HIPAA Compliance News Archives

HIPAA Compliance Officer Responsibilities

Suze Shaffer October 2, 2023

Most practices cannot afford to hire a HIPAA Compliance Officer. So, practice owners often assign their Office Manager or their Practice Administrator for the HIPAA Compliance Officer Responsibilities. These responsibilities are so much more than just a title. Compliance Officers responsibilities include creating, implementing, maintaining, and enforcing compliance. Since they are not trained as a Compliance Officer, many times, HIPAA is placed on the back burner. There is not enough time in the day to keep up with the responsibilities of the “normal” work. Then they need to address the elephant in the room called “HIPAA”. The easiest way to manage this is to hire a HIPAA consulting company that will do the heavy lifting and be there to assist when needed. Policies, procedures, and documentation is the backbone of HIPAA compliance. This includes both the HIPAA privacy and security rules. Unfortunately, the rules can change. You must keep your policies up to date. For example, information blocking and exceptions have been added to the rules, and the right of access time limit may be reduced to 15 days.

If you do not have a company to assist you, let Aris Medical Solutions offer you a complimentary consultation. We want to be your HIPAA partner!

Here are some areas that need to be implemented:

Conduct a system wide risk analysis. This will include administrative, physical, and technical safeguards. There are free tools available to assist you, but keep in mind this is only a starting point. These tools do not include the remediation processes, policies and procedures, and documentation forms.
From the Risk Analysis, you will create a Risk Management Plan to document your mitigation process. This document will also include the reasonable and appropriate safeguards you have in place.
All entities (medical practices and business associates) that access or store Protected Health Information (PHI) must monitor audit logs from either their EHR/EMR software or a device which connects a user to Electronic Protected Health Information (ePHI). The purpose behind this requirement is to look for abnormal activity. This abnormal activity could be the result of a rogue employee or a cyber-attack. This is a time-consuming task and you may need to hire a third party to monitor these logs for you.
Every practice must have a Breach Notification Plan and Security Incident Form. Most importantly, you must have an IRT (Incident Response Team) in place that includes an IT Professional, a Forensic IT Company, and a Healthcare Attorney along with your own personnel. After you suffer from a Data Breach is not the time to put this team together. Time is of the essence when notifying your patients. Federal law states you have 60 days to notify your patients that are involved in a Data Breach. However, some states are much more stringent, therefore State law would overrule Federal law. Some states now even require the State Attorney General be notified as well. Know your state law! For example, Florida state law requires a 30-day notice.
Even if you utilize an IT vendor that is responsible for your data, you will still need to have a contingency plan in place in the event of a disaster or data problem. You will work hand in hand with your vendor, but it is your responsibility to have the documentation available.
Medical practices that utilize the services of business associates are required under HIPAA to ensure the business associate is HIPAA compliant. Be sure to obtain a signed business associate agreement (BAA) with all your vendors that create, receive, maintain, or transmit protected health information (PHI). This agreement should include security requirements and information blocking criteria. If a practice does not have a BAA in place and the vendor causes a data breach, the practice may receive a fine for the violation. With a BAA in place, the practice may bear the financial burden of the breach but may not receive a fine. We recommend a BAA with indemnification and requirement that the business associate carry cyber liability insurance. Keep in mind, if your business associate utilizes subcontractors, the HIPAA rules apply to them as well.
The Compliance Officer will need to work with their IT department/vendor to determine the flow of data in and out of your systems. With this information you will be able to determine where ePHI is located. Your network configuration will define which technical safeguards need to be in place. Some of these are “required” under HIPAA and others are “addressable”. Keep in mind, addressable does not mean optional. It means that you must have reasonable and appropriate safeguards in place based on your data flow and size of your organization. Although the Compliance Officer may not understand the technical requirements, it is required for the Compliance Officer to have the documentation. Also, what procedures and documentation will be needed when it is time to replace computers and equipment. Documentation includes reports from the IT department/vendor. These reports can be utilized to document the recognized security practices you have in place such as: status reports, access logs, security patches, and an inventory of devices. For instance, even though encryption is not a “required” security standard, if your server, computer, or laptop is lost or stolen and it is not encrypted, you could be faced with a $1.9M fine.

Policies, procedures, and documentation are the backbone of HIPAA compliance.

This includes both the HIPAA privacy and security rules. Unfortunately, the rules can change. You must keep your policies up to date.

Many organizations have had a data breach or have been hit with ransomware. How likely is your staff to give out information? If a stranger walked up to you and asked you to verify your identity, would you give them any information? Of course not, but that is exactly what we are doing when we receive an email, text message, or phone call from someone or somewhere, we trust that it is legitimate. In the old wild wild west, you could see danger on the horizon and prepare. The world wide web (WWW) is the new wild wild west, now dangers are invisible, and you have no way to prepare unless you have processes in place.

When a healthcare organization has a breach, it typically takes about 2 years for the Office for Civil Rights to complete their investigation. During that time, the organization will be required to submit documentation on their data security and what they will do to prevent this from happening in the future.

Now more than ever all organizations need to make sure their HIPAA Compliance Officer understands what is needed for data security. The FBI has stated cybercrime is on the rise. The hackers have become very sophisticated in their attacks!

The OCR is famous for saying… If it’s not documented, it didn’t happen and doesn’t exist. Documentation must be stored for a minimum of six (6) years; however, it can be digitally stored and not necessarily on paper.

Let’s all work together to keep patient data safe and secure. If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. It’s an online compliance system that has everything you need to get compliant and stay compliant! Best of all you will have a HIPAA security analyst to guide you every step of the way!

“Simplifying HIPAA through Automation, Education, and Support”

Patient Right of Access – what does this really mean?

Suze Shaffer September 1, 2023September 6, 2023

Patients’ right of access has extreme consequences if they are not handled properly. It starts the moment a patient makes this request. HIPAA prohibits unreasonable measures when patients request access to their medical records.

Most practices think this request MUST be in writing. Although this is ideal, sometimes it can cause a problem when the patient is not able to come to the office. The first alternative we are thinking of is using a fax machine or an email account. What do you do if they do not have access to any of these options? One method you can use is to verify the number you have on file and call them back at that number. Then asking for the last 4 of their social security number, or another identifying information.

Keep in mind there is a time limit to this! Currently you have up to 30 days to comply with this request, and one 30-day extension (if you advise the patient/representative that you will need more time and you give them a date when they will be available). We do not recommend waiting until the “29^th” day. You should respond as soon as possible. NOTE: We expect this time frame to be reduced to 15 days, with one 15-day extension this year. The reason I can’t stress the importance of this enough is due to the fines that have been assessed for non-compliance.

As of today, there have been 45 cases resolved under the OCR’s HIPAA Right of Access Initiative. Only a few fines were under $10K, most of the fines were upwards of $25K to $200K. Some of these fines were small dental practices and even cash practices for plastic surgery. The latest is $80K from UnitedHealthcare. No practice or health plan is immune!

Should your practice be investigated by the OCR because of ONE incident, they will investigate ALL areas of HIPAA compliance. It is important to stay on top of ALL areas. Don’t forget to review your website too!

The OCR sent out ANOTHER reminder about online tracking technologies. This is the 3^rd notice, and includes the letters sent to hospitals and telehealth providers. They are actively reviewing healthcare websites. They specifically state the use of Meta/Facebook pixels and Google Analytics could be a violation.

https://www.hhs.gov/sites/default/files/ocr-ftc-letters-re-use-online-tracking-technologies.pdf

If you use any online technology that collects personal identifiers, you must have a business associate agreement in place. With that said, be very careful with what you do with this information. It only takes one patient complaint to start an investigation.

If you would like us to review your website, use the contact us page.

Click here to find out more how our online HIPAA Keeper™ can help your organization with HIPAA Compliance.

“Simplifying HIPAA through Automation, Education, and Support”

The OCR and FTC are investigating online tracking technologies

Suze Shaffer August 1, 2023

We wrote about this back in December 2022, but the Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) has added an additional warning. The OCR has confirmed its active investigations nationwide to ensure compliance with HIPAA.

The OCR and the FTC are cautioning providers about the privacy and security risks when utilizing online tracking technologies. These may be integrated into websites or mobile apps. Depending on how they are created and set up, these technologies may be disclosing personal health information to third parties. Tracking technologies collect and analyze information when visitors use websites or apps. Most of the time, this information is shared directly with third parties and even track the visitor when they navigate away from the website or app.

Online tracking technology can be used for good, but patients should not have to sacrifice their personal information in the process. The OCR and FTC sent letters to 130 hospital systems and telehealth providers to emphasize the risks and concerns about the use of these technologies, such as the Meta/Facebook pixel and Google Analytics. These are just a couple that are known to track a user’s online activities. These tracking technologies gather identifiable information about visitors, usually without their knowledge.

The minimum necessary rule must be followed even with modern technology. This means only the minimum necessary information can be shared to complete the task, nothing more. The OCR enforces the HIPAA rules and will review all aspects of your compliance if they receive a complaint, or if you have a data breach.

The FTC’s role in is protecting the public from deceptive or unfair business practices. This includes unfair methods of competition, promotion, research, and education. Through FTC’s recent enforcement actions against BetterHelp, GoodRx, and Premom, the FTC has put companies on notice that they must monitor the flow of health information to third parties that use tracking technologies integrated into websites and apps. The unauthorized disclosure of such information may violate the FTC Act and could constitute a breach of security under the FTC’s Health Breach Notification Rule.

Companies not covered by HIPAA still have a responsibility to protect against the unauthorized disclosure of personal health information—even when a third party developed their website or mobile app. When working with a website designer or marketing group, be sure to fully vet them for their HIPAA compliance efforts. Even if they have worked with other medical practices. Being HIPAA compliant is more complicated now with all the modern technology and they must jump through the same hoops as a medical practice. Just because they say it will help you with your practice, doesn’t mean it is acceptable under the HIPAA rules. Trust but verify!

Aris Medical Solutions has an online system called the HIPAA Keeper™, to help covered entities and business associates get compliant and stay compliant with HIPAA!

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

To read about actual HIPAA fines, click on our Education tab!

Business Associate fined for a data breach UNDER 500 patient records

Suze Shaffer June 30, 2023

Most of us are familiar with fines for data breaches of over 500 patient records. This time a business associate was fined $75K for 267 records.

Covered entities are responsibility to vet their business associates. This includes making sure they understand the HIPAA rules. Such as, conducting risk assessments, determining vulnerabilities and how to mitigate them, and maintaining proper HIPAA policies and procedures. While it is unusual to see a fine like this for under 500 records, this says the Office for Civil Rights (OCR) is now setting fines for breaches under 500 patient records. If this business associate had done their due diligence and had tried to be HIPAA compliant, I truly doubt they would have been fined. Compliance can be achieved in 7 Steps with our HIPAA Keeper™ System!

Do not be afraid to ask who conducted and when their last risk analysis was updated. Ask if you may see a copy of their data security policies. Ask for their HIPAA training certificates or a training list of employees who will be working with your practice.

iHealth Solutions, LLC (doing business as Advantum Health), a Kentucky-based business associate that provides coding, billing, and onsite information technology services to health care providers has paid $75,000 to OCR and has agreed to implement a corrective action plan.

Under the terms of the settlement agreement, iHealth Solutions will be monitored by OCR for two years to ensure compliance with the HIPAA Security Rule. iHealth Solutions has agreed to take the following steps:

Conduct an accurate and thorough analysis of its organization to determine the possible risks and vulnerabilities to the electronic protected health information it holds;
Develop and implement a risk management plan to address and mitigate identified security risks and vulnerabilities to the confidentiality, integrity, and availability of its electronic protected health information;
Implement a process to evaluate environmental and operational changes that affect the security of electronic protected health information; and
Develop, maintain, and revise, as necessary, its written HIPAA policies and procedures.

Sound familiar? YES, this is what covered entities are required to do! Business associates and their subcontractors (business associates of business associates) are required under HIPAA to follow the same rules and regulations as covered entities. Making sure you have a business associate agreement (BAA) in place is only the first step!

Let your business associates know Aris Medical Solutions has an online system called the HIPAA Keeper™, to help them get compliant and stay compliant with HIPAA!

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

To read about other actual fines, click on our Education tab!

Could terminating an employee trigger an OCR investigation?

Suze Shaffer May 1, 2023May 2, 2023

We have been asked this several times, so we decided to write a notification about this subject.

When it is time to terminate an employee, it is never easy. Whether they are a short- or long-term employee, it can be difficult. Sadly, if you make a mistake you can end up with a complaint filed against you. These types of complaints can range from the wage and labor board, discrimination, or simply wrongful termination. This does not typically involve the Office for Civil Rights. However, if a disgruntled employee contacts the OCR to complain about ANOTHER issue, this could open the door for an OCR investigation. Best practice is to make sure you have proper HR policies in place alongside your HIPAA policies and procedures. Having an Employee Confidentiality Agreement is a good start to ensure your employees understand the requirements under HIPAA (which is included in our HIPAA Keeper™).

Now let’s talk about your employee manual. This is a must have for all organizations, small and large. This manual should have clear and concise guidelines so that employees understand the conditions of their employment and benefits they are entitled to. This should also include the hiring process and the termination of employment.

Here are some key areas that should be included in your employee manual:

Work eligibility – OIG exclusion requirements – Background checks (Random)
Employee classification- fulltime/ part time
Exempt and non-exempt definition
Hours of work including flextime
Lunch and rest breaks
Overtime
Vacation – Sick – General paid time off (bereavement, jury duty, military, etc.)
Payday – Payroll deductions- Wage garnishments
Expense reimbursements
Advances
Employee benefits – Health Insurance – Workers’ Compensation – Etc.
Employee conduct – Attendance – Punctuality – Personal grooming
Employee sanctions – Insubordination – Termination
Personnel records
Use of company property – Internet use – Email – Etc.
Patient and employee privacy
Drug and alcohol use testing

There are other areas that should be included. These are just what comes to mind at first. If you do not have a complete employee handbook, contact us and we may be able to recommend a company that can help you.

As with HIPAA, employee documentation is VERY important!

If you are using our HIPAA Keeper™ 7-step system, you are well ahead of many other practices with HIPAA documentation. If you are not using our system, Click here to find out more how our online HIPAA Keeper™ can help your organization with HIPAA Compliance.

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

OCR announces the formation of a new Enforcement Division

Suze Shaffer April 3, 2023April 3, 2023

Is more HIPAA Enforcement on the way?

The U.S. Department of Health and Human Services (HHS), through the Office for Civil Rights (OCR), announced the formation of a new Enforcement Division, Policy Division, and Strategic Planning Division.

The newly established Strategic Planning Division will coordinate the OCR’s authorities to protect civil rights and health information privacy as well as expand data analytics and coordinate data collection across the HHS leadership.

“As a trusted advisor and leader of the newly established division, Luis Perez will direct the standalone Enforcement Division that will provide vital integration between our regional offices and headquarters staff to swiftly investigate and determine appropriate steps for all complaints we receive,” said Director Fontes Rainer. “This structure will enable OCR staff to leverage its deep expertise and skills to ensure that we are protecting individuals under the range of federal laws that we are tasked with enforcing.”

The OCR will rename the Health Information Privacy Division (HIP) to the Health Information Privacy, Data, and Cybersecurity Division (HIPDC).

The OCR’s caseload has multiplied in recent years, increasing to over 51,000 complaints in 2022.

There were approximately 33,660 related to health care. If you calculate this into 246 workdays (including vacation time), this equals to about 137 per day and 20 per hour! Of these, 717 were investigated, equating to nearly 3 per business day.

By the time you finish reading this blog you could be next!

Would the Office for Civil Rights open an investigation for:

Missing your Notice of Privacy Practices on your website, or missing a patient signature for it, probably not.
For an incorrect patient sign-in sheet, probably not.
Lack of no-surprise billing notice on your website, probably not.

Would the Office for Civil Rights open an investigation for:

Privacy complaint from a patient, YES.
Information blocking complaint from a patient, YES.
Report from a disgruntled employee, YES.

HOWEVER, one patient or disgruntled employee’s complaint opens the door for the OCR. Then, they will review ALL your HIPAA compliance efforts. Including the items listed above that they would not start an investigation with. With this new enforcement division, this has crossed a new threshold.

Is your practice at risk of being one of the three to be investigated tomorrow? The best way to avoid a HIPAA desk audit is through proper HIPAA documentation.

Most investigations can be avoided by supplying the OCR with proper documentation! How well do you trust yours?

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

HIPAA Audits and Penalties have been requested to increase in 2023

Suze Shaffer March 1, 2023March 1, 2023

The Department of Health and Human Services (HHS) delivered their annual report to congress and noted there have been significant increases in HIPAA complaints and large breaches. They also noted that there have not been increases in appropriations during the same time frame. The Office for Civil Rights (OCR) requested that the HITECH civil monetary penalty caps be increased in the HHS FY 2023 Discretionary A-19 Legislative Supplement that was sent to Congress.

The Annual Report to Congress on Breaches of Unsecured Protected Health Information identifies the number and nature of breaches of unsecured protected health information (PHI) that were reported to the Secretary of HHS during calendar year 2021 and the actions taken in response to those breaches. It also highlights the continued need for regulated entities to improve compliance with the HIPAA Security Rule requirements, including:

risk analysis and risk management
information system activity review
audit controls
access controls

The OCR Director Melanie Fontes Rainer stated, “We will continue to provide guidance and technical assistance on compliance with the HIPAA Rules, as well as a vigorous enforcement program to address potential HIPAA violations.”

Enforcement Process

The OCR is in charge of enforcing the HIPAA Rules. They start my investigating written complaints and conducting reviews to determine if the covered entity or business associates failed to comply with the HIPAA Rules. The OCR will only act upon complaints that meet certain requirements. These include:

The violation must occur after the HIPAA Rules have been required.
The complaint must be filed against an entity that is required to adhere to the HIPAA Rules.
The complaint must describe the activity that violated the HIPAA Rules.
The complaint must be filed within 180 days of the occurrence. The OCR may waive this requirement if the individual shows good cause for being unable to file within the time frame requirement.

The OCR must determine whether the complaint is eligible for enforcement action. If the case is not within the OCR’s jurisdiction, the case will be closed. If the complaint is eligible for enforcement action, the OCR often provides technical assistance to resolve the case without further investigation.

In addition, OCR’s compliance activities include conducting audits and providing education and support with the HIPAA Rules. When necessary, the OCR has authority to issue subpoenas to encourage cooperation with an investigation.

The OCR may also initiate a compliance review investigation when they learn that the breach was caused by the covered entity’s business associate and open a compliance review of the business associate.

Compliance Reviews

The HIPAA Rules provide that the Secretary may open compliance review investigations of covered entities and business associates based on an event or incident brought to OCR’s attention, such as through the media, referrals from other agencies, or based upon patterns identified through multiple complaints alleging the same or similar violations against the same entity. Multiple complaints of the same or similar violations demonstrate systemic compliance deficiencies. These are typically investigated under one transaction for the purpose of achieving compliance.

Investigations

Once an investigation is initiated, the OCR will collect evidence through witness statements, interviews, requests for reports from the entity, and site visits. It is required by law that all entities involved must cooperate. If the event implicates criminal activity, the OCR may refer the complaint to the Department of Justice (DOJ). Keep in mind, if the DOJ declines the case, the OCR may review for potential civil violations and investigate the case.

Sometimes the OCR may determine there isn’t enough evidence to support the entity violated the HIPAA Rules. In these cases, the OCR will send a letter closing the case and explaining the results of the investigation.

In the cases where the OCR determines that the covered entity or business associate was not in compliance the OCR will generally try to resolve the case by obtaining voluntary compliance through corrective action which may include a resolution agreement.

Resolution Agreements

When the OCR discovers non-compliance due to willful neglect or where the scope and scope warrants additional enforcement action, the OCR will pursue a resolution agreement with a payment settlement amount. This also includes a corrective action plan (CAP). The OCR is willing to negotiate the terms of the resolution agreement and the payment amount may be reduced from the amount that they are actually liable for. The amount is based on the entity’s ability to pay, keep in mind, that may be quite different than what the entity thinks. Also, in most cases the resolution agreement includes the requirement to fix the issues and to be monitored for a period of time.

Civil Money Penalties (CMP)

If the entity involved is not able to reach a satisfactory agreement to resolve the issues or if the entity violates the resolution agreement, the OCR may pursue formal enforcement action. If a CMP is proposed the entity may request a hearing in which a Departmental administrative law judge decides if the CMP is warranted based on the evidence presented. Answering this is very important, if the entity does not request a hearing within 90 days of the OCR’s proposed determination, the OCR will issue a final determination and impose a CMP.

Audits

The HITECH Act requires HHS to perform periodic audits of covered entities and business associates to ensure they are compliant with the HIPAA Rules. These are known as random audits since they are not initiated by any incident.

The OCR did not initiate any audits in 2021 and is currently developing the criteria for implementing future audits.

What this means is… make sure your compliance efforts are documented and organized to ensure you will survive an audit without penalties.

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

Right of Access – Time limit on Medical Records Requests

Suze Shaffer February 1, 2023April 3, 2023

When a patient or a patient’s representative requests a copy of medical records it is very important to act promptly. Currently you have 30 days to comply with this request, and one 30-day extension (if you advise the patient/representative that you will need more time and you give them a date when they will be available). We expect this time frame to be reduced to 15 days, with one 15-day extension this year. The reason I can’t stress the importance of this enough is due to the fines that have been assessed for non-compliance. As of today, there have been 43 cases resolved under the OCR’s HIPAA Right of Access Initiative. Only a few fines were under $10K, most of the fines were upwards of $25K to $200K.

Another area that we must stress the importance of is disgruntled employees, patient complaints, and data breaches. Should your practice be investigated by the OCR because of ONE incident, they will investigate ALL areas of HIPAA compliance. It is important to stay on top of ALL areas. Don’t forget to review your website too!

One special note: If you use a Contact Us form on your website, you must use encryption on your website (https), to ensure the data transmitted is secure. Then you must review where these messages are delivered to and to which devices. Many website developers do not under the HIPAA rules and offer website features that may cause liability if not properly protected. Again, this also includes the devices utilized to receive the information and how this information is stored. If you do not receive very many of these messages, we recommend removing the liability.

In case you have not seen some examples of the fines, check out our Education Tab:

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

HIPAA 2022-2023 Proposed Changes

Suze Shaffer January 3, 2023January 4, 2023

Happy New Year! As we look back on 2022, we noticed that the Office for Civil Rights (OCR) has really started enforcing the Patients Right of Access. To see a list of fines and resolutions agreements, check out our What are some of the actual HIPAA fines page.

Here is a recap of what you need to be aware of:

1. Information Blocking – Information blocking is a practice by an “actor” that is likely to interfere with the access, exchange, or use of electronic health information (EHI). This rule was created to promote the flow of patient data between providers, patients, and the developers of Health IT. This included electronic health information (EHR) providers. If an actor is found to “block” the flow of information, they can receive up to a $1M fine. It is important to note that The Cures Act established two different “knowledge” standards for actors’ practices within the statute’s definition of “information blocking.” For health IT developers of certified health IT, as well as HIEs/HINs, the law applies the standard of whether they know, or should know, that a practice is likely to interfere with the access, exchange, or use of EHI. For healthcare providers, the law applies the standard of whether they know that the practice is unreasonable and is likely to interfere with the access, exchange, or use of EHI.

There are two categories of exceptions and eight exceptions to this rule.

Exceptions that involve not fulfilling requests to access, exchange, or use ePHI.

a. Preventing harm

b. Privacy

c. Security

d. Infeasibility

e. Health IT performance

Exceptions that involve procedures for fulfilling requests to access, exchange, or use ePHI.

f. Licensing

g. Fees

h. Content and manner

Although this is not enforced by the OCR, the HHS’ Office of the National Coordinator for Health Information Technology (ONC) is the agency that has authority to review claims of possible information blocking against health IT developers of certified health IT that may constitute a non-conformity under the ONC Health IT Certification Program. Separately, the HHS OIG has authority to investigate claims of possible information blocking across all types of actors: health care providers, health information networks and health information exchanges, and health IT developers of certified health IT.

Between April 5, 2021 and November 30, 2022, there have been 560 submissions for information blocking and only 43 that did not appear to be a claim of blocking.

Remember, when a patient requests their information to be shared, do not say no, make sure you check with your technology vendors to see if it would be possible.

2. Recognized Security Practices – This is known as the Safe Harbor Act that was passed into law to encourage medical practices and business associates to implement best practices for cybersecurity. Organizations that have completed their HIPAA Security Analysis, reduced their risks, and documented their security practices are looked upon more favorably during an investigation for a data breach. Keep in mind that penalties will not be increased if you have not completed this process. Penalties will remain as the standard permits and the entity’s ability to pay.

3. Charges for medical records – If your office charges for medical records, HIPAA requires your office to post these charges and to notify patients requesting records of the charges.

4. Hospitals must post clear and accessible pricing information online about items and services they provide in two ways. 1. As a comprehensive machine-readable file with all items and services. 2. In a consumer-friendly format that is shoppable.

5. Good Faith Estimates – All facilities must post the HHS Notice, “Right to Receive a Good Faith Estimate of Expected Charges,” on the provider’s or facility’s website, in the office, and onsite where scheduling or questions about the cost of items or service occur. The information must be prominently displayed and published in accessible formats and presumably available in languages spoken by the patient.
The provider or facility must provide a good faith estimate of expected charges for items and services to an uninsured, self-pay individual, or an individual who does not wish file a claim with their insurance company.

6. No Surprise Billing aka as balance billing. Health care providers and facilities must provide an easy-to-understand notice explaining the applicable billing protections, who to contact if the patient has concerns that a provider or facility has violated the protections, and that patient consent is required to waive billing protections (patients must receive notice of and consent to being balance billed by an out-of-network provider).

7. HIPAA updates for 2023 – There are many proposed changes, but the final dates and enforcement dates have yet to be determined. A few notable changes that have been proposed are:

a. Adding the right to inspect their PHI in person, permit taking notes, or taking pictures of their PHI

b. Reducing the covered entities time from 30 days to 15 days to a request for access to PHI. The covered entity will have an opportunity for an extension of no more that 15 calendar days (from the current 30 days extension)

c. Reducing the identity verification burden on individuals exercising their access rights

d. Specifying when electronic PHI (ePHI) must be provided to the individual at no charge

e. Requiring covered entities to inform individuals that they retain their right to obtain or direct copies of PHI to a third party when a summary of PHI is offered in lieu of a copy

f. Replacing the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their ‘‘professional judgment’’ with a standard permitting such uses or disclosures based on a covered entity’s good faith belief that the use or disclosure is in the best interests of the individual

g. Requiring covered health care providers and health plans to respond to certain records requests received from other covered health care providers and health plans when directed by individuals pursuant to the right of access

There are many others, and we are watching all of them. The effective date of a final rule will be 60 days after publication. Covered entities and their business associates would have until the ‘‘compliance date’’ to establish and implement policies and practices to achieve compliance with any new or modified standards. Except as otherwise provided, 45 CFR 160.105 provides that covered entities and business associates must comply with the applicable new or modified standards or implementation specifications no later than 180 days from the effective date of any such change.

The Department previously noted that the 180-day general compliance period for new or modified standards would not apply where a different compliance period is provided in the regulation for one or more provisions.

The Department believes that compliance with the proposed modifications should require no longer than the standard 180-day period provided in 45 CFR 160.105, and thus proposes a compliance date of 180 days after the effective date of a final rule. Accordingly, OCR would begin enforcement of the new and revised standards 240 days after publication of a final rule.

Click here to find out more how our online HIPAA Keeper™ can help your organization with HIPAA Compliance.

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

Scammers never sleep

Suze Shaffer December 14, 2022December 14, 2022

Scammers are always busy trying different tactics to get to your wallet. During holidays is no different. Bad actors use the holidays and people’s goodwill to fool them into giving. Be careful of offers that are too good to be true, and only shop on reputable sites. Some emails look legitimate, and you must look closely at them to see that they are not. First look at the “from” email address, not just the name from whom it is coming from. The difference may be as subtle as a “.” in between the name or website address. Secondly you can view the message details and from there find where the email IP address originated from. In Outlook, click the three “…” in the upper right corner of the message, scroll down to “view”, then “view message details”. There are many IP lookup sites on the internet. Many of these scams are generated from overseas. As always, do not click on links in emails. Open your browser and search for the site or product from there.

Another method criminal target is through texts messages or voice mails. Again, do not click on links or call the number they send. Look it up! If it appears to be from your bank, call your bank. If it appears it is from your credit card company, call your card company. Our phones now are directly linked to our personal information and can be hacked as well.

The Social Security Administration warns people that fraudsters are calling/texting and asking people to verify information to receive the 2023 cost-of-living increase for people who receive benefits. The increase is automatic and does not need to be verified. Please advise everyone you know that receive these benefits, especially the elderly who fall for these scams. Remind them, scammers typically say there is a problem with their account (social security, missed jury notice, credit card, etc.) and will try to pressure them to act immediately. Then you must pay in a specific manner, and sometimes will want to remain on the line while making the transaction. Even if this means driving to a store to buy gift cards.

If you receive a questionable call, text, or email, hang up or don’t respond and report it at oig.ssa.gov/report. Scammers frequently change their methods with new tactics and messages to trick people. Stay up to date on the latest news and advisories by following SSA’s Office of the Inspector General on LinkedIn, Twitter, and Facebook or subscribing to receive email alerts.

To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:

https://arismedicalsolutions.com/aris-hipaa-compliance-system-for-medical-offices/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”