PIH Health, Inc. (PIH), a California health care network, has agreed to pay the OCR $600,000. The violations stem from an email phishing attack that exposed unsecured electronic protected health information (ePHI).
The settlement resolves an investigation that OCR conducted after receiving a breach report from PIH in January 2020. The breach report stated that in June 2019, a phishing attack compromised forty-five of its employees’ email accounts, resulting in the breach of 189,763 individuals’ unsecured ePHI. PIH reported that the ePHI disclosed in the phishing attack included affected individuals’ names, addresses, dates of birth, driver’s license numbers, Social Security numbers, diagnoses, lab results, medications, treatment and claims information, and financial information.
“Hacking is one of the most common types of large breaches reported to OCR every year,” said OCR Acting Director Anthony Archeval. “HIPAA-regulated entities need to be proactive and remedy the deficiencies in their HIPAA compliance programs before those deficiencies result in the impermissible disclosure of patients’ protected health information.”
Under the terms of the resolution agreement, PIH has agreed to implement a corrective action plan that will be monitored by OCR for two years and paid a $600,000 settlement to OCR. Under the corrective action plan, PIH is obligated to take definitive steps toward resolving potential violations of the HIPAA Rules, including:
Conducting an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI.
Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis.
Developing, maintaining, and revising, as necessary, its written policies and procedures to comply with the HIPAA Rules.
Training its workforce members who have access to PHI on its HIPAA policies and procedures.
Phishing attacks continue to pose a significant threat to the healthcare industry, exploiting human error to gain unauthorized access to sensitive patient data. These attacks typically involve deceptive emails or messages that trick staff into revealing login credentials, clicking malicious links, or downloading malware.
Due to the highvalue of protected health information (PHI) on the black market, healthcare organizations are prime targets for cybercriminals. Successful phishing breaches can lead to widespread data exposure, operational disruption, regulatory penalties, and loss of patient trust.
In recent years, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has intensified enforcement actions against healthcare entities that fail to implement adequate phishing defenses, such as employee training, risk assessments, and email security tools. As phishing tactics grow more sophisticated, healthcare organizations must prioritize a layered cybersecurity approach to protect against these persistent threats.
Securing email accounts is critically important, especially in sectors like healthcare, where sensitive information is routinely exchanged. Email is often the gateway to an organization’s internal systems and can serve as a direct path for cybercriminals to access protected health information (PHI), financial data, and other confidential content. Unsecured email accounts are particularly vulnerable to phishing attacks, credential theft, and unauthorized access, all of which can lead to data breaches, regulatory fines, and reputational damage.
What to do to prevent a Breach?
Implementing strong passwords, multi-factor authentication (MFA), encryption, and regular staff training are essential steps in safeguarding email communications. By fortifying email security, organizations not only reduce the risk of cyberattacks but also demonstrate a proactive commitment to protecting patients, and organizational data.
OCR recommends that health care providers, health plans, health care clearinghouses, and business associates that are covered by HIPAA take the following steps to mitigate or prevent cyber-threats:
Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
Integrate risk analysis and risk management into business processes regularly.
Ensure audit controls are in place to record and examine information system activity.
Implement regular review of information system activity.
Utilize multi-factor authentication to ensure only authorized users are accessing ePHI.
Encrypt ePHI to guard against unauthorized access to ePHI.
Incorporate lessons learned from incidents into the overall security management process.
Provide training specific to organization and job responsibilities and on regular basis; reinforce workforce members’ critical role in protecting privacy and security.
If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. Our online compliance system has everything you need to get compliant and stay compliant. Your HIPAA Compliance Officer will have a HIPAA security analyst to guide and assist them every step of the way!
For more information or to speak to someone about HIPAA Compliance call us at 877.659.2467 or use the contact us form.
In 2025 and beyond there are many HIPAA updates that are occurring in the healthcare arena. Staff education and patient privacy are front and center of the OCR. You can be fined for HIPAA violations and be required to implement a corrective action plan that will be monitored by OCR for three years. There are significant changes to the HIPAA privacy rule and the security rule.
Notice of Privacy Practices must be updated to include Health Information Exchanges (HIEs).
Reproductive healthcare and how you protect privacy (this may change).
Substance Abuse and Mental Health Services Administration updates.
A Patient’s right of access may be reduced to 15 days, and immediate in some cases. Patient right of access has been a major problem with complaints resulting in fines from $3,500 to over $250K.
New patient authorization attestation requirements.
The posting of estimated fee schedules may be required.
Information blocking guidelines, this includes a patient’s request for their records in the format of their choice.
Non-discrimination notices with specific terminology (in 15 languages) on websites and in offices.
Language assistance notice (and staff training on the tools utilized).
Conscience rights notice.
Website accessibility requirements. The ADA requires that people with disabilities have equal access to information. An inaccessible website, mobile app, or kiosk can exclude people just as much as steps at an entrance to a physical location.
The updated HIPAA training requirements for 2025 bring several significant changes. The most notable is the emphasis on cybersecurity.
Cybersecurity awareness is a critical component, and employees must be trained in recognizing and responding to potential cyber threats. This includes:
understanding how to identify phishing attempts,
using strong passwords, and
implementing multi-factor authentication.
Data security proposed changes:
Healthcare providers and their business associates (BAs) may be required to implement enhanced administrative, physical, and technical safeguards for electronic protected health information (ePHI). This includes requiring written procedures for restoring electronic information systems and data within 72 hours. Adding specific compliance time periods for many of the existing requirements. Providers could be required to conduct a compliance audit at least every 12 months and to verify BAs that they have implemented the technical safeguards required under the HIPAA Security Rule. Keep in mind, all entities involved with ePHI must comply with the HIPAA security rule including subcontractors of BAs, this enhancement refers to reviewing/auditing every year.
Healthcare providers may be required to conduct more frequent and thorough risk assessments of their IT infrastructure. The requirement of maintaining an asset inventory and a network map, that illustrates the movement of ePHI throughout the organization’s environment. This is already a requirement under the HIPAA security rule, but the proposed rule will require this to be updated on an ongoing basis, or at least once a year. Also, reviewing their Security Incident Response Plans and documenting how employees are to report suspected or known security incidents and how the entity will respond.
Medical practices would need to utilize anti-malware/ anti-virus systems including remote users. Require vulnerability scanning every 6 months, and penetration testing once a year.
Healthcare providers would need to update legacy systems, since outdated legacy systems are seen as a significant vulnerability. Under the proposed updates, entities may face stricter obligations to retire or upgrade unsupported software.
ePHI would require higher levels of encryption both at rest and in transit and multi-factor authentication (MFA) will need to be utilized, along with continuous network monitoring to detect threats in real time.
Keep in mind, cyber-security is essential for patient privacy and safety.
The Healthcare and Public Health Sector Coordinating Council (HSCC)Cybersecurity Working Group (CWG) is working with the Trump Administration to initiate a one-year consultative process with leaders of the healthcare sector to negotiate sound cybersecurity practices that all healthcare stakeholders can be held accountable to.
