HIPAA in 2020 – How the protection of our privacy may be changing

By Suze Shaffer

HIPAA Compliance Training

January 15, 2020

Hindsight is always 2020. As we begin this new year, let’s try to make that a current sight!

By now, those of you who have been using Windows 7 computers and 2008 Servers have been getting notifications that the end of life was coming. The time is here. As of January 14, 2020, Microsoft will no longer support these operating systems. What this means is that they will no longer send out security updates. Each time a security update is issued, it is because someone has found a vulnerability that could be exploited. This is why hackers lie in wait for unsuspecting people to ignore this. Of course, it is doubtful that you will get hit on January 15, but the chance is there and will increase with each passing day. If you are hacked and this causes a data breach, you WILL be fined for using outdated software. At the conference in October, the OCR specifically discussed this.

All 50 states have their own set of privacy laws to protect their residents. In healthcare we have to adhere to HIPAA, the Federal law, but we must also follow state law when it is more stringent. Sometimes this means flipping back and forth, and it becomes very confusing. The good news is that lawmakers are trying to come up with a Federal privacy law to help stop the confusion. Although they haven’t come up with a firm plan yet, they are working on it. This is partly due to the GDPR (General Data Protection Regulation) being enforceable in the United States. Some people view this as a cost-guzzling law, but we are all consumers and we should have the right to know who is collecting our data, how they are storing our information, and whether they are selling our information. Hopefully, our Federal lawmakers will come up with a law that will allow consumers to opt out if we don’t want our information sold. In healthcare, our information may be sold by EHRs and other healthcare companies when it is de-identified. Medical practitioners are required to obtain a patient’s authorization before they share patient information. Other businesses should be required to do the same and be fined for selling our personal information if we do not permit the disclosure.

To learn more about what is being discussed in legislation, click here:

https://cdt.org/collections/federal-privacy-legislation/

If you would like to learn more about the legislative proposal, click here:

https://cdt.org/insights/statement-of-michelle-richardson-examining-legislative-proposals-to-protect-consumer-data-privacy/

In June 2018, California passed a consumer privacy law, AB 375, that may be more stringent than the GDPR. The California Consumer Privacy Act (CCPA) went into effect January 1, 2020. Although the law isn’t as stringent as the GDPR on notification timelines, it does have some very tight restrictions that go even further. Any company that has at least $25 million in annual revenue and serves California residents must comply with the law. Also, companies of any size that have personal data on at least 50,000 people or that collect more than half of their revenues from the sale of personal data fall under this law. Companies don’t have to be based in California to fall under the law. They don’t even have to be based in the United States.

We believe more states will follow California unless we can agree on a Federal law to help all consumers. Most of us are patients at a medical facility somewhere, and we are ALL consumers everywhere! Enacting a Federal privacy law is a good thing, not a bad one!

Happy New Year and praying for good things to come!

If you would like more information, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

2019 HIPAA Updates

 


As we start this new year, we must reflect on what we learned in 2018 in order to make 2019 a success.

The Office for Civil Rights (OCR) has gained momentum in enforcing HIPAA violations. With that said, HIPAA is an ongoing process and once is not enough. It is not considered done unless it is documented. At the annual conference this past year, the OCR admitted they are adamant about ensuring your patients’ information is protected. Therefore, you must document your compliance. If you say you did something, they will ask for your documentation. If you do not have documentation, you will be fined.

Companies located in the United States are now required to adhere to the General Data Protection Regulation (GDPR) if they market goods and services to citizens of the European Union (EU). You must ensure the security of the data as well as inform visitors to your website how you intend to use their data. This must be clearly written in the privacy notice on your website. This is not to be confused with the Notice of Privacy Practices that you give to your patients. If you plan on marketing to visitors from your website, you must offer them a free opt-out option. We could go into more detail on this subject, but since many medical clinics do not market to international patients, you may contact us for more information.

Here are a few things to review and update as necessary:

  1. Risk analysis and risk management plan. This is your documentation to demonstrate what risks you have (had) and how you have mitigated them or plan to mitigate them.
  2. Replacing or updating any outdated technology. Hardware and software require updates from time to time. You can be fined for utilizing outdated hardware/software that is no longer supported by the manufacturer.
  3. Adding a second authentication process for access to ePHI as well as for online personal accounts.
  4. HIPAA training. Ensuring your employees understand how to protect your data is also part of this training.
  5. Making sure you have all of the necessary privacy and security policies, procedures, and forms in place. This means reading and dating them to demonstrate they were actually implemented.
  6. Retaining your documentation for the required time limit, including correspondence with patients that is considered to be part of their medical record.
  7. Reviewing your website to determine whether your site collects any data and how it is transmitted and stored.

If you see something in your workplace that looks suspicious, tell your HIPAA Compliance Officer. You could be the one to prevent a data breach or stop a data breach from becoming a major breach (over 500 patient records). Keeping data secure is everyone’s business. Being mindful of our surroundings and educating others helps all of us in this crazy world we live in now!

 

State law data breach notification updates

 

By Aris Medical Solutions


All 50 states now have a separate privacy law. South Dakota and Alabama are the final two states to enact data breach notification laws. Other states, like North Carolina, are proposing updates to their requirements that would allow only 15 days to notify in the event of a data breach.

Although medical practices must adhere to the Federal HIPAA law guidelines, if your state law is more stringent, state law will supersede federal notification requirements. You may also be required to notify your state officials or the credit reporting agencies. Know your state law!

Lastly, know where your patients or customers are located. Even if you are in a different state, if you have their data you must follow THEIR state privacy law. If you have any international patients or customers, be sure to understand how the GDPR will affect your organization. Then you must update your privacy policy within your office.

The link below lists the states and the statutes. Only a couple of the states have live links. If you want more information, you will need to copy and paste into Google.
http://www.ncsl.org/research/telecommunications-and-information-technology/2018-security-breach-legislation.aspx

For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467.

“Protecting Organizations through Partnership, Education, and Support”

 

General Data Protection Regulation: What does this mean to the US

 

By Aris Medical Solutions


You may have already heard about the GDPR (General Data Protection Regulation) from the EU (European Union) that will affect many organizations here in the United States.

Our personal information has been sold for years, some with and some without our knowledge. Many organizations require a person to “accept” their terms and conditions, with long legal agreements that we must agree to before using their software, joining their network, or downloading an app, to name a few. Most people do not read this very important disclosure because it is simply too long and too legal. They collect data from us in order to enter a sweepstakes, win a prize, or simply to gain access to a forum. This information can be sold to other organizations so they can market their goods and services to us. I will be explaining in my next notification how to poison this information and make it useless. For now we need to concentrate on how to understand this new regulation.

With the GDPR from the EU becoming effective May 25, 2018, organizations must become compliant by May 25, 2018.

Here is a basic summary of what you need to know:

  1. Organizations that provide goods or services to anyone located within the European Union, regardless of where the company is located, must adhere to this new regulation. This also includes companies that process and store personal data of an EU citizen. This is similar to the individual state laws we currently have in the United States.
  2. Personal data is anything that can be used to identify a person, directly or indirectly. This includes name, photo, email address, bank details, medical information, computer IP address, and even posts on social media.
  3. You must have clear, full consent to use a person’s information. No lengthy, vague legal forms; just clear, plain language. Nothing short of an opt-in will be acceptable.
  4. Just like HIPAA, there is a tiered sanction policy. Organizations can be fined up to 4% of annual global income for breaching the GDPR. This is for severe violators. Organizations can be fined up to 2% for not having their records in order, not notifying a supervising authority, not notifying the person that is affected by a data breach, or not conducting an impact assessment.
  5. These rules will apply to both cloud data controllers and processors; neither will be exempt from GDPR enforcement.
  6. Data breaches must be reported within 72 hours.

What do you need to do to prepare?

  1. Review your client/patient database.
  2. Do you have any European clients/patients?
  3. Review where all of your data is stored.
  4. Do you use a cloud system?
  5. Do you have a BA agreement in place with the data processor/center?
  6. Update your breach notification plan.

For more information on the GDPR: https://www.eugdpr.org/


 
