We have advised our clients for years to only transmit protected health information (PHI) if it is encrypted. We have also recommended encryption for the data at rest. With the rise of hacking, this is never more important. There are many problems that can arise from compromised email accounts.
It only takes one employee’s email account to get hacked, then the hacker can view what the user has stored, who they communicate with, and who they do not speak with directly. Let’s review each one:
Contents of email. Of course, you do not want an unknown person reading your emails, but it is even worse if your email account contains PHI. The hacker can take that information, sell it, or even target your patients to gain more information.
The hacker can also see who you are communicating with and now they can target your co-workers into giving them information by impersonating you.
They also know who you only communicate with via email. This sets the stage for phone conversations since you do not know what this person sounds like. The hacker can request wire transfers, employee lists, patient lists, the amount of information that they are willing to request is only limited by their imagination.
These attacks may be targeted for financial gain, identity theft, or medical insurance theft. Regardless of the hackers’ motives, they all can be devastating to a practice. Just last year an Orlando practice had 4 email accounts compromised and over 447K patients were affected. When considering the methods to secure email accounts, you must also consider which devices are used to access email. This furthers the security requirements. A thorough risk analysis will uncover potential vulnerabilities and give you the opportunity to avoid a data breach.
That brings me to the next topic… if you don’t need to store it, DO NOT. If you can move the needed documentation to a secure server or your EHR, then do. If there isn’t a “need” to store patient information (or any sensitive information) in email, then remove it. This also applies to “old” patient records in databases or software. There is a reason behind medical record retention requirements, and when it is safe to dispose of medical records, then do! This too reduces your liability!
To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:
It is a known fact that hackers target the healthcare sector because the data is so valuable. The cost of healthcare data breaches increased from a total average of $7.13M in 2020 to $9.23M in 2021. The average breach cost rose $1.07M for those who had remote access. Organizations in the U.S. has lost $2.4B to business email scams. They have estimated that cybercrime topped $6T worldwide.
So, how do hackers get in and what can you do to protect yourself?
Remember, there isn’t ONE magic setting to protect you from all threats, it takes layers of security!
Organizations must have solid network security in place. Firewalls are a necessity in today’s world. You can set specific parameters to ensure employees can go where they need to, and block where they do not. You can also set security policies that block other countries.
Utilizing real-time anti-virus and anti-malware software also helps. This won’t help if an employee clicks on a link or picks up malware on the internet unless the system alerts the user BEFORE they click! For example, if an employee is surfing the web (and no they should not surf on a work computer), and they visit a website that has been infected, your anti-virus / anti-malware software should alert you with a warning.
Although there are brut attacks, but most hackers come in via through a phishing attempt. Often, an employee makes a simple mistake like clicking on a link or an attachment in an email. Even though I talk about this ALL the time and say NEVER do this…people still do. Email scammers use several ways to trick employees to gain access to information. Including getting employees to send wire transfers, send a list of employee’s social security numbers, or to make purchases they are not aware of. Alan Suderman at Fortune cited a case where thieves hacked the email account of the organization’s bookkeeper, then inserted themselves into a long email thread, sent messages asking to change the wire payment instructions for a grant recipient, and made off with $650,000. You think this can’t happen to you, but I know of a practice that someone hacked an email account and changed the bank information for payments from an insurance carrier, they lost about $100K.
I know of a company that the CEO email was hacked and being monitored, once the scammers knew who they talked to on the phone and who they did not, then the call came in to make a $65K wire transfer. POOF! Just like that $65K was gone. YES, THIS HAPPENS! Keep in mind, if the caller or the email is asking for private information or money, verify BEFORE releasing it.
• Unless you are expecting an email from someone, DO NOT CLICK! • If you get an email from someone you know and were not expecting it, pick up the phone and call them! • If there is a link, open a web browser and open your account from there. • If it is URGENT and requires you to act immediately, it is more than likely a hacker/spammer. • If it says your credit card has been charged for something and you didn’t charge it, call your card company or your bank, do not call the number in the email or call the number in the voice mail. • If they have all your information except the code on the back and ask you to verify the card by giving them the number, DO NOT. • Government, state, and local authorities will not call you and demand payment immediately. Ignore these completely. • Again, if money or personal information is involved, VERIFY!
Scammers share their success stories with other scammers, while ransomware hackers will hit you again if you pay. There is no honor among thieves.
All sizes of organizations need to be on high alert, from large hospitals to small single provider practices. I have used this analogy before, the World Wide Web it the modern version of the Wild Wild West. The biggest difference is you can’t see the bad guys coming into town to prepare. You must prepare for the unknown and the unseen. There are companies that offer Phishing training. Then, they try to get your employees to take the bait. This has been a success at most companies. Educating your staff is JOB ONE! They can be your best ally, or your weakest link. You can build a fortress around your data, and one click can bring it down.
Continuous security awareness training is vital in your fight against these bad actors. Organizations must teach employees to be watchful for phishing attacks and stopping them by simply not engaging in emails and on the web.
To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:
The Office for Civil Rights sent out a cyber newsletter stating that throughout 2020-2021 hackers have targeted the health care industry and the number of breaches increased 45% from 2019 to 2020. The number of breaches due to hacking or IT incidents account for 66% of all breaches affecting over 500 patients records in 2020. Cyber-attacks are critical in health care since it can disrupt services to patients and destroy patient data.
Most cyber-attacks could have been prevented if covered entities and business associates had implemented the HIPAA Security Rule requirements. Technical safeguards are based on the organizations size, type of environment, and how data flows in and out of their systems. Keep in mind, phishing attacks and weak authentication protocols are the most common exploitations.
What can you do to prevent cyber-attacks?
While nothing is 100%, simple precautious can go a long way. Educating your staff should be a top priority. Tricking employees to click on links or to share vital information is the most common tactic. An unsuspecting employee is typically how an attack starts. There are more sophisticated methods that can exploit previously unknown vulnerabilities, but phishing is still the most common. Train your employees not to click on attachments unless they are expecting the communication and the sender has been verified. Also, do not click on links within emails. Best practices are to open your browser window and go to the website and log-in from there. If the employee suspects an email contains a virus or is suspicious, they should contact their IT department/vendor and verify. It is always better to be safe than sorry later!
Ongoing HIPAA training is essential to keep up with new threats. Annual training keeps HIPAA on the minds of your employees, but when you add monthly security reminders it helps so much more! The HIPAA security officer should share emails or website information from reliable sources to keep their employees informed. When you receive Aris’ monthly Security Newsletter, share this valuable information with the staff, including clinicians, and management since they are often a target from hackers. If possible, utilize a company that offers Phishing training and exercises. Contact us for some suggestions.
Unfortunately, security training cannot be effective if it is viewed by as a burdensome, and employees just want to “check-the-box”. Keep staff members engaged by explaining cyber security is everyone’s job in protecting ePHI.
In addition to education, organizations can mitigate the risk of phishing attacks by implementing anti-phishing technologies. You should talk to your IT vendor about what type of services they have that can help you. For example, if an email is suspected of being a threat, it can be blocked, and appropriate personnel notified. Another approach can involve scanning web links or attachments included in emails for potential threats and removing them if a threat is detected. Newer techniques can leverage machine learning or behavioral analysis to detect potential threats and block them as appropriate. Many available technology solutions use a combination of these approaches. Implementing access controls that restrict access to ePHI to only those requiring such access is also a requirement of the HIPAA Security Rule. Organizations may determine that because its privileged accounts (administrator) have access that supersedes other access controls (role or user-based access) and thus can access ePHI, the privileged accounts present a higher risk of unauthorized access to ePHI than non-privileged accounts. If exploited through an administrative access point, not only could privileged accounts supersede access restrictions, but they could also delete ePHI or even alter or delete hardware or software configurations, rendering devices inoperable. To reduce the risk of unauthorized access to privileged accounts, the organization could decide that a privileged access management (PAM) system is reasonable and appropriate to implement.
Covered entities and business associates are required under HIPAA to ensure the integrity, confidentiality, and availability of ePHI. This means protecting patient data from improper alteration, destruction, and making sure it is available when needed. Hackers that penetrate an organization’s network can wreak havoc by encrypting patient data, modifying data, or stealing the data. Based on the type of network your organization utilizes, you may need domain controller and/or business grade firewall. Some firewalls that are designed for “small” businesses, are not robust enough for healthcare. As devices age, they must be replaced since technology is always changing, and vulnerabilities are exploited. Before purchasing new equipment, it is suggested to consult with an IT vendor that specializes in healthcare. It is important to ensure the device can be used in a healthcare setting, set up correctly, and custom security policies implemented.
As we just mentioned about devices being upgraded, so must software applications. Again, when an organization utilizes outdated software, these can be exploited as well. I have heard over the years many different reasons why “programs” cannot be upgraded, it won’t work with the new version of windows, they don’t offer upgrades, or simply they do not want to spend the money. None of these reasons are acceptable excuses from the Office for Civil Rights unless you have security measures in place to protect the legacy systems and they are safe from the “outside” world. If you utilize outdated equipment or software and you are hacked, you CAN and WILL be fined if you have not demonstrated best practices in protecting your data. You literally are running the risk of losing your business. The fines are THAT much!
We recommend yearly network security audits that are performed by a network security company. This is different that your regular IT company that maintains your systems unless they truly specialize in network security. This type of company should perform several types of vulnerability scans. Not all scans are created equal and different types may be necessary to uncover holes in your security. For example, scans that look for weak passwords, duplicate passwords, weak access controls, and vulnerable ports. 80% of the attacks can be linked to weak authentication credentials. By adding a second authentication process, a bio-scanner, or RFID card to access ePHI greatly enhances security. This is especially helpful for those using remote access. When it comes to your daily IT vendor, they must also under HIPAA and follow the security protocols set forth by NIST. Several medical practices have been breached due to incorrect settings within the network. Some of these breaches cost $3M in fines!
Summary:
Although malicious attacks targeting the health care sector continue to increase, many of these attacks can be prevented or mitigated by fully implementing the Security Rule’s requirements. Many organizations continue to underappreciate the risks and vulnerabilities of their actions or inaction (increased risk of remote access, unpatched or unsupported systems, not fully engaging the workforce in cyber defense).
Unfortunately, there isn’t a single magic action to ensure the safety of your data, it is a combination of the above and ongoing upgrades.
To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:
This week the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the resolution of four investigations related to the HIPAA privacy rule.
Two cases were part of the HIPAA Right of Access, bringing the total number of enforcement actions to twenty-seven since the initiative began. Another case included misuse of social media in response to a negative review.
A solo dental practitioner in Butler, Pennsylvania, failed to provide a patient with a copy of their medical record. After being issued a Notice of Proposed Determination, the doctor requested a hearing before an Administrative Law Judge. The litigation was resolved before the court made a determination by a settlement agreement in which the doctor agreed to pay $30,000 and take corrective actions to comply with the HIPAA Privacy Rule’s right of access standard.
A dental practice with offices in Charlotte and Monroe, North Carolina, impermissibly disclosed a patient’s PHI on a webpage in response to a negative online review. The practice did not respond to OCR’s data request, did not respond or object to an administrative subpoena, and waived its rights to a hearing by not contesting the findings in OCR’s Notice of Proposed Determination. OCR imposed a $50,000 civil money penalty.
A dental practice in Fairhope, Alabama, who impermissibly disclosed its patients’ PHI to a campaign manager and a third-party marketing company hired to help with a state senate election campaign, agreed to take corrective action and pay $62,500 to settle potential violations of the HIPAA Privacy Rule.
A psychiatric medical services provider with two office locations in California, agreed to take corrective actions and pay OCR $28,000 to settle potential violations of the HIPAA Privacy Rule, including provisions of the right of access standard.
If you would like to read about other fines, follow this link:
When the providers and upper management understand the ramifications of violations, then the rest of the staff typically will follow the examples that are set in place. Because HIPAA Compliance starts at the top!
Violations happen when someone makes a mistake or is simply not thinking. HIPAA needs to be on the forefront of everyone who encounters patient information. Treat this information as if it were your own! HIPAA does not have to be difficult; it only takes a few precautionary measures to stay compliant.
Here are some helpful reminders:
Always speak in hushed tones. The person you are talking to may not be the one that will complain. Others may think if they can hear what you are saying to another patient, someone else will hear what you are saying to them.
When a patient makes a request, always ask this to be in writing. Remember there is a time limit on most requests, and you must answer within the time allotted. If a patient asks for a copy of their medical records, you have 30 days to answer the request, you may extend 30 days, but it must be explained to the patient why, and a date when they will be available must be determined.
With the new information blocking rules, patients now have the right to ask for their information in the format of their choice. This means if they want to download to an app or share with a third party, you are required to do so. If you do not have the technology in place to honor their request, advise the patient you are checking into this, and never tell them “no” you can’t honor their request. That may be considered information blocking.
Before emailing or faxing patient information, verify the number/address, and before you click send, verify AGAIN! If you are attaching documents, be sure the document you are sending is the correct information for that patient. If you are emailing protected health information (PHI), encryption should be utilized. The only time this is not required is if the patient has been informed that this is not a secure method of transmission, and they authorize you to send it anyway. Be sure to keep that email as your authorization.
Train your staff to verify that business associate agreements are in place before releasing any paper, digital, or electronic PHI. This can save you hundreds of thousands of dollars in fines should they mishandle PHI.
Educate your staff that looking into medical records that they do not have a need to do so, is grounds for termination. This includes family members, friends, neighbors, and celebrities. The monitoring of audit logs is a required standard under the security rule. If you are not reviewing your logs, then it is highly recommended to utilize an audit log monitoring company.
Remind staff that work computers are for business purposes only. It is so easy to introduce malware and viruses from the internet. Also, remind them NEVER click on links in emails unless you are expecting the email.
These are just a few items to keep in mind. Be sure to train your staff on privacy and security annually and send out reminders. HIPAA is not just a once-a-year commitment, it is every day! Stay safe out there!
To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:
It is the start of a new year and one thing we know for sure; nothing stays the same. Rules change, technology changes, and we must keep up. We wrote about the new Information Blocking Rule last July, but we have found many practices still do not understand what this means to them.
When the EHR Meaningful Use criteria was introduced in 2013, CMS stated that practices did not have to implement specific technology if a patient requested their information in a format that they did not have in place. This has all changed with the Information Blocking Rule that was passed in 2021. Part of the Interoperability Standard requires medical providers and health information companies to share patient data upon patient request. This Rule makes it very clear when it comes to patients and the control they have over their information. This is also known as “right of access”.
In the past EHRs was hesitant to open their portals due to security issues. Now, it is required to have security measures in place and share the data. There are some exceptions, but be forewarned, they are vague, and could be misinterpreted.
Penalty guidelines are in place for IT operators and health information companies, they are still working on the guidelines for medical providers. This gives you a limited amount of time to get ready for heavy enforcement.
Patients are now permitted to request their information be made available in the format of their choice. This includes to a third-party app installed on their mobile devices. These apps should protect patient data by supporting secure access through authentication processes similar to what the financial industries use.
When a patient makes a request and you do not have the technology in place to grant their request, you are obligated to comply with their request if possible or contact your technology vendors to see if this can be accomplished. If you do not, this could be considered Information Blocking. We recommend contacting your EHR and starting a conversation with them to ensure they are working on interfaces with other EHRs and some of the most common mobile apps.
There are some companies working on this technology, from what I have heard, they are limited. I am sure more will be adding this service as we progress. Before you hire a company to “develop” an interface for you, read below.
NOTE: If a patient requests their medical provider to share their information with another entity that is not a covered entity or a business associate, the information is not subject to the HIPAA rules. For example, the covered entity would not have HIPAA responsibilities or liability if such an app that the patient designated to receive their ePHI later experiences a breach. If a patient requests a covered entity to send their ePHI using an unsecure method the covered entity must grant the disclosure if it is readily available in the form and format used by the app. However, it is highly recommended to advise the patient of the lack of security so they can make an informed decision.
On the other hand, if the app was developed for, or provided by or on behalf of the covered entity and it creates, receives, maintains, or transmits ePHI on behalf of the covered entity, the covered entity could be liable under the HIPAA Rules for a subsequent impermissible disclosure because of the business associate relationship between the covered entity and the app developer. For example, if the patient selects an app that the medical provider uses to provide services to their patients involving ePHI, the medical provider may be subject to liability under the HIPAA Rules if the app impermissibly discloses the ePHI received. If you choose to develop or work with a company that has developed an app, be sure to obtain a BA agreement and review their technology security to ensure they are following the HIPAA requirements.
As we venture into this new territory, there will bad actors trying to “jump” on the healthcare wagon. As always, do your research before using any new applications or vendors. Ask your colleagues and most of all, check out their credentials.
To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:
Be careful what you post on your website, you could be charged for false advertising! Some HIPAA compliance companies want you to use their “seal” of compliance. It is great advertising for them, but does it put your practice at risk of an audit? Some say yes, and worse, you could be charged for false advertising from the FTC.
HIPAA is a moving target and at any given moment you could be “out of compliance” for something as simple as using a device that hasn’t been updated with latest security patch. Of course, you won’t get fined for that, UNLESS it causes a data breach. So, to advertise that your organization is “HIPAA Compliant” could put you at risk for false advertising.
It has always been all about “documentation”. The HIPAA rules clearly outline the requirements for policies, procedures, and documentation. If your organization has not been evaluating (§164.308(a)(8)) the technical and non-technical security measures you have in place on a regular basis, you are out of compliance. How do you know when to conduct these evaluations? This depends on your policies, and if you do not have a policy on this, you are out of compliance. As you can see, this can be very confusing! Did you know that 75% of the Security Rule is policies and procedures, and 25% is technical safeguards? With Public Law No: 116-321, it is all about your documentation.
If the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place that may:
(1) mitigate fines under section 1176 of the Social
Security Act (as amended by section 13410);
(2) result in the early, favorable termination of an audit
under section 13411; and
(3) mitigate the remedies that would otherwise be agreed
to in any agreement with respect to resolving potential
violations of the HIPAA Security rule (part 160 of title 45 Code
of Federal Regulations and subparts A and C of part 164 of such
title) between the covered entity or business associate and the
Department of Health and Human Services.
Recognized security practices are those recommended in NIST and the Security Rule. Each organization must assess their environment and adapt “best practices”.
Most organizations think they are HIPAA compliant until they suffer a data breach, or a disgruntled employee / patient files a complaint against them. Then they are investigated by the Office for Civil Rights (OCR), unless they have proper documentation and have demonstrated best practices in data security, they may be fined up to $1.5M per violation.
This healthcare cybersecurity handout was created by the DHHS:
Medical professionals have had a rough year and a half. This has been trying times for so many and we have had to learn to adapt to new ways of running practices. I was hoping to be able to share some good news during this time of thankfulness and joyous season, but the Office for Civil Rights do not take breaks… This is not meant to be disrespectful but to inform you that when a patient files a complaint, the OCR takes that seriously and will open an investigation. So, during this holiday season, please stay vigilant to patient requests. Be sure to have the patient make the request in writing and no sticky notes allowed! DOCUMENTATION is your friend, not your enemy. Make sure this task is completed in a timely manner. These forms are included in your HIPAA compliance program if you do not have one already in use.
The Office for Civil Rights is VERY interested in how timely you answer a patient’s request to access their medical records. This is known as “Right of Access”. A patient has the “right” to request a copy of their medical records and this should be provided within 30 days, or if additional time is needed, a 30-day extension may be permitted if the patient has been notified of the reason and the delay with a date that the records will be made available.
In September the OCR announced the twentieth settlement for right of access violations. Earlier this month, they announced five more.
