When it is time to terminate an employee, it is never easy. Whether they are a short- or long-term employee, it can be difficult. Sadly, if you make a mistake you can end up with a complaint filed against you. These complaints can range from wage and labor board claims to discrimination or simply wrongful termination. This does not typically involve the Office for Civil Rights (OCR). However, if a disgruntled employee contacts the OCR to complain about ANOTHER issue, this could open the door for an OCR investigation. Best practice is to make sure you have proper HR policies in place alongside your HIPAA policies and procedures. Having an Employee Confidentiality Agreement is a good start to ensure your employees understand the requirements under HIPAA (which is included in our HIPAA Keeper™).
Now let’s talk about your employee manual. This is a must-have for all organizations, small and large. This manual should have clear and concise guidelines so that employees understand the conditions of their employment and the benefits they are entitled to. This should also include the hiring process and the termination of employment.
Here are some key areas that should be included in your employee manual:
Work eligibility – OIG exclusion requirements – Background checks (Random)
Employee classification – full-time / part-time
Exempt and non-exempt definition
Hours of work including flextime
Lunch and rest breaks
Overtime
Vacation – Sick – General paid time off (bereavement, jury duty, military, etc.)
Payday – Payroll deductions – Wage garnishments
Expense reimbursements
Advances
Employee benefits – Health Insurance – Workers’ Compensation – Etc.
Employee conduct – Attendance – Punctuality – Personal grooming
Use of company property – Internet use – Email – Etc.
Patient and employee privacy
Drug and alcohol use testing
There are other areas that should be included. These are just what comes to mind at first. If you do not have a complete employee handbook, contact us and we may be able to recommend a company that can help you.
As with HIPAA, employee documentation is VERY important!
If you are using our HIPAA Keeper™ 7-step system, you are well ahead of many other practices with HIPAA documentation. If you are not using our system, click here to find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance.
Or to schedule a demo click the contact us tab and scroll down.
“Simplifying HIPAA through Automation, Education, and Support”
The U.S. Department of Health and Human Services (HHS), through the Office for Civil Rights (OCR), announced the formation of a new Enforcement Division, Policy Division, and Strategic Planning Division. Is more HIPAA Enforcement on the way?
The newly established Strategic Planning Division will coordinate the OCR’s authorities to protect civil rights and health information privacy as well as expand data analytics and coordinate data collection across the HHS leadership.
“As a trusted advisor and leader of the newly established division, Luis Perez will direct the standalone Enforcement Division that will provide vital integration between our regional offices and headquarters staff to swiftly investigate and determine appropriate steps for all complaints we receive,” said Director Fontes Rainer. “This structure will enable OCR staff to leverage its deep expertise and skills to ensure that we are protecting individuals under the range of federal laws that we are tasked with enforcing.”
The OCR will rename the Health Information Privacy Division (HIP) to the Health Information Privacy, Data, and Cybersecurity Division (HIPDC).
The OCR’s caseload has multiplied in recent years, increasing to over 51,000 complaints in 2022.
By the time you finish reading this blog you could be next!
Would the Office for Civil Rights open an investigation for:
Missing your Notice of Privacy Practices on your website, or missing a patient signature for it, probably not.
For an incorrect patient sign-in sheet, probably not.
Lack of no-surprise billing notice on your website, probably not.
Would the Office for Civil Rights open an investigation for:
Privacy complaint from a patient, YES.
Information blocking complaint from a patient, YES.
Report from a disgruntled employee, YES.
HOWEVER, one patient or disgruntled employee’s complaint opens the door for the OCR. Then, they will review ALL your HIPAA compliance efforts, including the items listed above that they would not start an investigation with. With this new enforcement division, this has crossed a new threshold.
Is your practice at risk of being one of the three to be investigated tomorrow? The best way to avoid a HIPAA desk audit is through proper HIPAA documentation.
Most investigations can be avoided by supplying the OCR with proper documentation! How well do you trust yours?
2023 HIPAA audits and penalties may increase since the Department of Health and Human Services (HHS) has delivered its annual report to Congress. They noted there have been significant increases in HIPAA complaints and large breaches. They also noted that there have not been increases in appropriations during the same time frame. The Office for Civil Rights (OCR) requested that the HITECH civil monetary penalty caps be increased in the HHS FY 2023 Discretionary A-19 Legislative Supplement that was sent to Congress. Prepare for more HIPAA audits and higher penalties.
The Annual Report to Congress on Breaches of Unsecured Protected Health Information identifies the number and nature of breaches of unsecured protected health information (PHI) that were reported to the Secretary of HHS during calendar year 2021 and the actions taken in response to those breaches. It also highlights the continued need for regulated entities to improve compliance with the HIPAA Security Rule requirements, including:
risk analysis and risk management
information system activity review
audit controls
access controls
The OCR Director Melanie Fontes Rainer stated, “We will continue to provide guidance and technical assistance on compliance with the HIPAA Rules, as well as a vigorous enforcement program to address potential HIPAA violations.”
Enforcement Process
The OCR is in charge of enforcing the HIPAA Rules. They start by investigating written complaints and conducting reviews to determine if the covered entity or business associates failed to comply with the HIPAA Rules. The OCR will only act upon complaints that meet certain requirements. These include:
The violation must occur after the HIPAA Rules have been required.
The complaint must be filed against an entity that is required to adhere to the HIPAA Rules.
The complaint must describe the activity that violated the HIPAA Rules.
The complaint must be filed within 180 days of the occurrence. The OCR may waive this requirement if the individual shows good cause for being unable to file within the time frame requirement.
The OCR must determine whether the complaint is eligible for enforcement action. If the case is not within the OCR’s jurisdiction, the case will be closed. If the complaint is eligible for enforcement action, the OCR often provides technical assistance to resolve the case without further investigation.
In addition, OCR’s compliance activities include conducting audits and providing education and support with the HIPAA Rules. When necessary, the OCR has authority to issue subpoenas to encourage cooperation with an investigation.
The OCR may also initiate a compliance review investigation when they learn that the breach was caused by the covered entity’s business associate and open a compliance review of the business associate.
Compliance Reviews
The HIPAA Rules provide that the Secretary may open compliance review investigations of covered entities and business associates based on an event or incident brought to OCR’s attention, such as through the media, referrals from other agencies, or based upon patterns identified through multiple complaints alleging the same or similar violations against the same entity. Multiple complaints of the same or similar violations demonstrate systemic compliance deficiencies. These are typically investigated under one transaction for the purpose of achieving compliance.
Investigations
Once an investigation is initiated, the OCR will collect evidence through witness statements, interviews, requests for reports from the entity, and site visits. It is required by law that all entities involved must cooperate. If the event implicates criminal activity, the OCR may refer the complaint to the Department of Justice (DOJ). Keep in mind, if the DOJ declines the case, the OCR may review for potential civil violations and investigate the case.
Sometimes the OCR may determine there isn’t enough evidence to support that the entity violated the HIPAA Rules. In these cases, the OCR will send a letter closing the case and explaining the results of the investigation.
In the cases where the OCR determines that the covered entity or business associate was not in compliance, the OCR will generally try to resolve the case by obtaining voluntary compliance through corrective action, which may include a resolution agreement.
Resolution Agreements
When the OCR discovers non-compliance due to willful neglect or where the scope warrants additional enforcement action, the OCR will pursue a resolution agreement with a payment settlement amount. This also includes a corrective action plan (CAP). The OCR is willing to negotiate the terms of the resolution agreement, and the payment amount may be reduced from the amount that the entity is actually liable for. The amount is based on the entity’s ability to pay; keep in mind that this may be quite different than what the entity thinks. Also, in most cases the resolution agreement includes the requirement to fix the issues and to be monitored for a period of time.
Civil Money Penalties (CMP)
If the entity involved is not able to reach a satisfactory agreement to resolve the issues or if the entity violates the resolution agreement, the OCR may pursue formal enforcement action. If a CMP is proposed, the entity may request a hearing in which a Departmental administrative law judge decides if the CMP is warranted based on the evidence presented. Answering this is very important: if the entity does not request a hearing within 90 days of the OCR’s proposed determination, the OCR will issue a final determination and impose a CMP.
Audits
The HITECH Act requires HHS to perform periodic audits of covered entities and business associates to ensure they are compliant with the HIPAA Rules. These are known as random audits since they are not initiated by any incident.
The OCR did not initiate any audits in 2021 and is currently developing the criteria for implementing future audits.
What this means is… make sure your compliance efforts are documented and organized to ensure you will survive an audit without penalties.
When a patient or a patient’s representative requests a copy of medical records, it is very important to act promptly. Currently you have 30 days to comply with this right of access request, and one 30-day extension (if you advise the patient/representative that you will need more time and you give them a date when the records will be available). We expect this time frame to be reduced to 15 days, with one 15-day extension, this year. The reason I can’t stress the importance of this enough is the fines that have been assessed for non-compliance. As of today, there have been 43 cases resolved under the OCR’s HIPAA Right of Access Initiative. Only a few fines were under $10K; most of the fines were upwards of $25K to $200K.
Another area that we must stress the importance of is disgruntled employees, patient complaints, and data breaches. Should your practice be investigated by the OCR because of ONE incident, they will investigate ALL areas of HIPAA compliance. It is important to stay on top of ALL areas. Don’t forget to review your website too!
One special note: If you use a Contact Us form on your website, you must use encryption on your website (https) to ensure the data transmitted is secure. Then you must review where these messages are delivered and to which devices. Many website developers do not understand the HIPAA rules and offer website features that may cause liability if not properly protected. Again, this also includes the devices utilized to receive the information and how this information is stored. If you do not receive very many of these messages, we recommend removing the liability.
In case you have not seen some examples of the fines, check out our Education Tab:
Happy New Year! As we look back on 2022, we noticed that the Office for Civil Rights (OCR) has really started enforcing the Patient’s Right of Access. To see a list of fines and resolution agreements, check out our What are some of the actual HIPAA fines page. There are several proposed changes for HIPAA in 2023.
Here is a recap of what you need to be aware of:
1. Information Blocking – Information blocking is a practice by an “actor” that is likely to interfere with the access, exchange, or use of electronic health information (EHI). This rule was created to promote the flow of patient data between providers, patients, and the developers of Health IT. This included electronic health record (EHR) providers. If an actor is found to “block” the flow of information, they can receive up to a $1M fine. It is important to note that the Cures Act established two different “knowledge” standards for actors’ practices within the statute’s definition of “information blocking.” For health IT developers of certified health IT, as well as HIEs/HINs, the law applies the standard of whether they know, or should know, that a practice is likely to interfere with the access, exchange, or use of EHI. For healthcare providers, the law applies the standard of whether they know that the practice is unreasonable and is likely to interfere with the access, exchange, or use of EHI.
There are two categories of exceptions and eight exceptions to this rule.
Exceptions that involve not fulfilling requests to access, exchange, or use ePHI.
a. Preventing harm
b. Privacy
c. Security
d. Infeasibility
e. Health IT performance
Exceptions that involve procedures for fulfilling requests to access, exchange, or use ePHI.
f. Licensing
g. Fees
h. Content and manner
Although this is not enforced by the OCR, the HHS’ Office of the National Coordinator for Health Information Technology (ONC) is the agency that has authority to review claims of possible information blocking against health IT developers of certified health IT that may constitute a non-conformity under the ONC Health IT Certification Program. Separately, the HHS OIG has authority to investigate claims of possible information blocking across all types of actors: health care providers, health information networks and health information exchanges, and health IT developers of certified health IT.
Between April 5, 2021 and November 30, 2022, there have been 560 submissions for information blocking and only 43 that did not appear to be a claim of blocking.
Remember, when a patient requests their information to be shared, do not say no, make sure you check with your technology vendors to see if it would be possible.
2. Recognized Security Practices – This is known as the Safe Harbor Act that was passed into law to encourage medical practices and business associates to implement best practices for cybersecurity. Organizations that have completed their HIPAA Security Analysis, reduced their risks, and documented their security practices are looked upon more favorably during an investigation for a data breach. Keep in mind that penalties will not be increased if you have not completed this process. Penalties will remain as the standard permits and the entity’s ability to pay.
3. Charges for medical records – If your office charges for medical records, HIPAA requires your office to post these charges and to notify patients requesting records of the charges.
4. Hospitals must post clear and accessible pricing information online about items and services they provide in two ways. 1. As a comprehensive machine-readable file with all items and services. 2. In a consumer-friendly format that is shoppable.
5. Good Faith Estimates – All facilities must post the HHS Notice, “Right to Receive a Good Faith Estimate of Expected Charges,” on the provider’s or facility’s website, in the office, and onsite where scheduling or questions about the cost of items or service occur. The information must be prominently displayed and published in accessible formats and presumably available in languages spoken by the patient. The provider or facility must provide a good faith estimate of expected charges for items and services to an uninsured, self-pay individual, or an individual who does not wish to file a claim with their insurance company.
6. No Surprise Billing, also known as balance billing. Health care providers and facilities must provide an easy-to-understand notice explaining the applicable billing protections, who to contact if the patient has concerns that a provider or facility has violated the protections, and that patient consent is required to waive billing protections (patients must receive notice of and consent to being balance billed by an out-of-network provider).
7. HIPAA updates for 2023 – There are many proposed changes, but the final dates and enforcement dates have yet to be determined. A few notable changes that have been proposed are:
a. Adding the right to inspect their PHI in person, permit taking notes, or taking pictures of their PHI
b. Reducing the covered entity’s time to respond to a request for access to PHI from 30 days to 15 days. The covered entity will have an opportunity for an extension of no more than 15 calendar days (from the current 30-day extension)
c. Reducing the identity verification burden on individuals exercising their access rights
d. Specifying when electronic PHI (ePHI) must be provided to the individual at no charge
e. Requiring covered entities to inform individuals that they retain their right to obtain or direct copies of PHI to a third party when a summary of PHI is offered in lieu of a copy
f. Replacing the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their ‘‘professional judgment’’ with a standard permitting such uses or disclosures based on a covered entity’s good faith belief that the use or disclosure is in the best interests of the individual
g. Requiring covered health care providers and health plans to respond to certain records requests received from other covered health care providers and health plans when directed by individuals pursuant to the right of access
There are many others, and we are watching all of them. The effective date of a final rule will be 60 days after publication. Covered entities and their business associates would have until the ‘‘compliance date’’ to establish and implement policies and practices to achieve compliance with any new or modified standards. Except as otherwise provided, 45 CFR 160.105 provides that covered entities and business associates must comply with the applicable new or modified standards or implementation specifications no later than 180 days from the effective date of any such change.
The Department previously noted that the 180-day general compliance period for new or modified standards would not apply where a different compliance period is provided in the regulation for one or more provisions.
The Department believes that compliance with the proposed modifications should require no longer than the standard 180-day period provided in 45 CFR 160.105, and thus proposes a compliance date of 180 days after the effective date of a final rule. Accordingly, OCR would begin enforcement of the new and revised standards 240 days after publication of a final rule.
Scammers are always busy trying different tactics to get to your wallet. The holidays are no different. Bad actors use the holidays and people’s goodwill to fool them into giving. Be careful of offers that are too good to be true, and only shop on reputable sites. Some emails look legitimate, and you must look closely at them to see that they are not. First, look at the “from” email address, not just the name of the sender. The difference may be as subtle as a “.” in between the name or website address. Second, you can view the message details and from there find the IP address the email originated from. In Outlook, click the three dots (“…”) in the upper right corner of the message, scroll down to “view”, then “view message details”. There are many IP lookup sites on the internet. Many of these scams are generated from overseas. As always, do not click on links in emails. Open your browser and search for the site or product from there.
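The two checks described above (the real "from" address versus the display name, and the originating IP in the message details) can be automated. The following is an added example, not part of the original post; the sample message, the trusted-domain list and all function names are constructed assumptions.

```python
import email
import ipaddress
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed sample message; every name and address here is made up.
RAW_MESSAGE = (
    "Received: from mx.clinic.example (mx.clinic.example [10.0.0.5])\n"
    "\tby mailbox.clinic.example with ESMTP; Mon, 12 Dec 2022 09:15:03 -0500\n"
    "Received: from relay.sender.example (relay.sender.example [203.0.113.45])\n"
    "\tby mx.clinic.example with ESMTP; Mon, 12 Dec 2022 09:15:01 -0500\n"
    "Received: from [192.168.1.20] (unknown [198.51.100.77])\n"
    "\tby relay.sender.example with ESMTPSA; Mon, 12 Dec 2022 09:14:58 -0500\n"
    'From: "Your Bank Support" <alerts@your.bank.example>\n'
    "To: frontdesk@clinic.example\n"
    "Subject: Action required on your account\n"
    "\n"
    "Please verify your account.\n"
)

# Assumption: domains your organization really does business with.
TRUSTED_DOMAINS = ["yourbank.example"]

# Private, loopback and link-local IPv4 ranges are never the true origin.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse(raw):
    """Parse raw message text (headers plus body) into a Message object."""
    return email.message_from_string(raw)


def _squash(domain):
    # Remove the characters most often inserted to fake a domain.
    return domain.replace(".", "").replace("-", "")


def check_sender(msg, trusted):
    """Return (display_name, domain, verdict) for the From header.

    "trusted" only means the domain matches the list; the header itself
    can be forged, so it is not proof of who sent the message.
    """
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    verdict = "unknown"
    for good in trusted:
        if domain == good or domain.endswith("." + good):
            return name, domain, "trusted"
        similar = SequenceMatcher(None, domain, good).ratio() >= 0.85
        if _squash(domain) == _squash(good) or similar:
            verdict = "lookalike"
    return name, domain, verdict


def origin_ip(msg):
    """Return the first external IPv4 address in the earliest Received hop.

    Each server adds its Received header on top, so the last one in the
    message is the earliest hop. Hops added before your own mail server
    are written by the sender's side and can be falsified.
    """
    for hop in reversed(msg.get_all("Received") or []):
        for text in IP_RE.findall(hop):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue  # looked like an IP but is not valid (e.g. 999.1.1.1)
            if not any(ip in net for net in INTERNAL_NETS):
                return str(ip)
    return None


if __name__ == "__main__":
    message = parse(RAW_MESSAGE)
    print(check_sender(message, TRUSTED_DOMAINS))
    print(origin_ip(message))
```
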
Another method criminals use to target people is through text messages or voicemails. Again, do not click on links or call the number they send. Look it up! If it appears to be from your bank, call your bank. If it appears to be from your credit card company, call your card company. Our phones now are directly linked to our personal information and can be hacked as well.
The Social Security Administration warns people that fraudsters are calling/texting and asking people to verify information to receive the 2023 cost-of-living increase for people who receive benefits. The increase is automatic and does not need to be verified. Please advise everyone you know who receives these benefits, especially the elderly, who fall for these scams. Remind them that scammers typically say there is a problem with their account (social security, missed jury notice, credit card, etc.) and will try to pressure them to act immediately. The scammers then demand payment in a specific manner, and sometimes will want the victim to remain on the line while making the transaction, even if this means driving to a store to buy gift cards.
If you receive a questionable call, text, or email, hang up or don’t respond and report it at oig.ssa.gov/report. Scammers frequently change their methods with new tactics and messages to trick people. Stay up to date on the latest news and advisories by following SSA’s Office of the Inspector General on LinkedIn, Twitter, and Facebook or subscribing to receive email alerts.
The Office for Civil Rights (OCR) has issued a bulletin to remind covered entities and business associates of their obligations under HIPAA when using online tracking technology. These technologies include but are not limited to Google Analytics, Meta Pixel, Cookies, and QR codes.
Covered entities regularly share electronic protected health information (ePHI) with some of these tracking vendors. Some may be doing so in violation of HIPAA. Regulated entities are not permitted to use tracking technologies in a manner that would result in unauthorized disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA Rules.
Tracking technologies are used to collect and analyze information about how patients interact with websites and/or mobile applications (“apps”). If a covered entity or business associate utilizes a technology partner to analyze interactions or to disclose tracking information as part of their health care operations, the HIPAA rules will apply when the information that is collected contains protected health information (PHI). If your organization collects sensitive information with an online tracking vendor, such sharing may be considered impermissible disclosures. Another example of a HIPAA violation would be disclosures of PHI to a tracking company for marketing purposes without a patient’s authorization.
Tracking technology is a script or code on a website or mobile app that is used to gather information about users as they interact with the website or mobile app. Then it is analyzed by owners of the website or mobile app. Some third parties may also be used to analyze the data to create insights about users’ online activities. These insights could be used in beneficial ways, such as to help improve care or the patient experience. However, this tracking information could also be misused and cause identity theft, stalking, and harassment.
Disclosures include a variety of information that is shared through tracking technologies on a website or mobile app, including individually identifiable health information (IIHI) that the individual provides when they use websites or mobile apps. This information could include a patient’s medical record number, home or email address, or dates of services, as well as an individual’s IP address or geographic location, or medical device IDs. All such IIHI collected on a website or mobile app generally is PHI, even if the individual does not have an existing relationship with the entity and even if the IIHI, such as IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services. This is because, when an entity collects the individual’s IIHI through its website or mobile app, the information connects the individual to the entity and thus relates to the individual’s past, present, or future health or health care or payment for care.
Covered entities and business associates may have user-authenticated webpages, which require a patient to log in before they are able to access the webpage, such as a patient portal or a telehealth platform. Tracking technologies on an entity’s user-authenticated webpages generally have access to PHI. Tracking technologies within user-authenticated webpages may even have access to an individual’s diagnosis and treatment information, prescription information, billing information, or other information within the portal. A regulated entity must configure any user-authenticated webpages that include tracking technologies to allow technologies to only use and disclose PHI in compliance with the HIPAA Privacy Rule and must ensure that the electronic protected health information (ePHI) collected through its website is protected and secured in accordance with the HIPAA Security Rule. Hence, why it is so important to only work with website companies that are familiar with the HIPAA rules.
Tracking technology vendors are business associates if they create, receive, maintain, or transmit PHI on behalf of a covered entity or provide certain services to or for a covered entity (or another business associate) that involve the disclosure of PHI. In these circumstances, regulated entities must ensure that the disclosures made to such vendors are permitted by the Privacy Rule and enter into a business associate agreement (BAA) with these tracking technology vendors to ensure that PHI is protected in accordance with the HIPAA Rules. If a patient makes an appointment through the website of a covered entity and that website uses third party tracking technologies, then the website might automatically transmit information regarding the appointment and the individual’s IP address to a tracking technology vendor. In this case, the tracking technology vendor is a business associate, and a BAA is required. The BAA must specify the vendor’s permitted and required uses and disclosures of PHI and provide that the vendor will safeguard the PHI and report any security incidents, including breaches of unsecured PHI to the covered entity. The tracking technology vendor must implement administrative, physical, and technical safeguards in accordance with the Security Rule (encrypting ePHI that is transmitted to the tracking technology vendor; enabling and using appropriate authentication, access, encryption, and audit controls when accessing ePHI maintained in the tracking technology vendor’s infrastructure) to protect the ePHI.
Covered entities may also have webpages that do not require users to log in before the patient can access the information on a webpage; these are considered unauthenticated webpages. This may include general information about the practice or business like their location, services they provide, or their policies and procedures. Tracking technologies on unauthenticated webpages generally do not have access to PHI. In that case, a regulated entity’s use of such tracking technologies is not regulated by the HIPAA Rules. If tracking technologies on unauthenticated webpages have access to PHI, then the HIPAA Rules apply.
Examples of unauthenticated webpages where the HIPAA Rules apply include:
The login page of a patient portal (which may be the website’s homepage or a separate, dedicated login page), or a user registration webpage where an individual creates a login for the patient portal, generally are unauthenticated because the individual did not provide credentials to be able to navigate to those webpages.
However, if the individual enters credential information on that login webpage or enters registration information (name, email address) on that registration page, such information is PHI. Therefore, if tracking technologies on a regulated entity’s patient portal login page or registration page collect an individual’s login information or registration information, that information is PHI and is protected by the HIPAA Rules.
Tracking technologies on an unauthenticated webpage that addresses specific symptoms or health conditions, such as pregnancy or miscarriage, or that permits individuals to search for doctors or schedule appointments without entering credentials may have access to PHI in certain circumstances. For example, tracking technologies could collect an individual’s email address and/or IP address when the individual visits a regulated entity’s webpage to search for available appointments with a health care provider. In this example, the covered entity is disclosing PHI to the tracking technology vendor, and therefore, the HIPAA Rules apply.
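To find pages like the ones in these examples, a practice can inventory which of its webpages both load third-party code and collect what a visitor types in. The following is an added example, not part of the original post or the OCR bulletin; the sample pages, the host names under clinic.example and the function names are constructed assumptions, and the tracker host list is a small illustrative sample covering only the form-input case.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Small illustrative list of hosts used by the trackers named in the post.
KNOWN_TRACKERS = {
    "www.googletagmanager.com": "Google Analytics / Tag Manager",
    "www.google-analytics.com": "Google Analytics",
    "connect.facebook.net": "Meta Pixel",
}
# Input types that do not carry information typed by the visitor.
NON_DATA_INPUTS = {"hidden", "submit", "button", "reset", "image",
                   "checkbox", "radio"}

# Constructed sample pages (not taken from any real site).
LOGIN_PAGE = """
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>
  var s = document.createElement('script');
  s.src = 'https://connect.facebook.net/en_US/fbevents.js';
  document.head.appendChild(s);
</script>
<script src="https://portal.clinic.example/static/portal.js"></script>
</head><body>
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
</body></html>
"""
ABOUT_PAGE = """
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
</head><body><p>Our office hours and location.</p></body></html>
"""


class TrackerAudit(HTMLParser):
    """Collect third-party hosts and visitor-input fields from one page."""

    def __init__(self, first_party):
        super().__init__()
        self.first_party = first_party.lower()
        self.third_party = set()
        self.fields = []
        self._in_script = False

    def _note_url(self, url):
        host = (urlparse(url).hostname or "").lower()
        if not host:
            return  # relative URL, served by the site itself
        if host == self.first_party or host.endswith("." + self.first_party):
            return
        self.third_party.add(host)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            self._note_url(a["src"])
        if tag == "script":
            self._in_script = True
        elif tag == "input":
            if (a.get("type") or "text").lower() not in NON_DATA_INPUTS:
                self.fields.append(a.get("name") or "(unnamed)")
        elif tag in ("textarea", "select"):
            self.fields.append(a.get("name") or "(unnamed)")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Trackers are often injected by inline code rather than a src tag.
        if self._in_script:
            for host in KNOWN_TRACKERS:
                if host in data:
                    self.third_party.add(host)


def audit_page(html, first_party):
    """Return the third-party hosts and input fields found on a page.

    needs_review is True when third-party code runs on a page that also
    collects typed-in information, the situation described in the login
    and registration page example above.
    """
    parser = TrackerAudit(first_party)
    parser.feed(html)
    parser.close()
    hosts = sorted(parser.third_party)
    return {
        "third_party": hosts,
        "labels": {h: KNOWN_TRACKERS.get(h, "unrecognised third party")
                   for h in hosts},
        "fields": parser.fields,
        "needs_review": bool(hosts) and bool(parser.fields),
    }


if __name__ == "__main__":
    print(audit_page(LOGIN_PAGE, "portal.clinic.example"))
    print(audit_page(ABOUT_PAGE, "portal.clinic.example"))
```

A page that comes back with needs_review set is one to check against the vendor list for a signed BAA or a patient authorization.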
Mobile apps that help patients manage their health information or pay bills collect a variety of information that is provided by the app user. This includes information typed or uploaded into the app, as well as information provided by the app user’s device, such as fingerprints, network location, geolocation, device ID, or advertising ID. This information is PHI, and the regulated entity must comply with the HIPAA Rules for any PHI that the mobile app uses or discloses. Any subsequent disclosures to the mobile app vendor, tracking technology vendor, or any other third party who receives such information may also be considered PHI. The HIPAA Rules apply to any PHI collected by a covered entity through a mobile app used by patients to track health-related variables, such as heart rate, menstrual cycle, body temperature, etc.
Information that patients voluntarily download or enter into mobile apps that are not developed or offered by regulated entities is not covered by the HIPAA Rules, regardless of where the information came from. For example, the HIPAA Rules do not apply to health information that a patient enters in a mobile app offered by an entity that is not regulated by HIPAA (even if the individual obtained that information from their medical record created by a regulated entity). In instances where the HIPAA Rules do not apply to such information, other laws may apply. For instance, the Federal Trade Commission (FTC) Act and the FTC’s Health Breach Notification Rule (HBNR) may apply in instances where a mobile health app impermissibly discloses a user’s health information.
Again, covered entities and business associates are required to comply with the HIPAA Rules when using tracking technologies. The HIPAA Rules include the HIPAA Privacy, Security, and Breach Notification requirements. This includes ensuring that all disclosures of PHI to tracking technology vendors are specifically permitted by the Privacy Rule and that the minimum necessary rule is followed.
Websites may advise the use of tracking technology in the website privacy policy or terms of use, but the Privacy Rule does not permit disclosure of PHI to tracking technology vendors based on this notice. Website banners asking patients to accept cookies or other tracking technology do not constitute a HIPAA authorization. If the technology vendor is not a business associate of the covered entity, then a patient authorization is required BEFORE the PHI is disclosed to the vendor. Any disclosure of PHI to the vendor without a patient’s authorization requires the vendor to have a signed BAA in place and requires that there is an applicable Privacy Rule permission for disclosure. If a covered entity does not want to create a business associate relationship with these vendors, or the chosen tracking technology vendor will not provide written satisfactory assurances in the form of a BAA that it will appropriately safeguard PHI, then the entity cannot disclose PHI to the vendors without a patient authorization.
A regulated entity’s failure to comply with the HIPAA Rules may result in a civil money penalty. Therefore, moving forward it will be necessary to ensure your business partners are HIPAA compliant.
To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:
With so many data breaches in the news, many medical practitioners are asking if they can be sued over HIPAA violations or a data breach.
HIPAA rules state there is no private right of action; therefore, a patient cannot sue for a HIPAA violation. With that said, if there were privacy violations under state law, legal action may be possible. All states have their own set of privacy laws that encompass more than just the healthcare sector. State privacy laws vary from state to state and define what is considered private information. HIPAA and state laws require covered entities to secure protected health information (PHI) with administrative, physical, and technical safeguards. Business associates and subcontractors are required to do the same.
If a patient wants to file a lawsuit, the patient must be able to prove negligence and that the violation or data breach caused damage or harm. The Omnibus Rule removed the harm threshold when it came to covered entities reporting data breaches, but a patient has the right to claim harm. On another note, if a patient joins a class action lawsuit, it may make a stronger case. However, many class action lawsuits are filed based on the exposure to future harm. Without evidence of harm, this may weaken the case. This can be a costly endeavor, and patients should consider this and review what they hope to gain before taking legal action. Keep in mind, this is not a quick lawsuit. In the end, there is no guarantee of any monetary gain for the patient.
Many times, the practice can discuss the issues with the patient and avoid legal action altogether. It is recommended that if a practice has a disgruntled patient, the HIPAA privacy officer should talk to the patient if given the opportunity. Sometimes, an upset patient merely wants to be heard. Depending on the circumstances, the practice may be required to report the incident to the Department of Health and Human Services Office for Civil Rights (OCR).
If a patient feels as though their protected health information has been violated, they do have the right to file a complaint with the OCR. The complaint from the patient must be filed within 180 days of the incident. In some cases, an extension may be permitted. The complaint is reviewed to determine if it is justifiable. If it is, then the OCR will contact the practice and try to resolve the issue in the most suitable manner. This may include technical assistance, a resolution agreement, and/or ongoing compliance documentation. The average investigation timeline for a data breach takes 1½ – 2 years. Of course, for more complex breaches, it may take even longer. The outcome of the investigation will depend on the severity and nature of the violation, if this was a repeated offense, and the number of patients affected. Depending on the documentation of the incident and how it was handled, a practice may be able to avoid a desk audit. Remember, if it’s not documented, it does not exist. The patient may also file a complaint with the State Attorney General. Some complaints are referred to the Department of Justice (DOJ) if the investigation results in criminal violations. I hope this helps you to understand how important it is to keep patient data secure, and the documentation that demonstrates your efforts. If you have any questions on data security, how to handle a patient complaint, or how to handle a security incident, we are here to help.
To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:
Or to schedule a demo click the contact us tab and scroll down.
“Simplifying HIPAA through Automation, Education, and Support”
The Omnibus rule, also known as the “Final” rule, changed HIPAA in many ways. It gave HIPAA teeth and included business associates as being liable under the HIPAA rules. I thought most medical providers had been made aware of the many changes, but it has come to my attention that many are not.
In this article, we will discuss one of the confusing segments of the Omnibus rule, which is the restriction on disclosures for payments out of pocket by a patient.
Under the Omnibus rule, individuals have the right to obtain restrictions on the disclosure of their protected health information (PHI) in electronic or any other form to a health plan for payment or healthcare operations for specific items and services that the individual has paid out of pocket and in full. Such requests for restrictions must be granted by the practice unless disclosure is “required by law.” More on this later in this article.
Medical practices should consider various methods for segmenting restricted PHI such as “flags,” subfolders within the chart, special notations in the record, or other ways to ensure the restricted PHI is not inadvertently disclosed to the health plan in the event of an audit.
Under the HIPAA Omnibus Rule, providers must ensure that patients are notified of this right in their notice of privacy practices. There are other rights under the Omnibus rule that also must be included, but we are not covering that in this article. Notice of Privacy Practices must be placed in a prominent and accessible location (check in/out window or waiting room) and posted to the practice’s website if they have one.
More about the restriction requirements…
HHS states that the provider should notify downstream providers of the fact that an individual has requested a restriction to a health plan. However, some practices utilize forms stating that the restriction applies only to this date of service and this specific appointment, that the practice cannot guarantee others will abide by the restriction, and that the patient should contact the other providers.
Here is one example: a patient who is meeting with their primary physician requests a restriction on tests that will determine if they have a heart condition. If the primary physician refers the patient to a cardiologist, it is the patient’s responsibility to request a restriction from the cardiologist, if they wish to pay out of pocket. Although the primary physician would not be required to alert the cardiologist of the patient’s potential request for a restriction, it is recommended to do so if possible. Another option would be to advise the patient, to ensure that they are aware that it is the patient’s obligation to request restrictions from subsequent providers.
As technology has progressed, patient requests for other restrictions should be reviewed to see whether the capability is available within the EHR.
Restrictions and follow-up care…
If a patient has a restriction in place for a health care service but does not pay out of pocket and request a restriction with regard to the follow-up treatment, and the provider needs to include information that was previously restricted in the bill to the health plan in order to have the service deemed medically necessary or appropriate, then the provider is permitted to disclose such information so long as doing so is consistent with the provider’s minimum necessary policies and procedures. We also clarify that such a disclosure would continue to be permitted for payment purposes and would not require the individual’s written authorization. However, it is encouraged to discuss this with the patient to ensure that they are aware that previously restricted protected health information may be disclosed to the health plan unless they request an additional restriction and pay out of pocket for the follow-up care.
A patient may use their FSA or HSA to pay for the health care items or services that they request to have restricted from another plan. However, the patient may not restrict a disclosure to the FSA or HSA necessary to carry out that payment.
Under Medicare rules, medical practices are required to produce medical records if audited. This is a condition for participation in Medicare, and practices are subject to the mandatory claim submission provisions of the Social Security Act (which requires that if a physician attempts to charge a patient any remuneration for a service that is covered by Medicare, then the physician or supplier must submit a claim to Medicare). The Omnibus Final Rule states that there is an exception to the requirement when the patient (or the patient’s legal representative) refuses of their own free will to authorize the submission of a bill to Medicare. In such cases, a Medicare provider is not required to submit a claim to Medicare for the covered service and may accept an out-of-pocket payment for the service from the patient. The limits on what the provider may collect from the patient continue to apply to charges for the covered service, notwithstanding the absence of a claim to Medicare. Then the provider must restrict the disclosure of protected health information regarding the service to Medicare.
Bundled services…
Medical providers will need to discuss the provider’s ability to unbundle items or services and the impact of doing so since the health plan may still be able to determine the restricted item or service. If the medical provider is able to unbundle the items or services, they should do so. If the provider is not able to unbundle the group of items or services, they should inform the patient and give them the opportunity to pay out of pocket for the entire group and be able to restrict the disclosure.
Restriction Forms…
Although HIPAA does not require a patient to complete a restriction form, it is recommended to utilize a Do-Not-File-Insurance or Self-Pay form. This will inform patients of their rights and responsibilities and remind staff of this restriction. This form also would notify the patient that the medical practice will ensure that the information is not inadvertently disclosed to a health plan for payment or other health care operations purposes, such as audits by the health plan, unless the disclosure is required by law.
Medical practices may also consider including in the form that the restriction is void if payment for the services is not received in full or if the payment is dishonored due to an invalid credit card or check. It is recommended in these cases to reach out to the patient directly to seek payment before disclosing the information. If payment in full is not received, the practice is not required to abide by this disclosure restriction request and may file a claim with the patient’s health plan.
Impermissible disclosure consequences…
A practice that discloses restricted protected health information to the health plan is making a disclosure in violation of the Privacy Rule and the HITECH Act, which, as with other impermissible disclosures, is subject to possible criminal penalties, civil monetary penalties, or corrective action.
Healthcare cyber-attacks are on the rise and data breaches can cost a practice a fortune. It is no secret that patient data is valuable on the black market. Cyber criminals will try many different methods to gain access to this data.
The Office for Civil Rights (OCR) stated in their Cybersecurity Newsletter that there has been a 42% increase in cyber-attacks for the first half of 2022 compared to 2021, and a 69% increase in cyber-attacks targeting the health care sector. The number of data breaches occurring in the health care sector also continues to rise. Breaches of unsecured protected health information (PHI), including ePHI, reported to the OCR affecting 500 or more individuals increased from 663 in 2020 to 714 in 2021. Seventy-four percent (74%) of the breaches reported to OCR in 2021 involved hacking/IT incidents. In the health care sector, hacking is now the greatest threat to the privacy and security of PHI. A timely response to a cybersecurity incident is one of the best ways to prevent, mitigate, and recover from cyberattacks.
If you haven’t done so already, we recommend completing the Security Incident Procedures and Breach Notification Plan. You should add those responsible for your Security Response Team. Educate your team on identifying security incidents and how to respond to them. The quicker you can identify a threat, the sooner you can mitigate the issue.
Another item to have in place is your inventory list, so that you can locate which devices may be affected. In your Contingency Plan, there is a list of devices and software applications that you can use to determine which devices/applications will need to be brought online and in which order. Your IT department/vendor will assist with this process.
If it has been determined that a breach of patient data has occurred, this must be reported to the OCR. Remember to follow your state law if it is more stringent.
As with all requirements under HIPAA, you must document your process. If it is not documented, it does not exist. If there are other areas that you have questions about, please do not hesitate to contact us!