HIPAA Compliance Officer Responsibilities

Most practices cannot afford to hire a dedicated HIPAA Compliance Officer, so practice owners often assign the HIPAA Compliance Officer responsibilities to their Office Manager or Practice Administrator. These responsibilities are much more than a title: the Compliance Officer creates, implements, maintains, and enforces the compliance program. Because that person was never trained as a Compliance Officer, HIPAA is often placed on the back burner. There is not enough time in the day to keep up with the "normal" work, and then they still need to address the elephant in the room called "HIPAA". The easiest way to manage this is to hire a HIPAA consulting company that will do the heavy lifting and be there to assist when needed. Policies, procedures, and documentation are the backbone of HIPAA compliance, and they must cover both the HIPAA Privacy Rule and the Security Rule. The rules also change, so you must keep your policies up to date. For example, the information blocking rules and their exceptions (from the 21st Century Cures Act) now apply alongside HIPAA, and a proposed rule would shorten the right of access deadline from the current 30 days to 15 days.

If you do not have a company to assist you, let Aris Medical Solutions offer you a complimentary consultation. We want to be your HIPAA partner!

Here are some areas that need to be implemented:

  1. Conduct a system-wide risk analysis covering the administrative, physical, and technical safeguards for every system that creates, receives, maintains, or transmits ePHI. Free tools are available to assist you (for example, the HHS Security Risk Assessment Tool), but keep in mind they are only a starting point: they do not include the remediation process, the policies and procedures, or the documentation forms.
  2. From the risk analysis, create a Risk Management Plan that documents how each identified risk is being mitigated and the reasonable and appropriate safeguards you already have in place. Keep it current as remediation items are closed; a plan that still lists last year's open findings is evidence against you, not for you.
  3. All entities (medical practices and business associates) that access or store Protected Health Information (PHI) must review audit logs, whether from their EHR/EMR software or from the devices and systems (workstations, servers, VPN, firewalls) that connect a user to Electronic Protected Health Information (ePHI). This is the Security Rule's audit controls standard (45 CFR 164.312(b)) together with its information system activity review requirement (45 CFR 164.308(a)(1)(ii)(D)). The purpose is to look for abnormal activity, which could be the result of a rogue employee (for example, browsing the records of patients they are not treating) or a cyber-attack (for example, a burst of failed logins followed by a successful one). Write down what you review, how often, and who signs off. This is a time-consuming task, and you may need to hire a third party to monitor these logs for you.
  4. Every practice must have a Breach Notification Plan and a Security Incident Form. Most importantly, you must have an Incident Response Team (IRT) in place that includes an IT professional, a forensic IT company, and a healthcare attorney along with your own personnel. After you suffer a data breach is not the time to put this team together; time is of the essence when notifying your patients. Federal law requires you to notify affected patients without unreasonable delay and no later than 60 calendar days after the breach is discovered, and a breach affecting 500 or more individuals must also be reported to HHS and to prominent media outlets within that same period. Some states are much more stringent, and because HIPAA does not preempt stricter state law, the shorter state deadline is the one you must meet. Some states also require that the State Attorney General be notified. Know your state law! For example, Florida state law requires notice within 30 days.
  5. Even if you use an IT vendor that is responsible for your data, you still need a documented contingency plan (data backup, disaster recovery, and emergency mode operation) for a disaster or data problem. You will work hand in hand with your vendor, but it is your responsibility to have the documentation available and to test the plan, not just write it. A backup that has never been restored is an assumption, not a safeguard.
  6. Medical practices that use the services of business associates are required under HIPAA to ensure the business associate is HIPAA compliant. Be sure to obtain a signed business associate agreement (BAA) with every vendor that creates, receives, maintains, or transmits protected health information (PHI). The agreement should include security requirements and information blocking criteria. If a practice does not have a BAA in place and the vendor causes a data breach, the practice may receive a fine for the violation. With a BAA in place, the practice may still bear the financial burden of the breach but may not receive a fine. We recommend a BAA with indemnification and a requirement that the business associate carry cyber liability insurance. Keep in mind that if your business associate uses subcontractors, the HIPAA rules apply to them as well, and the business associate must have its own BAA with each of them.
  7. The Compliance Officer will need to work with the IT department/vendor to map the flow of data in and out of your systems. With this information you can determine where ePHI is located, and your network configuration will define which technical safeguards need to be in place. Some of these are "required" under HIPAA and others are "addressable". Keep in mind that addressable does not mean optional: it means you must implement the safeguard if it is reasonable and appropriate for your data flow and the size of your organization, or document why an equivalent alternative measure was chosen instead. Although the Compliance Officer may not understand the technical details, the Compliance Officer is required to have the documentation. Decide, and document, what happens when computers and equipment are replaced: how ePHI is wiped or the media destroyed before the hardware leaves your control. Documentation includes reports from the IT department/vendor, which can be used to document the recognized security practices you have in place, such as status reports, access logs, security patch records, and an inventory of devices. For instance, encryption is an "addressable" rather than a "required" specification, but if your server, computer, or laptop is lost or stolen and it is not encrypted, that is a reportable breach and you could be faced with a $1.9M fine. If the device was encrypted in line with HHS guidance, the lost data is not "unsecured PHI" and the loss does not trigger breach notification, which is why encrypting every device that can hold ePHI is the cheapest safeguard you will ever buy.
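Item 3 above describes the review without showing what "abnormal activity" looks like in a log. The following is an added example, not code from the original article or from Aris Medical Solutions, of the kind of first-pass review a Compliance Officer or their IT vendor could run over an EHR audit export before a human reads the rest. The log layout (comma-separated: timestamp, user, action, patient id, workstation), the action names, the business hours and every threshold are assumptions for illustration; a real EHR's export will differ and the thresholds should be tuned to your practice. The sample log lines are constructed.

```python
"""Review EHR audit-log events for activity a HIPAA Compliance Officer should question.

Added illustration only. The log layout (comma-separated: timestamp, user,
action, patient_id, workstation) and every threshold below are assumptions,
not the export format of any real EHR.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not from a real system): one weekday of activity
# plus a VPN account that is attacked overnight.
SAMPLE_LOG = """\
2024-03-04T08:15:02,jdoe,VIEW,P1001,WS-FRONT-01
2024-03-04T08:17:44,jdoe,VIEW,P1002,WS-FRONT-01
2024-03-04T09:02:10,rnurse,VIEW,P1001,WS-EXAM-02
2024-03-04T12:40:31,rnurse,UPDATE,P1001,WS-EXAM-02
2024-03-04T23:12:05,jdoe,VIEW,P1003,WS-FRONT-01
2024-03-04T23:12:40,jdoe,VIEW,P1004,WS-FRONT-01
2024-03-04T23:13:09,jdoe,VIEW,P1005,WS-FRONT-01
2024-03-04T23:13:51,jdoe,VIEW,P1006,WS-FRONT-01
2024-03-04T23:14:30,jdoe,EXPORT,P1006,WS-FRONT-01
2024-03-05T03:01:00,billing,FAILED_LOGIN,,VPN-GW
2024-03-05T03:01:08,billing,FAILED_LOGIN,,VPN-GW
2024-03-05T03:01:15,billing,FAILED_LOGIN,,VPN-GW
2024-03-05T03:01:21,billing,FAILED_LOGIN,,VPN-GW
2024-03-05T03:01:30,billing,FAILED_LOGIN,,VPN-GW
2024-03-05T03:01:55,billing,LOGIN,,VPN-GW
"""

BUSINESS_HOURS = (7, 19)                    # assumed: 07:00-18:59, Monday to Friday
PHI_ACTIONS = {"VIEW", "UPDATE", "EXPORT", "PRINT"}
BULK_VIEW_LIMIT = 3                         # assumed: distinct patients in one after-hours day
FAILED_LOGIN_LIMIT = 5                      # assumed: failures per window
FAILED_LOGIN_WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Turn the raw export into event dicts; an empty patient field becomes None."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient, workstation = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "patient": patient or None,
                       "workstation": workstation})
    return events


def is_after_hours(ts):
    """Weekend, or a weekday hour outside BUSINESS_HOURS."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def review(events):
    """Return (user, reason) findings for a human to follow up on."""
    findings = []

    # 1. After-hours ePHI access, grouped per user and day so one late-night
    #    session yields one finding; many distinct patients in it is flagged too.
    after_hours = defaultdict(set)
    for e in events:
        if e["action"] in PHI_ACTIONS and is_after_hours(e["ts"]):
            after_hours[(e["user"], e["ts"].date())].add(e["patient"])
    for (user, day), patients in sorted(after_hours.items()):
        findings.append((user, f"after-hours ePHI access on {day}: {len(patients)} distinct patient(s)"))
        if len(patients) >= BULK_VIEW_LIMIT:
            findings.append((user, f"bulk record browsing after hours on {day}"))

    # 2. Every export is reviewed: it is how records leave the system.
    for e in events:
        if e["action"] == "EXPORT":
            findings.append((e["user"], f"export of {e['patient']} at {e['ts'].isoformat()} from {e['workstation']}"))

    # 3. Per account: a burst of failed logins inside a sliding window, and a
    #    successful login right after it (a password guess that worked).
    logins = defaultdict(list)
    for e in events:
        if e["action"] in ("FAILED_LOGIN", "LOGIN"):
            logins[e["user"]].append(e)
    for user, evs in logins.items():
        evs.sort(key=lambda e: e["ts"])
        window, burst = [], False
        for e in evs:
            window = [t for t in window if e["ts"] - t <= FAILED_LOGIN_WINDOW]
            if e["action"] == "FAILED_LOGIN":
                window.append(e["ts"])
                if len(window) >= FAILED_LOGIN_LIMIT and not burst:
                    findings.append((user, f"{len(window)} failed logins within {FAILED_LOGIN_WINDOW} from {e['workstation']}"))
                    burst = True
            elif burst and window:
                findings.append((user, f"successful login at {e['ts'].isoformat()} after a failed-login burst"))
                window, burst = [], False
    return findings


if __name__ == "__main__":
    for user, reason in review(parse_log(SAMPLE_LOG)):
        print(f"{user:10} {reason}")
```

On the sample data this produces five findings: three for jdoe (an after-hours session touching four patients, the bulk-browsing flag for that session, and the export) and two for billing (the failed-login burst and the success that followed it), while rnurse's daytime work on a single patient is left alone. Each finding is a question for a person to answer, not a verdict; the point of the documented review is that someone asked and recorded the answer.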


Many organizations have had a data breach or have been hit with ransomware. How likely is your staff to give out information? If a stranger walked up to you and asked you to verify your identity, would you give them any information? Of course not, but that is exactly what we do when we receive an email, text message, or phone call from someone, or somewhere, we trust to be legitimate. In the old Wild West you could see danger on the horizon and prepare. The world wide web is the new Wild West: the dangers are invisible, and the only way to prepare is to have processes in place before they arrive.

When a healthcare organization has a breach, it typically takes about two years for the Office for Civil Rights (OCR) to complete its investigation. During that time, the organization will be required to submit documentation on its data security and on what it will do to prevent this from happening again.

Now more than ever all organizations need to make sure their HIPAA Compliance Officer understands what is needed for data security. The FBI has stated cybercrime is on the rise. The hackers have become very sophisticated in their attacks!

The OCR is famous for saying: if it's not documented, it didn't happen and doesn't exist. Policies, procedures, and the records of actions taken under them must be retained for a minimum of six (6) years from the date they were created or last in effect, whichever is later. They can be stored digitally and do not need to be kept on paper.

Let’s all work together to keep patient data safe and secure. If you need assistance with HIPAA Compliance, check out our HIPAA Keeper. It’s an online compliance system that has everything you need to get compliant and stay compliant! Best of all you will have a HIPAA security analyst to guide you every step of the way!

For more information or to speak to someone about HIPAA Compliance call us at 877-659-2467 or use the contact us form.

“Simplifying HIPAA through Automation, Education, and Support”

Responsibilities of a HIPAA Compliance Officer

While the nation was shut down and people were suffering, hackers were busy at work. It is coming to light how many organizations have had a data breach and have been hit with ransomware.

Now more than ever all organizations need to make sure their HIPAA Compliance Officer understands what is needed for data security. The FBI has stated that cybercrime in 2020 has already surpassed 2019, and we still have a few months to go. The problem is that the hackers have become very sophisticated in their attacks. Whereas it used to be easy to spot a fake email, that is no longer the case. Between email and text efforts, they are gaining access to our information, and we are the ones permitting it. User credentials are also compromised and used to gain access to your network or to send false emails that gather personal information. These scams, known as business email compromise (BEC), typically involve a criminal who has taken over a legitimate email account. For example, a person receives a message that appears to be from someone within their organization or from a business associate they know. The message requests a payment, a wire transfer, a gift card purchase, or even a list of employees with Social Security numbers, and it looks legitimate. The Compliance Officer should be notified, and the request verified out of band, BEFORE it is completed: call the requester back on a number you already have on file, never one supplied in the message itself, since a criminal who controls the mailbox also controls any "confirmation" reply. Every office needs a verification process in place before releasing ANY data or money.

We have said this before… if a stranger walked up to you and asked you to verify your identity would you give them any information? Of course not, but that is exactly what we are doing when we receive an email or text message from someone or somewhere, we trust. Trust, but verify.

With more and more people working remotely, another vulnerability comes into focus: your vendors. Covered entities that use the services of business associates are required by HIPAA to ensure the business associate is in fact HIPAA compliant. The starting point is to ensure you have a business associate agreement (BAA) in place with all your vendors that create, receive, maintain, or transmit protected health information (PHI). This agreement should include security requirements to ensure they are protecting your patient data. If a covered entity does not have a BAA in place and the vendor causes a data breach, the covered entity will more than likely receive the fine. With a BAA in place, the covered entity still typically bears the financial burden of the breach but may not receive the fine. That is why a BAA should include indemnification and require the business associate to carry cyber liability insurance.

Recently, a business associate was fined $2.3 million for a data breach caused by a hacking incident. If the covered entities had not had BAAs in place, they could have been the ones receiving this hefty penalty. Also recently, an orthopedic clinic was fined $1.5 million after a journalist notified them that a database of their patient information was posted for sale online. For this reason, we recommend covered entities carry their own cyber liability policies as well. "Hacking is the number one source of large health care data breaches. Health care providers that fail to follow the HIPAA Security Rule make their patients' health data a tempting target for hackers," said OCR Director Roger Severino.

Many electronic and portable devices are used to process and store PHI. Anyone with access to such a device could potentially change its configuration, install malicious programs, alter information, or access information they are not authorized to see. Any of these actions can affect the integrity of patient information. HIPAA requires covered entities and their business associates to implement and follow policies and procedures that limit access to only those who are authorized, which in practice means unique user accounts, no shared logins, and access that is removed the day a person leaves.

Risk management should be at the top of everyone's list. Preventing data breaches and securing patient data is everyone's responsibility, but the OCR requires someone to be the point person, hence the HIPAA Security or Compliance Officer title. This responsibility is so much more than just a title. HIPAA Compliance Officers' responsibilities include creating, maintaining, and enforcing compliance, and that covers the staff, management, and even the medical providers. I hear too often that the compliance officer gets push back from the doctors or owners. This is so unfortunate since they are only trying to do their job that is required under state and federal law. They are the frontline defense in keeping your practice alive and well. The owners of the practice may suffer the financial loss, but sometimes everyone does if the practice closes. Let's all work together to keep patient data safe and secure.

To find out more about how our automated HIPAA compliance platform can help your organization click here:

https://arismedicalsolutions.com/aris-hipaa-service-automated-platform/

Or to schedule a demo click the contact us tab and scroll down.

©2024 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website are owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.