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced the resolution of five investigations in its Health Insurance Portability and Accountability Act (HIPAA) Right of Access Initiative, bringing the total number of these enforcement actions to twenty-five since the initiative began. OCR created this initiative to support individuals’ right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule.
HIPAA gives people the right to see and get copies of their health information from their healthcare providers and health plans. After receiving a request, an entity that is regulated by HIPAA has, absent an extension, 30 days to provide an individual or their representative with their records in a timely manner.
“Timely access to your health records is a powerful tool in staying healthy, patient privacy and it is your right under law,” said OCR Director Lisa J. Pino. “OCR will continue its enforcement actions by holding covered entities responsible for their HIPAA compliance and pursue civil money penalties for violations that are not addressed.”
OCR has taken the following enforcement actions that underscore the importance and necessity of compliance with the HIPAA Right of Access:
Advanced Spine & Pain Management (ASPM), which provides management and treatment of chronic pain services in Cincinnati and Springboro, Ohio, has agreed to take corrective actions that include two years of monitoring, and has paid OCR $32,150 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
Denver Retina Center, a provider of ophthalmological services in Denver, CO, has agreed to take corrective actions that includes one year of monitoring and has paid OCR $30,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
Dr. Robert Glaser, a cardiovascular disease and internal medicine doctor in New Hyde Park, NY, did not cooperate with OCR’s investigation or respond to OCR’s data requests after failing to provide a patient with a copy of their medical record. Dr. Glaser waived his right to a hearing and did not contest the findings of OCR’s Notice of Proposed Determination. Accordingly, OCR closed this case by issuing a civil money penalty of $100,000.
Rainrock Treatment Center, LLC dba Monte Nido Rainrock (“Monte Nido”), a licensed provider of residential eating disorder treatment services in Eugene, OR, has taken corrective actions including one year of monitoring and has paid OCR $160,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
Wake Health Medical Group, a provider of primary care and other health care services in Raleigh, NC, has agreed to take corrective actions and has paid OCR $10,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
There are many other fines being assessed that can be reviewed on the HHS/OCR website. This is not meant to scare you but rather inform you what they are doing so you can stay safe and prosperous.
All of us at Aris Medical Solutions want to wish everyone a safe and wonderful holiday season. We do not take breaks either, we are here to help you!
To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:
Many medical providers are so busy trying to run a successful practice they sometimes forget the “technical” side of their business. Hackers know this and capitalize on it. Lately in the news, we have heard about Microsoft and Apple vulnerabilities that have been exploited by spammers and hackers. Therefore, it is SO important to stay on top of technology updates!
Most practices utilize an IT company of some sort, we recommend an IT company that specializes in network security. We do not recommend the practice trying to do this themselves unless the person assigned to the task is well versed in data security.
The Office for Civil Rights recommends an annual HIPAA risk analysis be conducted because technology changes so fast, by the time you implement a new system, an update is probably available. Speaking of the Office for Civil Rights, over the last few years, they have added hundreds of new auditors and now they are advertising for multiple new attorneys to enforce HIPAA. “Who May Apply: This vacancy announcement is open to all US Citizens and may be used to fill multiple positions”.
We have an automated HIPAA Compliance platform to help medical practices and their business associates with the daunting task up updating HIPAA compliance. To learn more about why you should and how to protect your data, read more below.
Over the last 12 years we have learned so much from our clients and have created a system that came out of their suggestions. For example, keeping all policies in one Step so you can easily scroll down to locate the one you need. Also, being able to view the state breach notification requirements. This is especially helpful for those practices that have multiple state locations or patients in more than one state. As we have been onboarding clients, we have had great feedback on the look and ease of use. Here is some information for your review.
Aris’ automated HIPAA system will enable your organization to maintain the HIPAA compliance documentation is an easy-to-follow format. As you know, it only takes one patient complaint, a disgruntled employee, or a data breach to start an investigation from the Office for Civil Rights (OCR) and they sometimes include the Office of Inspector General (OIG) and the Department of Justice (DOJ). Documentation is a main factor in avoiding a desk audit or passing an audit.