HSCC Cybersecurity Working Group Executive Director Greg Garcia said “The healthcare industry is now targeted by more cyber-attacks than any other industry sector. If our healthcare owners and operators are to keep up with the evolution of healthcare delivery, technology innovation, and adversarial cyber threats across our vastly interconnected ecosystem, we need our government as a partner in this mission.”
Those involved in cyber-security in the healthcare space understand the need for greater protection but also believe there are many moving parts that need to be coordinated in order to be effective.
Although these proposed changes are being negotiated, the best practice is for all entities involved with patient data to conduct a system wide risk analysis and review how data flows in and out of your network. Once this has been determined, you can address cyber-security for your particular network. This is not a one size that fits all. This is where you need a partner that specializes in data security and not an average IT company. This sounds like a lot of work, but not when you have the right partners in place.
Summary
Our HIPAA Keeper™ online compliance system has everything needed for HIPAA compliance documentation. Plus, we work with business partners that are HIPAA compliant as well. So, whatever your need is, we have you covered!
“Simplifying HIPAA through Automation, Education, and Support”
Feel free to share this blog with your colleagues. We want to educate as many practices as we can since HIPAA violations can be expensive. If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. It’s an online compliance system that has everything you need to get compliant and stay compliant! Best of all you will have a HIPAA security analyst to guide you every step of the way!
For more information or to speak to someone about HIPAA Compliance call us at 877.659-2467 or use the contact us form.
In today’s digital age, scams and hackers have become increasingly sophisticated, targeting individuals and businesses alike with tactics that are harder to detect and easier to fall for. From phishing emails and fake websites to ransomware attacks and identity theft, the threats are constantly evolving. As our reliance on technology grows, so does the importance of understanding how these cybercriminals operate and what steps we can take to protect ourselves. This article dives into the world of online scams and hackers, uncovering their methods, motivations, and most importantly, how to stay one step ahead.
Facebook Scammer
One of the recent disruptors is when your Facebook account is hi-hacked, and you are locked out of your account, and you can’t remove the post. This has happened to more than one of my friends. This is what it sounds like:
They state they need to sell personal items for a family member due to the family member going to a care facility or having a medical condition. They list SEVERAL valuable items at very low cost, and ask for a “REFUNDABLE” deposit, to hold until they “return” and you have a chance to inspect the item. They state they will be out of town for a couple of weeks and are sad to have to clear out the home of this beloved person. They restrict comments, so you can’t warn anyone about this scam. They ask interested people to contact them through messenger, whereas they will give you a Zelle account. Keep in mind, this transaction CANNOT be reversed, and you are at the mercy of a scammer to return your deposit, which they WILL NOT. Think about this, the people who are “purchasing” these items think they are buying from YOU.
For those who are looking to buy from Facebook (or any other online platform) always remember, if a price is too good to be true, it probably is! NEVER Zelle or Venmo anyone you do not know, or for something like this. Insist on going to look at the items in person BEFORE any transaction is made. If they refuse, it is a scam.
Since the major data breach of 4 billion people, this information has been sold on the dark web. This information includes EVERYTHING needed to impersonate another person. We already sent this warning out last year, but feel the need to repeat…
Change passwords
Change answers to security questions
Enable multi-factor authentication on every account that offers this
Make sure your cell phone or email account that is used for the second authentication is secured with multi-factor authentication. Otherwise, if they hack this account, they will receive the “second” authentication instead of you!
Bank / Credit Card Scams
Scammers can spoof your banks phone number. When they call, they will say there has been a suspicious amount charged to your account. They will have your card number, your address, everything EXCEPT the code on the back of your card. If they ask you to verify give them the number to verify, they are a scammer.
If you receive a text message from your “bank”, referring to the same situation or to verify your account. Do not click on any links in the text message or email, call your bank with the number you have, or log in from your browser.
Never say “Yes”
When a person calls you and asks – can you hear me, never say yes. They may be recording you so they can make false purchases. Instead, reply “Why are you asking”. If they ask is this Sally Smith, ask them, “why are you asking”. This happened to me a couple weeks ago, they said: We are offering a free subscription for your type of Industry, would you like a free subscription, I asked, what kind of industry are you offering. They said we have many different industries. I replied, BUT you said you had a subscription in MY industry. They hung up!
Jury Duty / Arrest Warrant
These scammers threaten you with arrest if you do not pay the “fee” for missing jury duty or an outstanding ticket. They typically ask for a gift card, but with all the new scammers using Zelle, I am sure that will be next.
Investment Scams
With all the talk about Crypto being the next big thing, scammers are trying to capitalize on this. These scams usually start off by someone on social media offering to show you how to invest in cryptocurrencies. Again, if something sounds too good to be true, it probably is. Such as, guaranteed big returns, no risk, and the request for money to be wired or using a Zelle type system.
Renewal / Update Payment Scams
We see many of these emails and text messages targeting consumers from commonly used stores and banks. They use their store/ bank logo and add some sort of subscription ID or the last 4 digits of a credit card. Check your own renewal date and the credit card information. They are betting you won’t check and just click. When you click on the link within the email/text, it could be a virus or a fake URL to gain your login credentials. They also include the “unsubscribe” at the bottom, trying to make this look real. Sometimes the link is really connected to the store, other times, it will take you to a “fake” site and ask for your login credentials.
Job Posting Scams
This is common during the holidays when people are looking for some extra money, but this can happen at any time. They post jobs on social media sites or sometimes they will contact you via email or a text message. The message usually starts off with referring to an ad you answered. They may use a fake company or impersonate a well-known firm. These scammers offer great pay or state the compensation will be much more lucrative than it really is. Sometimes they offer free gifts if you are a mystery shopper. Keep in mind, there are legitimate companies offering jobs, however, never pay for upfront training, interviews, lists of job opening, or mystery shopping opportunities.
Also, never accept a deposit from a company when they ask you send back a portion of it.
Remember, legitimate companies do not ask for money from potential employees or salespeople.
What can you do?
If you receive a scam, report it to the FTC (Federal Trade Commission). Although they will not update you on the progress of your report, they share this information with law enforcement to help with investigations. Together, we can help stop this criminal activity and warn others!
Feel free to share this with others. The world wide web (WWW) is the new wild wild west!
Stay safe and alert out there.
If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. It’s an online compliance system that has everything you need to get compliant and stay compliant! Best of all you will have a HIPAA security analyst to guide you every step of the way!
For more information or to speak to someone about HIPAA Compliance call us at 877.659-2467 or use the contact us form.
The Health Insurance Portability and Accountability Act (HIPAA) has long served as a cornerstone in protecting the privacy and security of individuals’ health information. As digital technology continues to evolve, so do the ways in which health data can be collected, shared, and potentially exposed. Recently, there have been significant updates concerning the use of online tracking technologies—such as cookies, web beacons, and pixels—particularly when used by HIPAA-covered entities and their business associates. These updates clarify how existing HIPAA regulations apply in the digital landscape, emphasizing the need for transparency, patient consent, and robust safeguards when handling protected health information (PHI) online.
These updates may be good news for healthcare
A federal judge in Texas ruled that the use of third-party online tracking technologies on hospitals’ public-facing web pages was unlawful. District Judge Mark Pittman in Texas sided with the American Hospital Association (AHA), the Texas Hospital Association, Texas Health Resources and United Regional Health Care System in his ruling that found the Department of Health and Human Services overstepped its authority with the 2022 guidance.
The lawsuit specifically argues that HHS expanded HIPAA’s definition of “individually identifiable health information” beyond its statutory authority. Also, it calls for the portion of OCR’s guidance addressing unauthenticated web pages to be invalidated.
This past March, HHS updated its guidance on the use of third-party web trackers to exclude certain types of website visits from meeting its criteria for protected health information (PHI) disclosures. The AHA contended the revised bulletin was still unlawful, and Judge Pittman agreed in his ruling.
Keep in mind, this milestone verdict comes from hospitals and larger entities rather than small to medium sized practices. Whereas, they have more financial strength.
HHS / OCR back tracks and updates guidance
On March 18, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) released updated guidance on the use of online tracking technologies by HIPAA-covered entities and their business associates. This update clarifies how HIPAA applies to tools like cookies, pixels, and web beacons used on websites and mobile apps.
Key Points from the Updated Guidance:
Definition of PHI in Online Tracking: OCR emphasizes that individually identifiable health information (IIHI) collected through tracking technologies is considered protected health information (PHI) under HIPAA. This includes data such as IP addresses, device identifiers, and browsing behavior when linked to an individual’s health care or payment for health care. Even if the individual does not have an existing relationship with the entity, such information is still regarded as PHI.
Use on Authenticated and Unauthenticated Webpages: The guidance distinguishes between authenticated webpages (requiring user login) and unauthenticated webpages. For authenticated pages, any tracking technology that collects PHI must comply with HIPAA regulations. For unauthenticated pages, if the information collected can be linked to an individual’s health care or payment, it is also considered PHI.
Business Associate Agreements (BAAs): Disclosing PHI to third-party tracking technology vendors without a valid HIPAA authorization or a business associate agreement (BAA) is considered a HIPAA violation. Entities must ensure that any sharing of PHI complies with HIPAA’s Privacy Rule requirements.
Enforcement and Compliance: OCR has indicated that it will prioritize compliance with the HIPAA Security Rule in investigations related to online tracking technologies. Covered entities are advised to conduct thorough risk assessments, train staff, and implement appropriate technical safeguards to ensure compliance.
This updated guidance underscores the importance of safeguarding PHI in the digital realm. HIPAA-regulated entities must carefully assess their use of online tracking technologies, ensuring compliance with privacy regulations to protect patient information.
Google Analytics
Removing Protected Health Information (PHI) from Google Analytics is a critical step for HIPAA-covered entities to ensure compliance with privacy regulations. Since Google Analytics is not a HIPAA-compliant service and does not sign Business Associate Agreements (BAAs), any transmission of PHI through its platform constitutes a HIPAA violation. To avoid this, organizations must take proactive measures to prevent PHI—such as names, IP addresses, medical conditions, appointment details, or any data that can be tied to an individual’s health—from being captured by tracking scripts. This often involves disabling data collection on sensitive pages, using robust filtering techniques to scrub URLs of identifiable information, and configuring analytics tools to anonymize IP addresses and exclude user-specific identifiers.
By auditing their tracking implementations and employing privacy-centric alternatives, healthcare organizations can maintain valuable analytics insights without compromising patient privacy.
Analytics Alternatives
There are some Google Analytics alternatives, but not all of them give prices. When searching for these services, be very careful. Nefarious characters are going to try and trick you into offering a too good to be true service. Criminals are looking for new ways to gain access to patient data.
Let us know if you would like us to review any particular service or if you have any questions. We are here to help!
Feel free to share this article with your colleagues. If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. Our online compliance system has everything you need to get compliant and stay compliant! Best of all you will have a HIPAA security analyst to guide you on every step of the way!
For more information or to speak to someone about HIPAA Compliance call us at 877.659-2467 or use the contact us form.
“Simplifying HIPAA through Automation, Education, and Support”
Most people in healthcare have been affected by the Change healthcare cyberattack. Scams have hit a new level, and you must be more diligent than ever before. Scams can be spotted, but you must look closely. A scam can quickly turn into a data breach. I recently conducted a HIPAA security officer training and reminded them of some of the threats that destroy your computer systems, both at work and at home. I watched “The Beekeeper” movie over the weekend. This made me change our Security Notification for this month. If you like action packed, good guy gets even, this is a great movie. This movie is about an email scam and revenge. If you are a Jason Statham fan, you will like this movie!
Here is the scenario:
Your computer gets a huge alert and says your computer is locked, you have been hacked, your email, bank accounts, passwords, etc. were compromised. They will give you a phone number to the “help desk”. You call the number, they “help” themselves and empty your bank account. Don’t call the number they give you, look it up yourself. DO NOT use a customer service or help desk number from a Sponsored Ad. Some scammers will pay for an ad to get to the top of Google. Most times you just need to reboot to clear the screen. DON’T click on anything in the warning. It is best to contact your IT company first. If you are home and can’t get in touch with someone, you may need to use Ctrl, Alt, Delete to shut your computer down. Then run a virus scan when you boot back up. Whatever you do, do not pay anyone, anything until you verify the validity of the situation!
Scams in text messages:
There are many versions to an email like this, they also come in text messages, and voice mails. Scams are hitting new levels every day. Some want you to click on a link, others want you to call the number they provide. Never click on a link, or call the number listed in the text, until you verify the text is valid.
Other email scams:
We have been saying for years, DO NOT CLINK ON LINKS. When you receive an email from your bank, IRS, post office, FedEx, etc. Look closely at the “from” email address. Many times, you can spot the fake address. It could be something as simple as a “.” In the URL address. Also, who it is addressed to, sometimes it is someone else. They do this so you will reply to let them know they have the wrong person. Again, this is a tactic from scammers to see if you will answer. If there is a link, they want you to click on, hover over it instead. It may take you to a completely different site. This could infect your computer or look like where you are supposed to go, only to lure you into entering your login credentials.
Phone call scams:
Scammers can spoof legitimate agencies like the power company, IRS, and even the police department. Never pay for any “immediate” requirements. This includes the threat of your power being shut off, IRS payment due, or paying a penalty for missing jury duty. These are just SOME of the examples these criminals are using.
Online marketplaces:
Scammers also target people who post things for sale on sites like Craigslist or Facebook Marketplace. They also prey on people who post looking for help finding their lost pet.
These scammers contact you and say they want to buy the item you’re selling — or that they found your pet. However, before they commit to buying, or returning your pet, they typically say they’ve heard about fake online listings and want to verify that you’re a real person. Or they might say they want to verify that you’re the pet’s true owner.
They send you a text message with a Google Voice verification code and ask you for that code. If you give them the verification code, they’ll try to use it to create a Google Voice number linked to your phone number. (Google Voice gives you a phone number that you can use to make calls or send text messages from a web browser or a mobile device.) The scammer might use that number to rip off other people and conceal their identity.
Sometimes these scammers are after a Google Voice verification code and other information about you. If they get enough of your information, they could pretend to be you to access your accounts or open new accounts in your name.
No matter what the story is, don’t share your Google Voice verification code — or any verification code — with someone if you didn’t contact them first. That’s a scam, every time. Report it at ReportFraud.ftc.gov.
What can you do?
When you receive an email, text, or phone call, you should call your bank or the company to advise them of what happened. If they are doing this to you, they are doing this to MANY others. Also, you can report this to the Federal Trade Commission (FTC). The FTC does not resolve individual reports, but your report will be entered in the FTC’s Consumer Sentinel database and will be available to federal, state, and local law enforcement across the country.
If someone has clicked a link or opened an attachment that downloaded harmful software:
Contact your IT department to update your computer’s security software.
They will run a scan and delete anything it identifies as a problem.
If you think a scammer has your information, like your Social Security, credit card, or bank account number:
Go to identitytheft.gov for steps you can take based on what kind of information was lost or exposed.
If you gave your username and password to a scammer:
Change your password right away. If you use the same password for other accounts or sites, change it there, too.
If someone calls and offers to “help” you recover money you have already lost:
Don’t give them money or personal information. You are probably dealing with a fake refund scam.
Scammers are getting bolder and more brazen. It is up to us to stay diligent and to stay safe.
Feel free to share this blog with your colleagues. We want to educate as many practices as we can since data breaches can be expensive. If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. It’s an online compliance system that has everything you need to get compliant and stay compliant! Best of all you will have a HIPAA security analyst to guide you every step of the way!
For more information or to speak to someone about HIPAA Compliance call us at 877.659-2467 or use the contact us form.
“Simplifying HIPAA through Automation, Education, and Support”
Preventing a data breach can feel like a daunting task. However, a well-educated staff is your first line of defense. Although nothing is failsafe, there are many things you can do within your practice to prevent a data breach. We covered this last year, but I thought it might be time for a reminder with the latest breach from Change Healthcare.
Hacking/IT incidents remain the largest category comprising of 77% of the reported breaches. Network servers continued as the largest category by location for breaches involving 500 or more individuals at 58% of reported large breaches.
Many of these start from an unsuspecting employee that clicks on link or shares information before it has been verified. Most attacks begin from a phishing email, text, or a visit to a website. Once this occurs, then many times you are infected with a virus, malware, or ransomware. When this happens, your systems may be frozen, and a DOS (denial of service) begins. Let’s review how to prevent a data breach:
Emails:
What does a fake email may look like? First, they are going to look “real” until you take a closer look. Pay attention to the “from” email address. This is the most common place to start. Most email addresses will have a name you are familiar with, but the URL will be different. For example: sally@email.bankofamerica.com. So, look for anything that is “slightly” different. Then, if they want to click on a link, hover over the link to see if it is really for what they are proposing. I received an email from my “bank” asking me to “Finish the Do-To-List”. I knew I hadn’t started any such list and I hovered over the link. It was to a completely different website. I reviewed the message details and looked up the IP address, it was from Spain. My bank is not in Spain! If you would like to learn more about reading your message details, reply to this email.
Text Messages:
Text messages are somewhat the same. Look at the top of the message and review who it is from. Most of these will either be from a phone number or an email address that is not from the actual company. NEVER click on any link or call the number in the message. If you receive a message about a purchase and it states you must click to decline, DON’T! Call your bank or credit card company to verify. You must be very diligent with these messages; they try to spoof your bank or card company’s email address by adding something like this: stop@fraud.bankofamerica.com.
Websites:
Websites can be infected with malware, a virus, or redirect the information you enter. Again, it is very important to look at the URL closely before entering any credentials. When visiting unknown sites, you take the risk of being infected. This is difficult to comprehend since we all like to “surf” the web. Many recipe sites have been known to have malware since people do not maintain security on older sites. If you are going to surf, you MUST have very good anti-virus / anti malware software. I am currently using Bitdefender Total Security. When I try to go to a website and the credentials of the site do not match, my software will NOT let me go to the site unless I enter my password for my software. Your IT vendor may utilize something like this. Websites that have not been maintained or have been hacked can present all kinds of problems. Preventing a data breach means that staff members should NOT use their work computers for surfing!
Man-in-the-middle:
Another type of threat is when information is intercepted without a person knowledge, this is commonly referred to as the “man in the middle”. When a person uses a public wi-fi system, a nefarious character can spoof a legitimate connection and steal information. Depending on the type of activity, a virus or malware could be placed on the device and brought back into the office. This could in turn infect your network.
Zero-day attacks:
Then, there are zero-day exploits that happen when hackers uncover a vulnerability in a system and attack. These are usually widespread and can be all over the world. Developers must work fast to create a patch to correct this deficiency. In the meantime, your systems could be down or destroyed. This is why it is critical to maintain a backup that is not connected to your network.
Ransomware attacks are a real problem and not just for healthcare but for everyone. It has gone up 70% in just one year. Think about losing everything on your business network or your home computer. It happens, so all these recommendations are for your personal use as well.
The Office for Civil Rights (OCR) released their breach report to Congress, below are a few highlights.
The “OCR’s Reports to Congress provide useful information for everyone on trends in HIPAA complaints and breach reporting,” said OCR Director Melanie Fontes Rainer. “Our health care systems should take note of these trends and address potential HIPAA compliance issues before they experience a breach or receive notice of an OCR investigation. My staff and I stand ready to continue to work with Congress and the health care industry to drive compliance and protect against security threats.”
The HHS 2022 Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance identifies the number of complaints received. Some highlights include:
OCR received 30,435 new complaints alleging violations of the HIPAA Rules
OCR resolved 32,250 complaints alleging violations of the HIPAA Rules
OCR resolved 17 complaint investigations with Resolution Agreements and Corrective Action Plans (RA/CAPs) and monetary settlements totaling $802,500, and one complaint investigation with a civil money penalty in the amount of $100,000
OCR completed 846 compliance reviews and required subject entities to take corrective action or pay a civil money penalty in 80% (674) of these investigations. Three compliance reviews were resolved with RA/CAPs and monetary payments totaling $2,425,640.
Feel free to share this blog with your colleagues. We want to educate as many practices as we can since data breaches can be expensive. If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. It’s an online compliance system that has everything you need to get compliant and stay compliant! Best of all you will have a HIPAA security analyst to guide you every step of the way!
For more information or to speak to someone about HIPAA Compliance call us at 877.659-2467 or use the contact us form.
