Be careful what you post on your website; you could be charged with false advertising! Some HIPAA compliance companies want you to use their “seal” of compliance. It is great advertising for them, but does it put your practice at risk of an audit? Some say yes, and worse, you could be charged with false advertising by the FTC.
HIPAA is a moving target, and at any given moment you could be “out of compliance” for something as simple as using a device that hasn’t been updated with the latest security patch. Of course, you won’t get fined for that, UNLESS it causes a data breach. So, advertising that your organization is “HIPAA Compliant” could put you at risk for false advertising.
It has always been all about “documentation”. The HIPAA rules clearly outline the requirements for policies, procedures, and documentation. If your organization has not been evaluating (§164.308(a)(8)) the technical and non-technical security measures you have in place on a regular basis, you are out of compliance. How do you know when to conduct these evaluations? This depends on your policies, and if you do not have a policy on this, you are out of compliance. As you can see, this can be very confusing! Did you know that 75% of the Security Rule is policies and procedures, and 25% is technical safeguards? With Public Law No: 116-321, it is all about your documentation.
If the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place that may:
(1) mitigate fines under section 1176 of the Social Security Act (as amended by section 13410);
(2) result in the early, favorable termination of an audit under section 13411; and
(3) mitigate the remedies that would otherwise be agreed to in any agreement with respect to resolving potential violations of the HIPAA Security rule (part 160 of title 45 Code of Federal Regulations and subparts A and C of part 164 of such title) between the covered entity or business associate and the Department of Health and Human Services.
Recognized security practices are those recommended in NIST and the Security Rule. Each organization must assess their environment and adapt “best practices”.
Most organizations think they are HIPAA compliant until they suffer a data breach, or a disgruntled employee / patient files a complaint against them. Then they are investigated by the Office for Civil Rights (OCR). Unless they have proper documentation and have demonstrated best practices in data security, they may be fined up to $1.5M per violation.
This healthcare cybersecurity handout was created by the DHHS:
Medical professionals have had a rough year and a half. These have been trying times for so many, and we have had to learn to adapt to new ways of running practices. I was hoping to be able to share some good news during this time of thankfulness and joyous season, but the Office for Civil Rights does not take breaks… This is not meant to be disrespectful but to inform you that when a patient files a complaint, the OCR takes that seriously and will open an investigation. So, during this holiday season, please stay vigilant to patient requests. Be sure to have the patient make the request in writing, and no sticky notes allowed! DOCUMENTATION is your friend, not your enemy. Make sure this task is completed in a timely manner. These forms are included in your HIPAA compliance program if you do not have one already in use.
The Office for Civil Rights is VERY interested in how timely you answer a patient’s request to access their medical records. This is known as “Right of Access”. A patient has the “right” to request a copy of their medical records and this should be provided within 30 days, or if additional time is needed, a 30-day extension may be permitted if the patient has been notified of the reason and the delay with a date that the records will be made available.
In September the OCR announced the twentieth settlement for right of access violations. Earlier this month, they announced five more.
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced the resolution of five investigations in its Health Insurance Portability and Accountability Act (HIPAA) Right of Access Initiative, bringing the total number of these enforcement actions to twenty-five since the initiative began. OCR created this initiative to support individuals’ right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule.
HIPAA gives people the right to see and get copies of their health information from their healthcare providers and health plans. After receiving a request, an entity that is regulated by HIPAA has, absent an extension, 30 days to provide an individual or their representative with their records in a timely manner.
“Timely access to your health records is a powerful tool in staying healthy, patient privacy and it is your right under law,” said OCR Director Lisa J. Pino. “OCR will continue its enforcement actions by holding covered entities responsible for their HIPAA compliance and pursue civil money penalties for violations that are not addressed.”
OCR has taken the following enforcement actions that underscore the importance and necessity of compliance with the HIPAA Right of Access:
Advanced Spine & Pain Management (ASPM), which provides management and treatment of chronic pain services in Cincinnati and Springboro, Ohio, has agreed to take corrective actions that include two years of monitoring, and has paid OCR $32,150 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
Denver Retina Center, a provider of ophthalmological services in Denver, CO, has agreed to take corrective actions that include one year of monitoring and has paid OCR $30,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
Dr. Robert Glaser, a cardiovascular disease and internal medicine doctor in New Hyde Park, NY, did not cooperate with OCR’s investigation or respond to OCR’s data requests after failing to provide a patient with a copy of their medical record. Dr. Glaser waived his right to a hearing and did not contest the findings of OCR’s Notice of Proposed Determination. Accordingly, OCR closed this case by issuing a civil money penalty of $100,000.
Rainrock Treatment Center, LLC dba Monte Nido Rainrock (“Monte Nido”), a licensed provider of residential eating disorder treatment services in Eugene, OR, has taken corrective actions including one year of monitoring and has paid OCR $160,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
Wake Health Medical Group, a provider of primary care and other health care services in Raleigh, NC, has agreed to take corrective actions and has paid OCR $10,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
There are many other fines being assessed that can be reviewed on the HHS/OCR website. This is not meant to scare you but rather inform you what they are doing so you can stay safe and prosperous.
All of us at Aris Medical Solutions want to wish everyone a safe and wonderful holiday season. We do not take breaks either, we are here to help you!
To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:
Many medical providers are so busy trying to run a successful practice they sometimes forget the “technical” side of their business. Hackers know this and capitalize on it. Lately in the news, we have heard about Microsoft and Apple vulnerabilities that have been exploited by spammers and hackers. Therefore, it is SO important to stay on top of technology updates!
Most practices utilize an IT company of some sort; we recommend an IT company that specializes in network security. We do not recommend that the practice try to do this itself unless the person assigned to the task is well versed in data security.
The Office for Civil Rights recommends an annual HIPAA risk analysis be conducted because technology changes so fast, by the time you implement a new system, an update is probably available. Speaking of the Office for Civil Rights, over the last few years, they have added hundreds of new auditors and now they are advertising for multiple new attorneys to enforce HIPAA. “Who May Apply: This vacancy announcement is open to all US Citizens and may be used to fill multiple positions”.
We have an automated HIPAA Compliance platform to help medical practices and their business associates with the daunting task of updating HIPAA compliance. To learn more about why you should and how to protect your data, read more below.
Over the last 12 years we have learned so much from our clients and have created a system that came out of their suggestions. For example, keeping all policies in one Step so you can easily scroll down to locate the one you need. Also, being able to view the state breach notification requirements. This is especially helpful for those practices that have multiple state locations or patients in more than one state. As we have been onboarding clients, we have had great feedback on the look and ease of use. Here is some information for your review.
Aris’ automated HIPAA system will enable your organization to maintain the HIPAA compliance documentation in an easy-to-follow format. As you know, it only takes one patient complaint, a disgruntled employee, or a data breach to start an investigation from the Office for Civil Rights (OCR) and they sometimes include the Office of Inspector General (OIG) and the Department of Justice (DOJ). Documentation is a main factor in avoiding a desk audit or passing an audit.
Our new system is better than ever. You have the ability to upload your own documents or implement and customize the ones that are included. Plus, as new rules and laws are introduced, we send out notifications of updates so you can review and approve the new policies. For instance, the Information Blocking rule is included, and we are watching for the other updates that are to follow. If you are not familiar with this, our new online HIPAA compliance system may be of interest to you.
Training your employees has never been easier. After you enter your employees during the onboarding process, you can send them to take an online HIPAA training course that is included. Once they complete the course, they will be required to take a short quiz, and their certification of completion is conveniently stored within the system should you be audited.
The entire system educates the client every step of the way to ensure you understand what is required under HIPAA. If you have questions about HIPAA or need guidance, we offer a support ticketing system that is included with our monthly subscription.
Once you create your login, it is easy to navigate! In the Profile section, you will add employees, business associates, and electronic devices. You may use an Excel spreadsheet to upload each section or enter individually. From here you can send employees the Confidentiality and Acceptable Use agreement via DocuSign to ensure employees understand what is acceptable and what is not permitted. If you do not have a business associate agreement in place with all your vendors, you have the option of sending one via DocuSign or printing a copy and sending one instead. The inventory list is a great way to keep track of which devices have had ePHI located on them, so you know the method to retire equipment when the time comes.
Step 1 – You will answer a series of questions to uncover risks and vulnerabilities. A risk management plan will be generated automatically that outlines what is needed to mitigate the vulnerabilities that were uncovered. You may modify what is recommended if you choose.
Step 2 – Security Incident Procedures and Breach Notification Plan. You will select which states your patients are located and the state law will automatically be populated. This plan also includes the links needed in the event of a data breach large or small.
Step 3 – You will be asked a series of questions about whether or not you have policies and procedures in place that meet the HIPAA Privacy and Security Rule requirements. Each policy will have a side note of education to ensure you understand what is required to be included. We suggest adopting the policies included and modify to meet your specific needs, then the policies are automatically dated and approved.
Step 4 – HIPAA Forms and Documentation. You may have forms you are already using; you may upload them to this Step to keep all your forms organized. There are also many forms you may not be aware are required under HIPAA; they are included and available for download in a Word format. You can customize them with your information and logo.
Step 5 – Business Associate agreements. During the creation of your profile, you are asked to add your business associates and upload any existing business associate agreements and HIPAA compliance documentation you may have. You have the option of sending a business associate a BA agreement via DocuSign or you may download a Word format and customize if needed. This is also useful if you have a Business Associate that uses Subcontractors, you would be able to use this document.
Step 6 – Contingency Plan. You may upload your own contingency plan, or you may choose to complete the one included in this Step.
Step 7 – This step contains a wealth of information. You can take a leisurely stroll to learn more about the HIPAA rules and other requirements that may affect your organization. You have the option to include which areas to include in your download. We also have a list of affiliates that you may need to complete your compliance requirements.
After you have completed the 7-Steps, you may simply download your package to share your policies and procedures with your employees.
Do you have all your HIPAA policies and procedures?
Have your employees completed HIPAA training?
Do you have all your Business Associate agreements in place?
If you are unsure about any of these questions, you may be exposed to potential fines by the Office for Civil Rights (OCR) should you become part of a HIPAA complaint or investigation by a disgruntled employee or patient.
Our online HIPAA Keeper™ is designed to educate and protect covered entities such as medical practices, dental practices, and chiropractors. We also have a system just for business associates. How does it work? Just sign-up, enter your employee and business associate information, answer a comprehensive questionnaire, then implement, generate, and download all your documents required under HIPAA law in one easy ZIP file each year. You are required by law to keep your documents for 6 years. Our document package includes employee confidentiality agreements and business associate agreements signed via DocuSign, or you may upload your own. The package also includes a risk management plan, certificates of completion for employee training, as well as all policies and procedures required for HIPAA compliance. There is no better or easier way to document and maintain your HIPAA Compliance history.
We try to share useful information as we come across it. Below are some links that we think may be of interest to our audience such as: ICD-10 updates, Fraud, Waste, and Abuse Training, Booklets, and Prevention. We have also included some videos from YouTube. Be sure to follow the guidelines set forth and do not let hindsight get you in trouble.
The OCR released their Summer 2021 Cybersecurity Newsletter, and it stated that, according to a recent report, 61% of security incidents and data breaches were committed by external actors and 39% by insiders. During COVID last year, systems that monitor audit logs found that internal snooping was up by 90%.
The Information Access Management 45 CFR § 164.308(a)(4)(i) and Access Control 45 CFR § 164.312(a)(1) are two of the HIPAA Security Rule standards that cover access to ePHI.
We will discuss Information Access Management under the Administrative Safeguards first. This standard requires covered entities and business associates to implement policies and procedures that outline how covered entities and business associates authorize or grant access to ePHI within their organization. This may include how access to information systems containing ePHI is requested, authorized, and granted, who is responsible for authorizing access requests, and the requirements for granting access. These policies typically cover workforce roles that may be granted access to particular systems, applications, and/or data. It is important to point out that access must be based on job function or business necessity. Since this is an Addressable standard, if a particular implementation specification is not reasonable and appropriate, entities must document why, and implement equivalent alternative measures if reasonable and appropriate.
Access Establishment and Modification 45 CFR § 164.308(a)(4)(ii)(C) policies describe how to establish, document, review, and modify a user’s access to workstations, transactions, programs, or processes. For example, a workforce member being promoted or given some change in responsibility may require increased access to certain systems and decreased access to others. Another example is that a covered organization could change its system access requirements to permit remote access to systems containing ePHI during a pandemic. Policies and procedures should cover situations such as these to ensure that each workforce member’s access continues to be appropriate for their role.
Access Control under the Technical safeguards is a required standard for covered entities and business associates to implement access controls for electronic information systems to allow access to ePHI only to those approved in accordance with the organization’s Information Access Management process. The flexible, scalable, and technology-neutral nature of the Security Rule permits organizations to consider various access control mechanisms to prevent unauthorized access to ePHI. Such access controls could include role-based access, user-based access, attribute-based access, or any other access control mechanisms the organization deems appropriate. This means, what may be acceptable for one organization may not be suitable for another. Access controls need not be limited to computer systems. Firewalls, network segmentation, and network access control (NAC) solutions can also be effective means of limiting access to electronic information systems containing ePHI. Properly implemented, network-based solutions can limit the ability of a hacker to gain access to an organization’s network or impede the ability of a hacker already in the network from accessing other information systems – especially systems containing sensitive data.
The Access Control standard includes Unique User Identification 45 CFR § 164.312(a)(2)(i), which is a required implementation specification and is a key security requirement for any system. While the use of shared or generic usernames and passwords may seem to provide some short-term convenience, it severely degrades the integrity of a system because it removes accountability from individual users and makes it much easier for the system to become compromised. If information is improperly entered, altered, or deleted, whether intentionally or not, it can be very difficult to identify the person responsible (e.g., for training or sanctions) or determine which users may have been the victim of a phishing attack that introduced ransomware into the organization. Additionally, because shared usernames and passwords can become widely known, it may be difficult to know whether the person responsible was an authorized user. A former employee or contractor, a current employee not authorized for access, a friend or family member of an employee, or an outside hacker could be a source of unauthorized access. The inability to identify and track a user’s identity due to the use of shared user IDs can also impede necessary investigations when the shared user ID is used for unauthorized or even criminal activity. For example, a malicious insider could take advantage of known shared user IDs to hide their activities when collecting personal medical and financial information to use for identity theft. In such a case, an organization’s implemented audit controls would document the actions of the shared user ID, thus potentially limiting the organization’s ability to properly identify and track the malicious insider.
The second implementation specification, Emergency Access Procedure 45 CFR § 164.312(a)(2)(ii) is also a required implementation specification. This implementation specification is applicable in situations in which normal procedures for obtaining ePHI may not be available or may be severely limited, such as during power failures or the loss of Internet connectivity. Access controls are still necessary during an emergency, but may be very different from normal operations. For example, due to the recent COVID-19 public health emergency, many organizations quickly implemented mass telehealth policies. How workforce members can securely access ePHI during periods of increased teleworking should be part of an organization’s Emergency Access Procedures. Appropriate procedures should be established beforehand for how to access needed ePHI during an emergency.
The third implementation specification, Automatic Logoff 45 CFR § 164.312(a)(2)(iii), is an addressable implementation specification. Users sometimes inadvertently leave workstations unattended for various reasons. In an emergency setting, a user may not have time to manually log out of a system. Implementing a mechanism to automatically terminate an electronic session after a period of inactivity reduces the risk of unauthorized access when a user forgets or is unable to terminate their session. Failure to implement automatic logoff not only increases the risk of unauthorized access and potential alteration or destruction of ePHI, it also impedes an organization’s ability to properly investigate such unauthorized access because it would appear to originate from an authorized user.
The final implementation specification is Encryption and Decryption 45 CFR § 164.312(a)(2)(iv), which is also an addressable implementation specification. This technical safeguard can reduce the risks and costs of unauthorized access to ePHI. For example, if a hacker gains access to unsecured ePHI on a network server or if a device containing unsecured ePHI is stolen, a breach of PHI will be presumed and reportable under the Breach Notification Rule (unless the presumption can be rebutted in accordance with the breach risk assessment). The Breach Notification Rule applies to unsecured PHI, which is PHI “that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under [the HITECH Act].” OCR’s Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals, which provides guidance for securing PHI, states that ePHI that is “at-rest” (i.e., stored in an information system or electronic media) is considered secured if it is encrypted in a manner consistent with NIST Special Publication 800-111 (Guide to Storage Encryption Technologies for End User Devices) (SP 800-111).
ePHI encrypted in a manner consistent with SP 800-111 is not considered unsecured PHI and therefore is not subject to the Breach Notification Rule. Encrypting ePHI in this manner is an excellent example of how implementing an effective encryption solution may not only fulfill an organization’s encryption obligation under the Access Control standard, but also provide a means to leverage the Breach Notification Rule’s safe-harbor provision.
As the use of mobile computing devices (e.g., laptops, smartphones, tablets) becomes more and more pervasive, the risks to sensitive data stored on such devices also increase. Many mobile devices include encryption capabilities to protect sensitive data. Once enabled, a device’s encryption solution can protect stored sensitive data, including ePHI, from unauthorized access in the event the device is lost or stolen.
If you need assistance with HIPAA Risk Management, or guidance with your HIPAA Compliance contact us at 877.659.2467 or complete the contact us form.
“Simplifying HIPAA through Partnership, Education, and Support”
As all of you know, HIPAA is a moving target. Just when you think you understand what is going on, it changes.
By now, most of you have heard about the 21st Century Cures Act / Information Blocking Rule. This final rule will apply to most everyone in healthcare, with variable responsibilities. Healthcare developers, health information exchanges, and health information networks could face civil monetary penalties of up to $1,000,000.00 per violation. Complaints and investigations will be conducted by ONC (Office of the National Coordinator). Healthcare providers could face “appropriate disincentives” that will be established by HHS/CMS but have not been defined yet.
Information blocking can be best described as when EHI (electronic health information) has been requested and denied. I am not going to go into detail on the developers or information exchange side in this notification, but here are a few examples for healthcare providers:
Healthcare organization or hospital refusing to exchange information
Requiring a patient to sign a consent to exchange their information for treatment
Charging a patient for electronic access to their information
Delayed access to information when the information was available days before
When we speak of access or exchange of EHI, that does not mean share everything you have. This is based on the “request”. You will only be obligated to share what is requested. Remember the “minimum necessary” rule, these are similar guidelines.
This is a very complex rule, and more information can be found at:
The proposed changes to the HIPAA Privacy Rule include strengthening patients’ rights to access their own health information, including electronic information; improving information sharing for care coordination and case management for individuals; facilitating greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises; enhancing flexibilities for disclosures in emergency or threatening circumstances; and reducing administrative burdens on HIPAA covered health care providers and health plans, while continuing to protect individuals’ health information privacy interests.
Summary of Major Provisions
HHS proposes to modify the Privacy Rule to increase permissible disclosures of PHI and to improve care coordination and case management by:
Adding definitions for the terms electronic health record (EHR) and personal health application.
Modifying provisions on the individuals’ right of access to PHI by:
○ Strengthening patients’ rights to inspect their protected health information (PHI) in person. Permitting individuals to take notes or use other personal resources to view and capture images of their PHI.
○ shortening covered entities’ required response time to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension)
○ clarifying the form and format required for responding to individuals’ requests for their PHI
○ requiring covered entities to inform individuals that they retain their right to obtain or direct copies of PHI to a third party when a summary of PHI is offered in lieu of a copy
○ reducing the identity verification burden on individuals exercising their access rights
○ creating a pathway for individuals to direct the sharing of PHI in an EHR among covered health care providers and health plans, by requiring covered health care providers and health plans to submit an individual’s access request to another health care provider and to receive back the requested electronic copies of the individual’s PHI in an EHR
○ requiring covered health care providers and health plans to respond to certain records requests received from other covered health care providers and health plans when directed by individuals pursuant to the right of access
○ limiting the individual right of access to direct the transmission of PHI to a third party to electronic copies of PHI in an EHR
○ specifying when electronic PHI (ePHI) must be provided to the individual at no charge
○ amending the permissible fee structure for responding to requests to direct records to a third party; and
○ requiring covered entities to post estimated fee schedules on their websites for access and for disclosures with an individual’s valid authorization and, upon request, provide individualized estimates of fees for an individual’s request for copies of PHI, and itemized bills for completed requests.
Amending the definition of health care operations to clarify the scope of permitted uses and disclosures for individual-level care coordination and case management that constitute health care operations.
Creating an exception to the “minimum necessary” standard for individual-level care coordination and case management uses and disclosures. The minimum necessary standard generally requires covered entities to limit uses and disclosures of PHI to the minimum necessary needed to accomplish the purpose of each use or disclosure. This proposal would relieve covered entities of the minimum necessary requirement for uses by, disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management activities with respect to an individual, regardless of whether such activities constitute treatment or health care operations.
Clarifying the scope of covered entities’ abilities to disclose PHI to social services agencies, community-based organizations, home and community-based service (HCBS) providers, and other similar third parties that provide health-related services, to facilitate coordination of care and case management for individuals.
Replacing the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their “professional judgment” with a standard permitting such uses or disclosures based on a covered entity’s good faith belief that the use or disclosure is in the best interests of the individual. The proposed standard is more permissive in that it would presume a covered entity’s good faith, but this presumption could be overcome with evidence of bad faith.
Expanding the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is “serious and reasonably foreseeable,” instead of the current stricter standard which requires a “serious and imminent” threat to health or safety.
Eliminating the requirement to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s Notice of Privacy Practices (NPP).
Modifying the content requirements of the NPP to clarify for individuals their rights with respect to their PHI and how to exercise those rights.
Expressly permitting disclosures to Telecommunications Relay Services (TRS) communications assistants for persons who are deaf, hard of hearing, or deaf-blind, or who have a speech disability, and modifying the definition of business associate to exclude TRS providers.
Expanding the Armed Forces permission to use or disclose PHI to all uniformed services, which then would include the U.S. Public Health Service (USPHS) Commissioned Corps and the National Oceanic and Atmospheric Administration (NOAA) Commissioned Corps.
To read more about this proposed rule and to read public comments submitted in response to the Notice of Proposed Rulemaking on Modifications to the HIPAA Privacy Rule:
Most practices seek assistance from one or more businesses to help them with certain functions within their organization. Depending on the type of service they provide, they may be considered a “Business Associate” under the HIPAA guidelines.
So, what defines a business associate under § 164.308(b)(1)?
Any person or entity that may encounter ePHI/PHI while providing services to the covered entity. For example, a shredding company, billing company, or an IT company. Even if the IT company is not responsible for the data transmission or storage of ePHI, they are still considered a business associate under the definition by the Office for Civil Rights (OCR). This is because they may have access to computers or software to assist the provider when issues arise, or when updates are needed.
Software providers such as EHR/EMR and practice management vendors are also BAs. Custom software providers may also be included if they maintain the system and are required to provide updates. The exception to this would be if a custom software were developed and turned over to the practice for their use and then maintained by the IT vendor. The IT vendor would be the BA.
Clearinghouses are covered entities, and business associates of a covered entity since they facilitate the processing of health information from a nonstandard format into standard format, or from standard format into nonstandard format.
Some practices with multiple partners may use revenue from patients to determine each provider’s share. If they use a third party like a CPA, then the CPA may be considered a BA.
If an attorney is needed to defend the provider/practice against a patient and PHI is disclosed, the attorney is then a BA.
An easy way to remember this is… if PHI/ePHI is disclosed, or could possibly be disclosed, during the vendor’s job function, then they are a BA.
A cleaning company is NOT considered a business associate even though they may encounter PHI because their job function does not include the creation, transmitting, or maintaining of ePHI. It is advisable to require the company to sign a confidentiality agreement and require their employees receive HIPAA training, so they understand the HIPAA rules.
When hiring a business associate, you are required under HIPAA to ensure your vendor is HIPAA compliant. The first step is to obtain a Business Associate Agreement (BAA), but you must also have reasonable assurances they are in fact HIPAA compliant. You may request their most recent HIPAA training for the employees that will be responsible for working within your practice, policies on data security, and depending on the services they provide, a copy of their latest risk analysis (first and last page that demonstrates who conducted the analysis and when). You also have the right to ask if they use business associates (subcontractors). The practice must ensure that anyone and everyone that comes in contact with ePHI/PHI understands how to protect this data.
Large medical practices are targeted by hackers since this information is so valuable. Smaller practices are hacked through phishing attacks, unsuspecting employees, business associates, and outdated software/hardware. It is everyone’s responsibility within the practice to ensure all data is secure and to avoid data breaches. I am sure you are thinking that if the government cannot keep data secure, how can you? Large organizations are always a target, and they have the same issues as smaller ones, just more areas of vulnerability for the bad actors to get in.
Stay safe out on the World Wide Web (WWW); we call it the Wild Wild West. The biggest difference is, during the Wild Wild West days, you could see trouble coming into town and prepare. On the World Wide Web, trouble is invisible until it is too late.
If you need assistance with Risk Management or guidance with your HIPAA Compliance, contact us at 877.659.2467 or complete the contact us form.
“Simplifying HIPAA through Partnership, Education, and Support”
Many practices think once they have conducted a risk analysis, they are done with their HIPAA compliance efforts. Unfortunately, a risk analysis is just the beginning! You must document your ongoing HIPAA efforts through evaluations.
45 CFR § 164.308(a)(8) Evaluation – HIPAA requires organizations to review technical and non-technical aspects of their compliance efforts based on their original risk analysis. These evaluations could be based on operational or environmental changes that affect the security of ePHI.
Setting a time frame in which to perform your evaluations will be essential in determining if you are adequately protecting ePHI. Organizations may perform these processes annually or as needed (e.g., bi-annual or every 3 years) depending on circumstances of their environment. An annual evaluation is recommended due to the ever-changing world of technology. As software/hardware become outdated or are replaced, the new devices must be reviewed to ensure they are HIPAA compliant and installed properly. Of course, if you have a major change in your organization or a data breach, you may need to reorganize your quarterly plans and conduct a new risk analysis. Keep in mind, should you suffer a data breach when you have not updated your risk analysis and a vulnerability is discovered, you could be heavily fined. It is important to know if the security plans and procedures you have implemented continue to adequately protect ePHI. Some organizations do not see the need to hire an IT vendor, thinking they can do this themselves. Depending on the services that are being offered, you could be making a huge mistake. An IT vendor that specializes in data security for healthcare is essential in protecting your data and your assets.
We recommend reviewing certain aspects each quarter of each year. For instance, in the first quarter, review your Risk Management Plan to ensure everything is documented. It may not be necessary to update your Breach Notification Plan, but we suggest reading it to remind yourself what to do in the event of a data breach.
The second quarter would be a good time to review your Contingency Plan and make any updates. You may need to request additional information from your IT department or vendor.
In the third quarter, review your HIPAA Privacy Rule Policies, Procedures and Documentation. Most of these will not need any updates, but as always, it is recommended to review them, just in case something has changed.
In the fourth quarter, review your HIPAA Security Rule Policies, Procedures and Documentation. As in the privacy section, you may not need to update very many, but it is required under HIPAA to review them. Pay close attention to the Technical Safeguards section, as this may be where changes need to be made.
We also recommend reviewing your insurance policies and vendor contracts at least 60-90 days before they renew. This should give you ample time to review and decide if you have adequate coverage. This includes medical malpractice, life, and disability for key personnel. We also suggest reviewing your contract with your IT vendor at least 90 days before the contract terminates; some vendors add stipulations to the contract that automatically lock you in for an additional year.
Cyber/breach insurance should be reviewed with an agent that specializes in this type of coverage; the average policy may not be enough to protect you.
Aris has been busy creating an automated HIPAA compliance package. With the new program, you will be able to update your plan and your policies quickly and easily. With the documentation within the system, you will be able to demonstrate your on-going HIPAA compliance efforts. Watch for the launch announcement!
Recently a cosmetic practice was fined $30,000 to settle potential HIPAA Privacy Rule violations. In the past many practices believed if they did not accept insurance payments (considered as a “transaction” under HIPAA), they were immune from the privacy rule. This may not be the case. There is a section in the rule that states “Other transactions that the Secretary may prescribe by regulation”. HIPAA compliance is a balancing act. Are you willing to lose $30K of your hard-earned money to test the system?
This investigation started with a complaint from a patient who had requested their medical record and did not receive it in a timely manner. Under the HIPAA Privacy Rule, the provider must respond to a patient’s request for access no later than 30 calendar days after the request. If the covered entity is not able to act within this timeframe, the entity may have up to an additional 30 calendar days if they provide the individual (within the initial 30-day period) with a written statement for the reason of the delay and include a date when the entity will have the information available. See 45 CFR §164.524(b)(2). Unfortunately for this practice, this was not handled in a timely manner. Therefore, an investigation was launched.
Let us review how this happens.
Once a complaint is filed with the Office for Civil Rights (OCR), the OCR will determine if the complaint falls within their duties to investigate. Once an investigation has been opened, the OCR will contact the practice for their documentation surrounding the incident. The documentation that is submitted will determine if a desk audit is warranted. This is why documentation is SO important: you may be able to avoid a desk audit if you supply the appropriate documents.
During a desk audit, more than likely you will be asked for documentation of what preventative measures you had in place before the incident and what you have implemented to prevent this from happening again. While you are being investigated, the OCR may also review your compliance in other areas. If they find discrepancies, you could be fined for those as well. HIPAA encompasses a large range of requirements: patient privacy, patient rights, and data security, to name a few. I will not go into detail during this notification since we are sharing the security rule requirements in other messages.
Each resolution agreement that is issued by the HHS/OCR outlines the deficiencies they uncover. Most of them include the lack of a risk analysis, risk management, training, business associate agreements, and policies and procedures. During this investigation, other violations were uncovered, and the Social Security Act was named in the resolution agreement: Section 1128A of the Social Security Act (42 U.S.C. § 1320a-7a) a.
From this, I hope you can understand the importance of HIPAA compliance, because one simple oversight can cause this much heartache. Patient privacy, patient rights, and data security are as important as caring for your patients. We have just learned that any entity that has patient data can be investigated and fined for violations under HIPAA.
Tell your friends and colleagues to ensure everyone understands no one is immune from HIPAA if you have patient data. Fines are fierce and not worth taking a chance by thinking “it won’t happen to me”.