Our new system is better than ever, you have the ability to upload your own documents or implement and customize the ones that are included. Plus, as new rules and laws are introduced, we send out notifications of updates so you can review and approve the new policies. For instance, the Information Blocking rule is included, and we are watching for the other updates that are to follow. If you are not familiar with this, our new online HIPAA compliance system may be of interest to you.
Training your employees has never been easier, after you enter your employees during the onboarding process, you can send them to take an online HIPAA training course that is included. Once they complete the course, they will be required to take a short quiz and their certification of completion is conveniently stored within the system should you be audited.
The entire system educates the client every step of the way to ensure you understand what is required under HIPAA. If you have questions about HIPAA or need guidance, we offer a support ticketing system that is included with our monthly subscription.
Once you create your login, it is easy to navigate! In the Profile section, you will add employees, business associates, and electronic devices. You may use an excel spreadsheet to upload each section or enter individually. From here you can send employees the Confidentiality and Acceptable Use agreement via DocuSign to ensure employees understand what is acceptable and what is not permitted. If you do not have a business associate agreement in place will all your vendors, you have the option of sending one via DocuSign or printing a copy and sending one instead. The inventory list is a great way to keep track of which devices have had ePHI located on them, so you know the method to retire equipment when the time comes.
Step 1 – You will answer a series of questions to uncover risks and vulnerabilities. A risk management plan will be generated automatically that outlines what is needed to mitigate the vulnerabilities that were uncovered. You may modify what is recommended if you choose.
Step 2 – Security Incident Procedures and Breach Notification Plan. You will select which states your patients are located and the state law will automatically be populated. This plan also includes the links needed in the event of a data breach large or small.
Step 3 – You will be asked a series of questions about whether or not you have policies and procedures in place that meet the HIPAA Privacy and Security Rule requirements. Each policy will have a side note of education to ensure you understand what is required to be included. We suggest adopting the policies included and modify to meet your specific needs, then the policies are automatically dated and approved.
Step 4 – HIPAA Forms and Documentation. You may have forms you are already using; you may upload them to this Step to keep all your forms organized. There also many forms you may not be aware that is required under HIPAA, they are included and available for download in a Word format. You can customize them with your information and logo.
Step 5 – Business Associate agreements. During the creation of your profile, you are asked to add your business associates and upload any existing business associate agreements and HIPAA compliance documentation you may have. You have the option of sending a business associate a BA agreement via DocuSign or you may download a Word format and customize if needed. This is also useful if you have a Business Associate that uses Subcontractors, you would be able to use this document.
Step 6 – Contingency Plan. You may upload your own contingency plan, or you may choose to complete the one included in this Step.
Step 7 – This step contains a wealth of information. You can take a leisurely stroll to learn more about the HIPAA rules and other requirements that may affect your organization. You have the option to include which areas to include in your download. We also have a list of affiliates that you may need to complete your compliance requirements.
After you have completed the 7-Steps, you may simply download your package to share your policies and procedures with your employees.
To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:
Do you have all your HIPAA policies and procedures?
Have your employees completed HIPAA training?
Do you have all your Business Associate agreements in place?
If you are unsure about any of these questions, you may be exposed to potential fines by the Office of Civil Rights (OCR) should you become part of a HIPAA complaint or investigation by a disgruntled employee or patient.
Our online HIPAA Keeper™ is designed to educate and protect covered entities such as medical practices, dental practices, and chiropractors. We also have a system just for business associates. How does it work? Just sign-up, enter your employee and business associate information, answer a comprehensive questionnaire, then implement, generate, and download all your documents required under HIPAA law in one easy ZIP file each year. You are required by law to keep your documents for 6 years. Our document package includes employee confidentiality agreements and business associate agreements signed via DocuSign, or you may upload your own. The package also includes a risk management plan, certificates of completion for employee training, as well as all policies and procedures required for HIPAA compliance. There is no better or easier way to document and maintain your HIPAA Compliance history.
To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here: