Do you know what it means to be HIPAA compliant?

HIPAA Rules & Guidelines

Be careful what you post on your website, you could be charged for false advertising! Some HIPAA compliance companies want you to use their “seal” of compliance. It is great advertising for them, but does it put your practice at risk of an audit? Some say yes, and worse, you could be charged for false advertising from the FTC.

https://www.ftc.gov/news-events/press-releases/2021/02/ftc-gives-final-approval-settlement-emergency-travel-services

https://www.ftc.gov/system/files/documents/cases/c-4732_skymed_final_order.pdf

HIPAA is a moving target and at any given moment you could be “out of compliance” for something as simple as using a device that hasn’t been updated with latest security patch. Of course, you won’t get fined for that, UNLESS it causes a data breach. So, to advertise that your organization is “HIPAA Compliant” could put you at risk for false advertising.

It has always been all about “documentation”. The HIPAA rules clearly outline the requirements for policies, procedures, and documentation. If your organization has not been evaluating (§164.308(a)(8)) the technical and non-technical security measures you have in place on a regular basis, you are out of compliance. How do you know when to conduct these evaluations? This depends on your policies, and if you do not have a policy on this, you are out of compliance. As you can see, this can be very confusing! Did you know that 75% of the Security Rule is policies and procedures, and 25% is technical safeguards? With Public Law No: 116-321, it is all about your documentation.

If the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place that may:

(1) mitigate fines under section 1176 of the Social

        Security Act (as amended by section 13410);

(2) result in the early, favorable termination of an audit

        under section 13411; and

(3) mitigate the remedies that would otherwise be agreed

        to in any agreement with respect to resolving potential

        violations of the HIPAA Security rule (part 160 of title 45 Code

        of Federal Regulations and subparts A and C of part 164 of such

        title) between the covered entity or business associate and the

        Department of Health and Human Services.

Recognized security practices are those recommended in NIST and the Security Rule. Each organization must assess their environment and adapt “best practices”.

Most organizations think they are HIPAA compliant until they suffer a data breach, or a disgruntled employee / patient files a complaint against them. Then they are investigated by the Office for Civil Rights (OCR), unless they have proper documentation and have demonstrated best practices in data security, they may be fined up to $1.5M per violation.

This healthcare cybersecurity handout was created by the DHHS:

https://www.phe.gov/Preparedness/planning/405d/Documents/HICP-Main-508.pdf

If you need assistance in navigating the maze of HIPAA, complete the contact us form at https://arismedicalsolutions.com/contact/ or call 877.659.2467 and schedule a demo of Aris’ automated HIPAA compliance platform. Documentation has never been easier, and with our customer service, you will know what is required and how to handle situations that arise.

 

“Simplifying HIPAA through Automation, Education, and Support”

About Suze Shaffer

Suze Shaffer is the owner and president of Aris Medical Solutions. She specializes in HIPAA compliance, risk management, and cyber security. She believes that by educating her clients in understanding why and what needs to be done to protect their practice they have a better outcome.

Suze has been instrumental in helping clients nationwide with risk management, implementing privacy and security rule policies and procedures, and ultimately protecting patient data. She includes state and federal regulatory requirements to ensure clients are protected in all areas.

She has spoken at numerous conferences and functions. She continues to educate organizations how to minimize the risks of data breaches. HIPAA compliance is not an option, it is mandatory for every organization that comes in contact with protected health information to have reasonable and appropriate security measures in place. Unfortunately, most organizations don’t realize they are not compliant until they suffer a data breach or they are faced with an audit or investigation.

Did you know that the Office for Civil Rights (OCR) is the agency that investigates data breaches? Have you seen the heavy fines that have been imposed for non-compliance?

All 50 states now have their own set of privacy laws and the State's Attorney General may also investigate privacy violations!

Share This HIPAA Blog

More fines for Providers for not providing timely right of access

December 15, 2021

Information Blocking Rule – Best practices to prepare now

January 15, 2022
©2022 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC