment incentives and associated risks are fully understood, compliance officers, including those at entities with private investment, are better positioned to design informed audit plans, conduct effective monitoring, detect problems early, and implement effective preventive strategies.

Financial Arrangement Tracking

Organizations involved in Federal health care program business may manage financial arrangements and transactional agreements, including those between referral sources and referral recipients, which can implicate the Federal anti-kickback statute and the PSL, among other Federal fraud and abuse laws. While legal counsel may be involved in the initial structuring and drafting of these agreements, ongoing monitoring of compliance with the terms and conditions set forth in the agreements remains equally important from a fraud and abuse perspective.

OIG Resources and Processes

OIG has a Compliance Section on its website that includes numerous compliance and legal resources. They most recently added a more robust section on Frequently Asked Questions, with a new process for the health care community to submit questions, as discussed further below. In addition, under the Newsroom tab, they have short, educational videos covering a variety of substantive topics, Testimonies before Congress, as well as News Releases & Articles.

They encourage organizations to subscribe to OIG’s What’s New Newsletter to receive email notifications when OIG has posted new information to their website, including reports, enforcement actions, and more. OIG also encourages organizations to subscribe to email notifications when the List of Excluded Individuals/Entities is updated. Lastly, OIG has various social media accounts that users can opt to follow to view OIG posts.

The current list of topics addressed in FAQs

OIG Self-Disclosure Information

OIG has several self-disclosure processes that can be used to report potential fraud in HHS programs. Health care providers, suppliers, or other individuals subject to CMPs can use the Health Care Fraud Self-Disclosure Protocol to voluntarily disclose self-discovered evidence of potential fraud. Self-disclosure gives providers the opportunity to avoid the costs and disruptions associated with a Government-directed investigation and civil or administrative litigation.

The GCPG is voluntary guidance that discusses general compliance risks and compliance programs. The OIG states that compliance should be implemented. The complete guide may be accessed or downloaded on any computer.

https://oig.hhs.gov/documents/compliance-guidance/1135/HHS-OIG-GCPG-2023.pdf

There is an option to download only certain sections.

https://oig.hhs.gov/compliance/general-compliance-program-guidance/

Be sure to check this link regularly, as the guidance will be updated there and will no longer be available in the Federal Register.

If you need assistance with HIPAA Compliance, check out our HIPAA Keeper. Our system includes documents on a variety of compliance topics, not just HIPAA. Best of all you will have a HIPAA security analyst to guide you every step of the way!

For more information or to speak to someone about HIPAA Compliance call us at 877.659.2467 or use the contact us form.

“Simplifying HIPAA through Automation, Education, and Support”

HIPAA Documentation and Medical Records Retention

As this year comes to a close, it may be time for some practices to review which medical records can be archived. We have been asked many times what the “difference” is between HIPAA documentation and medical record retention requirements. Many organizations think these have the same requirements, and they do not!

If you are not sure about the differences, let Aris Medical Solutions offer you a complimentary consultation. We want to be your HIPAA partner!

HIPAA documentation retention:

HIPAA requires that your privacy and security rule policies, procedures, and documentation be retained for at least 6 years from the date of creation or the last date it was in effect, whichever is later. If a policy was implemented three years before it was revised, the original policy must be retained for a minimum of 9 years after its creation. If state privacy law is more stringent, then state law must be followed.

Here is an example of what is covered under HIPAA:

  • Audit logs of access to ePHI
  • Business associate agreements
  • Contingency plans
  • Employee sanction policy and documentation
  • Notice of Privacy Practices
  • Patient authorizations (unless included in their medical record)
  • Patient complaints and resolutions
  • Privacy policies (patient access, amendments, and authorizations)
  • Security incident reports and Breach notification documentation
  • Security policies (administrative, physical, and technical)
  • IT reports that include updates and device status

Medical record retention:

Most people think HIPAA controls the medical record retention requirements. HIPAA is a federal law, and each state has its own set of medical record retention requirements. State retention requirements can vary depending on the type of records and who they belong to.

Florida state law requires medical practices to maintain records for at least 5 years after the last visit. Hospitals are required to retain records for 7 years after the last visit.

Claims may be brought up to 7 years after the incident under the False Claims Act; however, on occasion, the time has been extended to 10 years.

Medicare managed care program providers must also retain their records for 10 years.

Some states require pediatric practices to retain records until the patient reaches the age of 23.