“Simplifying HIPAA through Automation, Education, and Support”
Common online tracking technology that could lead to a HIPAA violation should be at the top of all healthcare providers to “know” list.
I probably sound like a broken record by now, however, this is a VERY important topic! Many states are implementing their own set of privacy rules and using online tracking is dangerous in healthcare.
Here is a refresher on what is online tracking technology. Tracking technology collects data from website visitors and many times, follows that visitor around the internet. They serve an important purpose for the website owner. It can give them useful information about what a visitor is looking for, how long they stay on a page, and where they go after they leave your site. In the business world, that sounds harmless. Marketers are just trying to make websites more appealing and increase revenue. In the healthcare field, that can be considered a HIPAA violation. Most medical practices do not even know these trackers on their website. It is extremely important to audit your website and make sure the company you utilize for maintaining your website, marketing, and hosting understands HIPAA.
There are dozens of trackers, but we will cover the most common that we have encountered:
Google
Google Analytics
Google Ads
Google Maps
HotJar
HubSpot
YouTube
Vimeo
LinkedIn
TheTradeDesk
The most common of all trackers is Google. They have a few different “versions”, like Google Analytics, Google Ads, and Google Maps. You need to understand how this works because they all can lead to problems because these trackers are not HIPAA compliant. Google Analytics collects personal identifiers about your website visitors by default. Google ads follow visitors around the internet. If you find “doubleclick” in any part of a URL, that is also related to Google ads! There are others, but this is the most common marketers use to track sales conversions. Google maps, of course tracks where the visitor is located to take them to your location. This could be a violation if this is located on the same page as a scheduler or portal. You may be in the clear if there isn’t any other health information located on that page. Caution should be used when using Google maps. Many practices simply write out directions from common intersections or nearby towns.
Please note that even if the individual that visits your website is NOT a patient, the OCR considers them as a potential patient and may become a patient at some point in the future, and therefore their data could be considered PHI. The OCR and the FTC have specifically stated that Google Analytics and Google Ads can cause HIPAA violations. You will need to remove the information that is collected BEFORE it is shared with Google, or you must utilize a third-party to prevent Google from having access.
Hotjar is a Google competitor and states they are easier to use. They offer two types of analytic tools. Heatmaps and session recordings. They offer a “free” version, but remember when a service is free, you are usually the item for sale. Although they promote that they do not collect IP addresses and emails, it is unclear if they collect any other personal data. They advise new users to login into their Google account to get started, so that is a red flag for us.
HubSpot is popular because it is a CRM that is linked to your website. They state they have robust security in place, but they will not sign a BA agreement. Therefore, they are not HIPAA compliant. Their terms of service state that healthcare entities should NOT use HubSpot. We have read that it can be made HIPAA compliant, but this would still put you on notice with the OCR and FTC.
Since Google owns YouTube, this is another platform that sends out alarm bells. Many practices use video on their website that is hosted on YouTube. This could contain PHI and then YouTube would have access to personal identifiers. Unfortunately, this also means you are sharing PHI with Google. Again, this is a HIPAA violation. You may be able to have the patient sign an authorization that details what information is going to be shared and explain, even if they decide later, they want it removed, the original information may be retained online indefinitely. This is a slippery slope though.
Speaking of videos, this brings me to Vimeo. This is another video hosting platform. They have several “versions”, so just be aware of any URL that has Vimeo in it. Keep in mind these embedded videos collect user information, same as YouTube and shared with Vimeo. The same precautions must be applied.
If you must use videos, it is recommended to find an alternative hosting platform that will sign a BA agreement. I know this could be a long process, but you need to be sure patient data is not being shared!
Facebook is another one we have seen a lot on medical websites. They are another entity known to share information across multiple platforms. Meta, who is the parent company of Facebook, uses a Pixel as their tracking device. The “Meta Pixel” is a small code that is used to track information across Facebook and Instagram, and any other systems they choose. Have you ever been on one platform, only to see Ads on another about something you watched or read? Meta pixels track visitor actions, and this helps put ads in front of similar visitors to improve advertising conversions. The OCR and FTC have also named Meta/Facebook as being non-compliant.
LinkedIn has been known to be a professional platform. Many healthcare providers have chosen to have a presence on LinkedIn over Facebook. They too use trackers; this one is called the “Insight Tag”. They have several different URLS, but they all use trackers. This tracker has the ability to follow LinkedIn users on your website and monitor what pages are viewed and if any actions are taken. Originally, this was intended for visitors looking for a job. If this is placed properly, and no health information is located on that page, this is a low risk of a violation. Make sure this tracker is not located on your entire website. This tracker works like the rest of social media trackers and puts you at risk of violations if not installed properly.
TheTradeDesk tracker is difficult to spot since some of their URLS do not use this name. Watch for adsrvr in the URL. They call their tracker the “Universal Pixel” since it allows advertisers to target users on digital platforms, streaming devices, and podcasts. This platform collects a lot of data from your website! This includes demographics, browsing history, and even conversion stats. This all can lead to PHI being shared with them. It is not recommended to use this platform if you are a healthcare provider since they can load other ad pixels randomly on your website. This can put your practice at even more of a HIPAA violation.
None of these platforms will sign a Business Associate Agreement (BAA). I have heard of a company that can help with all of this, but they are not affordable for many providers. If you would like information about them, please contact us. I will continue to search for alternatives so you can still market your practice without fear of HIPAA violations. Until then, we recommend removing all trackers.
Let us know if you would like us to check your website. Feel free to share this information with your colleagues. We want to help as many practices as we can since the fines can be devastating. If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. It’s an online compliance system that has everything you need to get compliant and stay compliant! Best of all you will have a HIPAA security analyst to guide you every step of the way!
For more information or to speak to someone about HIPAA Compliance call us at 877.659-2467 or use the contact us form.
“Simplifying HIPAA through Automation, Education, and Support”
The 2024 HIPAA and other compliance updates are included in the Office of the Inspector General (OIG) General Compliance Program Guidance (GCPG) for healthcare providers.
Although this compliance is not anything new, they have added this guidance to assist the health care community. This Compliance Program entails more than HIPAA. It is recommended after reviewing this summary that you review the Program Guidance in full.
Similar to the HIPAA Security Rule, the GCPG repeats certain information. This is because OIG recognizes that users may read, or may later reference, specific sections only, and not the whole document. Therefore, relevant information may be included and repeated in multiple sections.
The GCPG applies to all individuals and organizations involved in the health care industry. The GCPG addresses the seven elements of a compliance program. They have adaptations for small and large organizations. They anticipate updating the GCPG as changes in compliance practices or legal requirements.
Starting in 2024, the OIG will be publishing industry specific CPGs (ICPGs) for different types of providers, suppliers, and other participants in the health care industry. ICPGs will be tailored to fraud and abuse risk areas for each industry. They will also address compliance measures that the industry participants can take to reduce these risks. ICPGs are intended to be updated periodically to address newly identified risk areas and compliance measures and to ensure timely and meaningful guidance from OIG.
Keep in mind, the OIG’s compliance plan is a resource for healthcare providers and does not imply that it is a complete compliance program. Every organization is different, and this is not a one size fits all system. This is very comprehensive, and the following is a summary. For the complete document, see the link below:
The Department of Justice (DOJ), OIG, the Centers for Medicare & Medicaid Services (CMS), and the HHS Office for Civil Rights (OCR), are charged with interpreting and enforcing these laws and regulations. These overviews are intended to be summaries only and they do not address every legal obligation that may be imposed on the health care community and affiliated partners. For example, this guidance and these legal overviews do not address State fraud and abuse laws. It is important to understand that following these laws is the right thing to do and violating them could result in criminal penalties, fines, exclusion from Federal health care programs, and the enforcement to pay back overpayments.
Federal Anti-Kickback Statute
This statute prohibits organizations that are involved in Federal health care programs from engaging in some practices that are acceptable in other business sectors. For example, offering or receiving gifts for past or future referrals.
The Federal anti-kickback statute can be described as intent based. It is a criminal offense to knowingly and willfully offer, pay, solicit, or receive any remuneration to entice the referral of an individual for the furnishing of, or arranging the furnishing of any item or service, that is reimbursable under a federal health care program.
Violation of the Federal anti-kickback statute constitutes a felony punishable by a maximum fine of $100,000, imprisonment up to 10 years, or both. Conviction also will lead to mandatory exclusion from Federal health care programs, including Medicare and Medicaid.
Physician Self-Referral Law (PSL) a/k/a Stark Law
This law prohibits a physician from making referrals for certain designated health services (DHS) payable by Medicareto an entity with which the physician (or an immediate family member) has a financial relationship, unless an exception applies, and its requirements are satisfied.Financial relationships include ownership and investment interests as well as compensation arrangements. For example, if a physician invests in an imaging center to which the physician refers Medicare beneficiaries for DHS, the PSL requires that the financial relationship satisfies all requirements of an applicable exception. If it does not, the PSL prohibits the physician from making a referral for DHS to be furnished by the imaging center and prohibits the imaging center from billing Medicare (or any individual, third-party payor, or other entity) for the improperly referred DHS.
The PSL is implicated only when all six of the following elements are present.
A physician
Makes a referral
For designated health services
Payable by Medicare
To an entity
With which the physician (or an immediate family member) or the physician organization in whose shoes the physician stands has a financial relationship (which could be a direct or indirect ownership or investment interest in the entity or a compensation arrangement with the entity).
When all six elements exist, the PSL prohibits a physician from making a referral for DHS to the entity with which they have the financial relationship unless an exception applies and its requirements are satisfied. It is important for entities that furnish DHS to have a method to keep track of, and review closely, their financial relationships with physicians who refer Medicare patients to them.
CMS’s regulations define certain categories of DHS by Current Procedural Terminology (CPT) and Healthcare Common Procedure Coding System (HCPCS) codes. CMS publishes an updated list of codes for the relevant DHS annually.
The civil False Claims Act provides a way for the Government to recover money when an individual or entity knowingly submits or causes to be submitted false or fraudulent claims for payment to the Government.
This Act defines “knowing” and “knowingly” to mean that a person, with respect to information—
has actual knowledge of the information;
acts in deliberate ignorance of the truth or falsity of the information; or
acts in reckless disregard of the truth or falsity of the information; and no proof of specific intent to defraud is required.
The False Claims Act defines “knowing” and “knowingly” to include not only actual knowledge but also instances in which the person acted in deliberate ignorance or reckless disregard of the truth or falsity of the information. This means individuals and entities cannot avoid liability by deliberately ignoring inaccuracies in their claims.
Filing false claims may result in liability of up to three times the programs’ loss plus an additional penalty per claim filed. Each instance of an item or a service billed to Medicare or Medicaid counts as a claim. Liability can add up quickly!
A few examples of health care claims that may be false include claims where the service was not actually rendered to the patient, is already provided under another claim, is up coded, or is not supported by the patient’s medical record. A claim that is tainted by illegal remuneration under the Federal anti-kickback statute or submitted in violation of the PSL is also false or fraudulent, creating liability under the civil False Claims Act.
The Affordable Care Act included a requirement that entities must report and repay overpayments to Medicare and Medicaid by the later of:
(A) the date which is 60 days after the date on which the overpayment was identified; or
(B) the date any corresponding cost report is due, if applicable.
If an entity identifies billing mistakes or other non-compliance with program rules leading to an overpayment, the entity must repay the overpayments to Medicare and Medicaid to avoid False Claims Act liability. Even if an entity makes an innocent billing mistake, that entity still has an obligation to repay the money to the Government.
Civil Monetary Penalty (CMP) Authorities
The OIG is authorized to pursue monetary penalties and exclusion through a variety of civil authorities. Most notably, the Civil Monetary Penalties Law (CMPL). Under the CMPL, the OIG can pursue assessments in lieu of damages, CMPs, and exclusion from participation in the Federal health care programs. With this authority, OIG can address a wide variety of improper conduct related to Federal health care programs and other HHS programs.The CMPL principally addresses fraudulent and abusive conduct. In addition to OIG’s CMP authorities that closely parallel the False Claims Act, the OIG has additional CMP authorities aimed at certain specific types of conduct unique to HHS and the Federal health care programs. For example, the “patient dumping” CMP.
While False Claims Act cases are pursued by DOJ on behalf of HHS in Federal court, CMP cases are administrative and pursued by OIG before an HHS administrative law judge. By statute, different categories of conduct result in different penalty amounts. Such as, false claims result in penalties of up to $20,000 per item or service falsely claimed, and improper kickback conduct results in penalties of up to $100,000 per violation.
This provides for the imposition of CMPs against any person who offers or transfers remuneration to a Medicare or State health care program that the person knows or should know is likely to influence the beneficiary’s selection of a particular provider, practitioner, or supplier for the order or receipt of any item or service for which payment may be made, in whole or in part, by Medicare or a State health care program.
There are exceptions to the definition of “remuneration” under this section. For any applicable exception to apply, each condition of the exception must be completely satisfied. The exceptions include:
nonroutine waivers of copayments and deductibles based on individualized determinations of financial need;
preventive care incentives;
items and services that promote access to care and pose a low risk of harm;
retailer rewards;
items and services tied to medical care for financially needy beneficiaries.
The Beneficiary Inducements CMP is different from the Federal anti-kickback statute and the corresponding anti-kickback CMP, but the Beneficiary Inducements CMP and Federal anti-kickback statute often prohibit overlapping conduct.
The Beneficiary Inducements CMP is a separate and distinct authority, completely independent of the Federal anti-kickback statute. It is narrower than the Federal anti-kickback statute and the anti-kickback CMP in several ways.
The Federal anti-kickback statute applies to remuneration to induce or reward referrals of an individual to a person for the furnishing of any item or service, and purchases of any good, facility, service, or item that is payable by a Federal health care program. In contrast, under the Beneficiary Inducements CMP applies to remuneration that is likely to influence a beneficiary’s selection of a particular provider, practitioner, or supplier for items or services reimbursable by Medicare or a State health care program.
Information Blocking
Under the 21st Century Cures Act the OIG has the authority to investigate claims that health information technology (IT) developers of certified health IT (including entities offering certified health IT), health information exchanges and networks, and health care providers have engaged in conduct constituting “information blocking.” A health IT developer of certified health IT, health information exchange, or network that engages in information blocking may be subject to CMPs of up to $1 million per violation.
It is considered information blocking when a provider engages in a practice and the provider knows that it is likely to interfere with, prevent, or materially discourage the access, exchange, or use of EHI. Information blocking does not include any practice that is required by law or that meets an exception.
Criminal Health Care Fraud Statute
The criminal health care fraud statute makes it a criminal offense to defraud a health care benefits program. The criminal health care fraud statute prohibits knowingly and willfully executing, or attempting to execute, a scheme to either:
(1) defraud any health care benefit program; or
(2) to obtain, by means of false or fraudulent pretenses, representations, or promises, any money or property from any health care benefit program.
The Government must prove its case beyond a reasonable doubt and prove that the defendant acted with intent to defraud; however, specific intent to violate this statute is not required for a conviction. DOJ, OIG, and other law enforcement partners have successfully used this statute to pursue defendants who orchestrate complex health care fraud schemes. Cases that involve violations of the criminal health care fraud statute also often involve complex money laundering, tax, and other associated financial criminal offenses. The penalties for violating the criminal health care fraud statute may include fines of up to $250,000, imprisonment of not more than 10 years, or both.
The Department of Health and Human Services Office for Civil Rights are responsible for administering and enforcing the HIPAA Rules. Which includes the Privacy, Security, and Breach Notification Rule.
The Security Standards specifies a series of administrative, physical, and technical safeguards for covered entities and their business associates to ensure, among other provisions, the confidentiality, integrity, and security of electronic PHI (ePHI).
The OCR and ONC created the HSR Toolkit to assist providers and business associates in determining their risks. The HSR Toolkit does not produce a statement of compliance. Organizations may use the HSR Toolkit in coordination with other tools and processes to support HIPAA Security Rule compliance and risk management activities. Statements of compliance are the responsibility of the covered entity and the HIPAA Security Rule regulatory and enforcement authority. By using Aris’ HIPAA Keeper™, this replaces the need to use this tool kit since our system includes the risk assessment and all policies and procedures. It is recommended to utilize a third party to audit your network to ensure that your data is secure.
Elements of a Compliance Infrastructure
Written Policies and Procedures should encompass the HIPAA Rules and areas that could cause fraud and abuse. Including areas in billing, coding, sales, marketing, quality of care, patient incentives, arrangement with physicians, other health care providers, vendors, and other potential sources or recipients of referrals of health care business.
All individuals are required to have access to your policies and procedures. Many entities maintain their code, policies, and procedures on an internal intranet site or use other electronic communication tools to ensure that everyone has access to the same documents. Policies must be maintained in languages that the staff can easily understand and written an appropriate reading level.
Designating a compliance officer with appropriate authority is essential to the success of the compliance program. To be effective, the compliance officer should also maintain a degree of separation from the entity’s delivery of health care items and services and related operations. Thus, the compliance officer should not be responsible, either directly or indirectly, for the delivery of health care services, coding, or claim submission. In addition, involvement in functions such as contracting, medical review, or administrative appeals present potential conflicts. Whenever possible, the compliance officer’s sole responsibility should be compliance. In smaller organizations this can be burdensome, therefore a third party may be necessary for guidance.
Training should include education on the organization’s compliance program. Including Federal and State standards, and governance, and oversight of a health care entity. The compliance officer should develop an annual training plan that includes the training topics to be delivered and the target audience for each topic.
For a compliance program to be effective, the organization should establish appropriate consequences for instances of noncompliance, as well as incentives for compliance. Consequences may involve remediation, sanctions, or both, depending on the facts. Incentives may be used to encourage compliance performance and innovation.
Risk assessment is a process for identifying, analyzing, and responding to risk. Periodic compliance risk assessments should be a component of an organization’s compliance program and should be conducted at least annually. Entities may use commonly available spreadsheet software to analyze their data. Other software programs that entities already use, such as billing software and electronic health records, may also have components that allow entities to analyze the data they contain. Between compliance risk assessments, the compliance officer should continue to scan for unidentified or new risks.
Audits may be conducted by internal or external auditors who have expertise in Federal and State health care statutes, regulations, and Federal health care program requirements. Medicare requires that items must be medically reasonable and necessary. Entities may identify other areas appropriate for routine monitoring, such as high-value billing codes, medical record documentation, medical necessity of admission.
Monthly monitoring of the LEIE and state Medicaid exclusion lists, state licensure and certification databases, and an annual review of the organizations policies and procedures are also required.
Detected Offenses and Developing Corrective Action Plans. If credible evidence of misconduct from any source is discovered and a reasonable inquiry is conducted, and the compliance officer or counsel has reason to believe that the misconduct may violate criminal, civil, or administrative law, then the organization should promptly (not more than 60 days after the determination that credible evidence of a violation exists) notify the appropriate Government authority of the misconduct. Prompt reporting will demonstrate the entity’s good faith and willingness to work with governmental authorities to correct and remedy the problem.
Other Compliance Considerations
There are other important compliance considerations related to several generally applicable risk areas. Forthcoming ICPGs will address industry subsector-specific risk areas for different types of providers, suppliers, and other participants in health care industry subsectors or ancillary industry sectors relating to Federal health care programs. The existing CPGs and supplemental CPGs will remain available for use as ongoing resources to help identify risk areas in particular industry segments as the ICPGs are developed.
Quality and Patient Safety
Quality and patient safety are often treated as wholly separate and distinct from compliance, and the compliance program often does not contain quality and patient safety components. But quality and patient safety are integral to the work of HHS, CMS, FDA, and other agencies. And OIG and DOJ have long emphasized the importance of quality and patient safety. OIG and DOJ have investigated and settled cases based on the submission of false claims for care that is materially substandard, resulting in death or severe harm to patients.
New Businesses in the Health Care Industry
The health care sector is seeing an increasing number of new businesses, including technology companies (both established and start-up companies), new investors, and organizations providing non-traditional services in health care settings. New entrants are often unfamiliar with the unique regulations and business constraints that apply in the health care industry, as well as the range of Federal and State government agencies that regulate health care and enforce fraud and abuse laws. Business practices that are common in other sectors create compliance risk in health care, including potential criminal, civil, and administrative liability.
Financial Incentives: Ownership and Payment – Follow the Money
The growing prominence of private equity and other forms of private investment in health care raises concerns about the impact of ownership incentives on the delivery of high quality, efficient health care. Health care entities, including their investors and governing bodies, should carefully scrutinize their operations and incentive structures to ensure compliance with the Federal fraud and abuse.
Payment Incentives
Compliance officers should be attuned to the varying risks associated with the payment methodologies through which health care entities are reimbursed for the items and services they provide. When an insurer, including Federal health care programs, pays on a volume-sensitive or fee-for-service basis, there may be increased risks of overutilization, inappropriate patient steering, and use of more expensive items or services than needed. When payment incentives and associated risks are fully understood, compliance officers, including those at entities with private investment, are better positioned to design informed audit plans, conduct effective monitoring, detect problems early, and implement effective preventive strategies.
Financial Arrangement Tracking
Organizations involved in Federal health care program business may manage financial arrangements and transactional agreements, including those between referral sources and referral recipients, which can implicate the Federal anti-kickback statute and the PSL, among other Federal fraud and abuse laws. While legal counsel may be involved in the initial structuring and drafting of these agreements, ongoing monitoring of compliance with the terms and conditions set forth in the agreements remains equally important from a fraud and abuse perspective.
OIG Resources and Processes
OIG has a Compliance Section on its website that includes numerous compliance and legal resources. They most recently added a more robust section on Frequently Asked Questions, with a new process for the health care community to submit questions, as discussed further below. In addition, under the Newsroom tab, they have short, educational videos covering a variety of substantive topics, Testimonies before Congress, as well as News Releases & Articles.
They encourage organizations to subscribe to OIG’s What’s New Newsletter to receive email notifications when OIG has posted new information to their website, including reports, enforcement actions, and more. OIG also encourages to subscribe to email notifications when the List of Excluded Individuals/Entities is updated. Lastly, OIG has various social media accounts that users can opt to follow to view OIG posts.
OIG has several self-disclosure processes that can be used to report potential fraud in HHS programs. Health care providers, suppliers, or other individuals subject to CMPs can use the Health Care Fraud Self-Disclosure Protocol to voluntarily disclose self-discovered evidence of potential fraud. Self-disclosure gives providers the opportunity to avoid the costs and disruptions associated with a Government-directed investigation and civil or administrative litigation.
The GCPG is voluntary guidance that discusses general compliance risks and compliance programs. The OIG states that compliance should be implemented. The complete guide may be accessed or downloaded on any computer.
Be sure to check this link regularly as they will be updated and no longer available in the Federal Register.
If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. Our system includes documents on a variety of compliance topics, not just HIPAA. Best of all you will have a HIPAA security analyst to guide you every step of the way!
For more information or to speak to someone about HIPAA Compliance call us at 877.659-2467 or use the contact us form.
“Simplifying HIPAA through Automation, Education, and Support”
As this year comes to a close and it may be time for some practices to review which medical records can be archived. We have been asked many times what is the “difference” between HIPAA documentation vs medical record retention requirements. Many organizations think these have the same requirements, and they do not!
If you are not sure about the differences, let Aris Medical Solutions offer you a complimentary consultation. We want to be your HIPAA partner!
HIPAA documentation retention:
HIPAA requires that your privacy and security rule policies, procedures, and documentation be retained for at least 6 years from the date of creation or the last date it was in effect. If a policy was implemented three years before it was revised, the original policy must be retained for a minimum of 9 years after its creation. If state privacy law is more stringent, then state law must be followed.
Here is an example of what is covered under HIPAA:
Audit logs of access to ePHI
Business associate agreements
Contingency plans
Employee sanction policy and documentation
Notice of Privacy Practices
Patient authorizations (unless included in their medical record)
Patient complaints and resolutions
Privacy policies (patient access, amendments, and authorizations)
Security incident reports and Breach notification documentation
Security policies (administrative, physical, and technical)
IT reports that include updates and device status
Medical record retention:
Most people think HIPAA controls the medical record retention requirements. HIPAA is a federal law, and each state has their own set of medical record retention requirements. State retention requirements can vary depending on the type of records and who they belong to.
Florida state law requires medical practices to maintain records for at least 5 years after the last visit. Hospitals are required to retain records for 7 years after the last visit.
Claims may be brought up to 7 years after the incident under the False Claims Act; however, on occasion, the time has been extended to 10 years.
Medicare managed care program providers must also retain their records for 10 years.
Some states required Pediatrics to retain records until the patient reaches the age of 23.
North Carolina has some of the lengthiest requirements, 11 years from the date of discharge and patients that are minors must be retained until 30 years of age.
It is recommended to retain any documentation that may be needed in a personal injury or breach of contract dispute for as long as necessary.
As you can see, there are many variables.
Proper organization of patient records and dates can assist you when the time comes to purge your records. This can also protect you from storing unnecessary records that could be a liability should you suffer a data breach.
If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. It’s an online compliance system that has everything you need to get compliant and stay compliant! Best of all you will have a HIPAA security analyst to guide you every step of the way!
For more information about Aris Medical Solutions call 877.659.2467 or click here to contact us.
“Simplifying HIPAA through Automation, Education, and Support”
Nefarious characters see healthcare organizations as high value yet relatively easy targets. These are referred to as target rich, cyber poor. Given that healthcare organizations have a combination of personally identifiable information, financial information, health records, and countless medical devices, they are essentially a one-stop shop for a bad actor. Understanding the HIPAA risk analysis requirements can help save your organization from these criminals.
There has been a significant rise in the number and severity of cyber-attacks against hospitals and medical practices in the last few years. These attacks expose vulnerabilities and endanger patient safety. The more they happen, the more expensive, and dangerous they become.
Although the HIPAA Security Rule does not specify how often a risk analysis must be conducted, it is recommended to review your systems at least once a year. Keep in mind if you introduce new equipment, software, or suffer a security incident, you may need to evaluate your risks more often.
If you need a HIPAA Security Risk Analysis, check out our:
The OCR conducted a webinar regarding Risk Analysis Requirements and discussed the areas that are deficient.
The OCR mentioned the following:
The lack of a system wide accurate and thorough analysis. (Step 1 Questionnaire)
Performing only the MIPS risk analysis does not encompass the system wide requirements.
PCI/DSS is more than likely not a complete risk assessment since it does not include ePHI.
Instead of a system wide accurate and thorough risk assessment, a summary or heat map is provided without the backup documentation.
Lack of inventory list to track which devices access, transmit, or store ePHI. (Located in the Profile)
No method to track operating systems that become out of date. (Documented in the inventory list)
Lack of mitigation documentation after the risk analysis was completed. (Step 1 Risk Management Plan)
Lack of sanctions against staff who violate HIPAA. (Step 3 Policies and Procedures)
Lack of security software / equipment updates. (Documented in reports from your IT company and stored in the Profile under Uploads)
Let’s all work together to keep patient data safe and secure. If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. It’s an online compliance system that has everything you need to get compliant and stay compliant. Best of all you will have a HIPAA security analyst to guide you every step of the way!
“Simplifying HIPAA through Automation, Education, and Support”