North Carolina has some of the lengthiest requirements: 11 years from the date of discharge, and the records of patients who are minors must be retained until the patient is 30 years of age.

It is recommended to retain any documentation that may be needed in a personal injury or breach of contract dispute for as long as necessary.

As you can see, there are many variables.

Proper organization of patient records and dates can assist you when the time comes to purge your records. This can also protect you from storing unnecessary records that could be a liability should you suffer a data breach.

If you need assistance with HIPAA Compliance, check out our HIPAA Keeper. It’s an online compliance system that has everything you need to get compliant and stay compliant! Best of all you will have a HIPAA security analyst to guide you every step of the way!

For more information about Aris Medical Solutions call 877.659.2467 or click here to contact us.


HIPAA Risk Analysis Requirements

Nefarious characters see healthcare organizations as high value yet relatively easy targets. These are referred to as target rich, cyber poor. Given that healthcare organizations have a combination of personally identifiable information, financial information, health records, and countless medical devices, they are essentially a one-stop shop for a bad actor. Understanding the HIPAA risk analysis requirements can help save your organization from these criminals.

There has been a significant rise in the number and severity of cyber-attacks against hospitals and medical practices in the last few years. These attacks expose vulnerabilities and endanger patient safety. The more they happen, the more expensive and dangerous they become.

Although the HIPAA Security Rule does not specify how often a risk analysis must be conducted, it is recommended to review your systems at least once a year. Keep in mind if you introduce new equipment, software, or suffer a security incident, you may need to evaluate your risks more often.

If you need a HIPAA Security Risk Analysis, check out our:

The OCR conducted a webinar regarding Risk Analysis Requirements and discussed the areas that are deficient.

The OCR mentioned the following:

  1. The lack of a system wide accurate and thorough analysis. (Step 1 Questionnaire)
  2. Performing only the MIPS risk analysis does not encompass the system wide requirements.
  3. PCI/DSS is more than likely not a complete risk assessment since it does not include ePHI.
  4. Instead of a system wide accurate and thorough risk assessment, a summary or heat map is provided without the backup documentation.
  5. Lack of an inventory list to track which devices access, transmit, or store ePHI. (Located in the Profile)
  6. No method to track operating systems that become out of date. (Documented in the inventory list)
  7. Lack of mitigation documentation after the risk analysis was completed. (Step 1 Risk Management Plan)
  8. Lack of sanctions against staff who violate HIPAA. (Step 3 Policies and Procedures)
  9. Lack of security software / equipment updates. (Documented in reports from your IT company and stored in the Profile under Uploads)

Let’s all work together to keep patient data safe and secure. If you need assistance with HIPAA Compliance, check out our HIPAA Keeper. It’s an online compliance system that has everything you need to get compliant and stay compliant. Best of all you will have a HIPAA security analyst to guide you every step of the way!


HIPAA Compliance Officer Responsibilities

Most practices cannot afford to hire a HIPAA Compliance Officer. So, practice owners often assign their Office Manager or their Practice Administrator the HIPAA Compliance Officer responsibilities. These responsibilities are so much more than just a title. A Compliance Officer’s responsibilities include creating, implementing, maintaining, and enforcing compliance. Since they are not trained as a Compliance Officer, many times HIPAA is placed on the back burner. There is not enough time in the day to keep up with the responsibilities of the “normal” work. Then they need to address the elephant in the room called “HIPAA”. The easiest way to manage this is to hire a HIPAA consulting company that will do the heavy lifting and be there to assist when needed. Policies, procedures, and documentation are the backbone of HIPAA compliance. This includes both the HIPAA privacy and security rules. Unfortunately, the rules can change. You must keep your policies up to date. For example, information blocking and exceptions have been added to the rules, and the right of access time limit may be reduced to 15 days.

If you do not have a company to assist you, let Aris Medical Solutions offer you a complimentary consultation. We want to be your HIPAA partner!

Here are some areas that need to be implemented:

  1. Conduct a system wide risk analysis. This will include administrative, physical, and technical safeguards. There are free tools available to assist you, but keep in mind this is only a starting point. These tools do not include the remediation processes, policies and procedures, and documentation forms.
  2. From the Risk Analysis, you will create a Risk Management Plan to document your mitigation process. This document will also include the reasonable and appropriate safeguards you have in place.
  3. All entities (medical practices and business associates) that access or store Protected Health Information (PHI) must monitor audit logs from either their EHR/EMR software or a device which connects a user to Electronic Protected Health Information (ePHI). The purpose behind this requirement is to look for abnormal activity. This abnormal activity could be the result of a rogue employee or a cyber-attack. This is a time-consuming task, and you may need to hire a third party to monitor these logs for you.
  4. Every practice must have a Breach Notification Plan and Security Incident Form. Most importantly, you must have an IRT (Incident Response Team) in place that includes an IT Professional, a Forensic IT Company, and a Healthcare Attorney along with your own personnel. After you suffer from a Data Breach is not the time to put this team together. Time is of the essence when notifying your patients. Federal law states you have 60 days to notify your patients that are involved in a Data Breach. However, some states are much more stringent, therefore State law would overrule Federal law. Some states now even require the State Attorney General be notified as well. Know your state law! For example, Florida state law requires a 30-day notice.
  5. Even if you utilize an IT vendor that is responsible for your data, you will still need to have a contingency plan in place in the event of a disaster or data problem. You will work hand in hand with your vendor, but it is your responsibility to have the documentation available.
  6. Medical practices that utilize the services of business associates are required under HIPAA to ensure the business associate is HIPAA compliant. Be sure to obtain a signed business associate agreement (BAA) with all your vendors that create, receive, maintain, or transmit protected health information (PHI). This agreement should include security requirements and information blocking criteria. If a practice does not have a BAA in place and the vendor causes a data breach, the practice may receive a fine for the violation. With a BAA in place, the practice may bear the financial burden of the breach but may not receive a fine. We recommend a BAA with indemnification and requirement that the business associate carry cyber liability insurance. Keep in mind, if your business associate utilizes subcontractors, the HIPAA rules apply to them as well.
  7. The Compliance Officer will need to work with their IT department/vendor to determine the flow of data in and out of your systems. With this information you will be able to determine where ePHI is located. Your network configuration will define which technical safeguards need to be in place. Some of these are “required” under HIPAA and others are “addressable”. Keep in mind, addressable does not mean optional. It means that you must have reasonable and appropriate safeguards in place based on your data flow and the size of your organization. Although the Compliance Officer may not understand the technical requirements, the Compliance Officer is required to have the documentation. The Compliance Officer should also know what procedures and documentation will be needed when it is time to replace computers and equipment. Documentation includes reports from the IT department/vendor. These reports can be utilized to document the recognized security practices you have in place, such as status reports, access logs, security patches, and an inventory of devices. For instance, even though encryption is not a “required” security standard, if your server, computer, or laptop is lost or stolen and it is not encrypted, you could be faced with a $1.9M fine.

Policies, procedures, and documentation are the backbone of HIPAA compliance.

This includes both the HIPAA privacy and security rules. Unfortunately, the rules can change. You must keep your policies up to date.

Many organizations have had a data breach or have been hit with ransomware. How likely is your staff to give out information? If a stranger walked up to you and asked you to verify your identity, would you give them any information? Of course not, but that is exactly what we are doing when we receive an email, text message, or phone call from someone or somewhere and simply trust that it is legitimate. In the old wild wild west, you could see danger on the horizon and prepare. The world wide web (WWW) is the new wild wild west; now dangers are invisible, and you have no way to prepare unless you have processes in place.

When a healthcare organization has a breach, it typically takes about 2 years for the Office for Civil Rights to complete their investigation. During that time, the organization will be required to submit documentation on their data security and what they will do to prevent this from happening in the future.

Now more than ever all organizations need to make sure their HIPAA Compliance Officer understands what is needed for data security. The FBI has stated cybercrime is on the rise. The hackers have become very sophisticated in their attacks!

The OCR is famous for saying, “If it’s not documented, it didn’t happen and doesn’t exist.” Documentation must be stored for a minimum of six (6) years; however, it can be digitally stored and not necessarily on paper.

Let’s all work together to keep patient data safe and secure. If you need assistance with HIPAA Compliance, check out our HIPAA Keeper. It’s an online compliance system that has everything you need to get compliant and stay compliant! Best of all you will have a HIPAA security analyst to guide you every step of the way!

For more information or to speak to someone about HIPAA Compliance call us at 877.659.2467 or use the contact us form.


Patient Right of Access – what does this really mean?

Patients’ right of access has extreme consequences if requests are not handled properly. It starts the moment a patient makes this request. HIPAA prohibits unreasonable measures when patients request access to their medical records.

Most practices think this request MUST be in writing. Although this is ideal, sometimes it can cause a problem when the patient is not able to come to the office. The first alternatives that come to mind are a fax machine or an email account. What do you do if they do not have access to any of these options? One method you can use is to verify the number you have on file and call them back at that number. Then ask for the last four digits of their Social Security number or other identifying information.

Keep in mind there is a time limit to this! Currently you have up to 30 days to comply with this request, and one 30-day extension (if you advise the patient/representative that you will need more time and you give them a date when the records will be available). We do not recommend waiting until the “29th” day. You should respond as soon as possible. NOTE: We expect this time frame to be reduced to 15 days, with one 15-day extension, this year. I cannot stress the importance of this enough because of the fines that have been assessed for non-compliance.

As of today, there have been 45 cases resolved under the OCR’s HIPAA Right of Access Initiative. Only a few fines were under $10K, most of the fines were upwards of $25K to $200K. Some of these fines were small dental practices and even cash practices for plastic surgery. The latest is $80K from UnitedHealthcare. No practice or health plan is immune!

Should your practice be investigated by the OCR because of ONE incident, they will investigate ALL areas of HIPAA compliance. It is important to stay on top of ALL areas. Don’t forget to review your website too!

The OCR sent out ANOTHER reminder about online tracking technologies. This is the 3rd notice, and includes the letters sent to hospitals and telehealth providers. They are actively reviewing healthcare websites. They specifically state the use of Meta/Facebook pixels and Google Analytics could be a violation.

https://www.hhs.gov/sites/default/files/ocr-ftc-letters-re-use-online-tracking-technologies.pdf

If you use any online technology that collects personal identifiers, you must have a business associate agreement in place. With that said, be very careful with what you do with this information. It only takes one patient complaint to start an investigation.

If you would like us to review your website, use the contact us page.

Click here to find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance.


The OCR and FTC are investigating online tracking technologies

We wrote about this back in December 2022, but the Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) have added an additional warning. The OCR has confirmed its active investigations nationwide to ensure compliance with HIPAA. The use of online tracking technologies and HIPAA requirements must be reviewed on all medical websites.

The OCR and the FTC are cautioning providers about the privacy and security risks when utilizing online tracking technologies. These may be integrated into websites or mobile apps. Depending on how they are created and set up, these technologies may be disclosing personal health information to third parties. Tracking technologies collect and analyze information when visitors use websites or apps. Most of the time, this information is shared directly with third parties, and the technologies may even track the visitor after they navigate away from the website or app.

Online tracking technology can be used for good, but patients should not have to sacrifice their personal information in the process. The OCR and FTC sent letters to 130 hospital systems and telehealth providers to emphasize the risks and concerns about the use of these technologies, such as the Meta/Facebook pixel and Google Analytics. These are just a couple that are known to track a user’s online activities. These tracking technologies gather identifiable information about visitors, usually without their knowledge.

The minimum necessary rule must be followed even with modern technology. This means only the minimum necessary information can be shared to complete the task, nothing more. The OCR enforces the HIPAA rules and will review all aspects of your compliance if they receive a complaint, or if you have a data breach.

The FTC’s role is protecting the public from deceptive or unfair business practices. This includes unfair methods of competition, promotion, research, and education. Through the FTC’s recent enforcement actions against BetterHelp, GoodRx, and Premom, the FTC has put companies on notice that they must monitor the flow of health information to third parties that use tracking technologies integrated into websites and apps. The unauthorized disclosure of such information may violate the FTC Act and could constitute a breach of security under the FTC’s Health Breach Notification Rule.

Companies not covered by HIPAA still have a responsibility to protect against the unauthorized disclosure of personal health information, even when a third party developed their website or mobile app. When working with a website designer or marketing group, be sure to fully vet them for their HIPAA compliance efforts, even if they have worked with other medical practices. Being HIPAA compliant is more complicated now with all the modern technology, and they must jump through the same hoops as a medical practice. Just because they say it will help you with your practice doesn’t mean it is acceptable under the HIPAA rules. Trust but verify!

Aris Medical Solutions has an online system called the HIPAA Keeper™, to help covered entities and business associates get compliant and stay compliant with HIPAA!

Or to schedule a demo click the contact us tab and scroll down.


To read about actual HIPAA fines, click on our Education tab!

Business Associate fined for a data breach UNDER 500 patient records

Most of us are familiar with fines for data breaches of over 500 patient records. This time a business associate was fined $75K for 267 records.

Covered entities are responsible for vetting their business associates. This includes making sure they understand the HIPAA rules, such as conducting risk assessments, determining vulnerabilities and how to mitigate them, and maintaining proper HIPAA policies and procedures. While it is unusual to see a fine like this for under 500 records, this says the Office for Civil Rights (OCR) is now setting fines for breaches under 500 patient records. If this business associate had done their due diligence and had tried to be HIPAA compliant, I truly doubt they would have been fined. Compliance can be achieved in 7 Steps with our HIPAA Keeper System!

Do not be afraid to ask who conducted their last risk analysis and when it was last updated. Ask if you may see a copy of their data security policies. Ask for their HIPAA training certificates or a training list of employees who will be working with your practice.

iHealth Solutions, LLC (doing business as Advantum Health), a Kentucky-based business associate that provides coding, billing, and onsite information technology services to health care providers has paid $75,000 to OCR and has agreed to implement a corrective action plan.

Under the terms of the settlement agreement, iHealth Solutions will be monitored by OCR for two years to ensure compliance with the HIPAA Security Rule. iHealth Solutions has agreed to take the following steps:

  • Conduct an accurate and thorough analysis of its organization to determine the possible risks and vulnerabilities to the electronic protected health information it holds;
  • Develop and implement a risk management plan to address and mitigate identified security risks and vulnerabilities to the confidentiality, integrity, and availability of its electronic protected health information;
  • Implement a process to evaluate environmental and operational changes that affect the security of electronic protected health information; and
  • Develop, maintain, and revise, as necessary, its written HIPAA policies and procedures.

Sound familiar? YES, this is what covered entities are required to do! Business associates and their subcontractors (business associates of business associates) are required under HIPAA to follow the same rules and regulations as covered entities. Making sure you have a business associate agreement (BAA) in place is only the first step!

Let your business associates know Aris Medical Solutions has an online system called the HIPAA Keeper™, to help them get compliant and stay compliant with HIPAA!

Or to schedule a demo click the contact us tab and scroll down.


To read about other actual fines, click on our Education tab!

Could terminating an employee trigger an OCR investigation?

When it is time to terminate an employee, it is never easy. Whether they are a short- or long-term employee, it can be difficult. Sadly, if you make a mistake you can end up with a complaint filed against you. These types of complaints can range from the wage and labor board, discrimination, or simply wrongful termination. This does not typically involve the Office for Civil Rights. However, if a disgruntled employee contacts the OCR to complain about ANOTHER issue, this could open the door for an OCR investigation. Best practice is to make sure you have proper HR policies in place alongside your HIPAA policies and procedures. Having an Employee Confidentiality Agreement is a good start to ensure your employees understand the requirements under HIPAA (which is included in our HIPAA Keeper™).

Now let’s talk about your employee manual. This is a must have for all organizations, small and large. This manual should have clear and concise guidelines so that employees understand the conditions of their employment and benefits they are entitled to. This should also include the hiring process and the termination of employment.

Here are some key areas that should be included in your employee manual:

  • Work eligibility – OIG exclusion requirements – Background checks (Random)
  • Employee classification – Full-time / Part-time
  • Exempt and non-exempt definition
  • Hours of work including flextime
  • Lunch and rest breaks
  • Overtime
  • Vacation – Sick – General paid time off (bereavement, jury duty, military, etc.)
  • Payday – Payroll deductions – Wage garnishments
  • Expense reimbursements
  • Advances
  • Employee benefits – Health Insurance – Workers’ Compensation – Etc.
  • Employee conduct – Attendance – Punctuality – Personal grooming
  • Employee sanctions – Insubordination – Termination
  • Personnel records
  • Use of company property – Internet use – Email – Etc.
  • Patient and employee privacy
  • Drug and alcohol use testing

There are other areas that should be included. These are just what comes to mind at first. If you do not have a complete employee handbook, contact us and we may be able to recommend a company that can help you.

As with HIPAA, employee documentation is VERY important!

If you are using our HIPAA Keeper™ 7-step system, you are well ahead of many other practices with HIPAA documentation. If you are not using our system, click here to find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance.

Or to schedule a demo click the contact us tab and scroll down.


©2024 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy