HIPAA Compliance Officer Responsibilities

Most practices cannot afford to hire a HIPAA Compliance Officer. So, practice owners often assign their Office Manager or their Practice Administrator for the HIPAA Compliance Officer Responsibilities. These responsibilities are so much more than just a title. Compliance Officers responsibilities include creating, implementing, maintaining, and enforcing compliance. Since they are not trained as a Compliance Officer, many times, HIPAA is placed on the back burner. There is not enough time in the day to keep up with the responsibilities of the “normal” work. Then they need to address the elephant in the room called “HIPAA”. The easiest way to manage this is to hire a HIPAA consulting company that will do the heavy lifting and be there to assist when needed. Policies, procedures, and documentation is the backbone of HIPAA compliance. This includes both the HIPAA privacy and security rules. Unfortunately, the rules can change. You must keep your policies up to date. For example, information blocking and exceptions have been added to the rules, and the right of access time limit may be reduced to 15 days.

If you do not have a company to assist you, let Aris Medical Solutions offer you a complimentary consultation. We want to be your HIPAA partner!

Here are some areas that need to be implemented:

  1. Conduct a system wide risk analysis. This will include administrative, physical, and technical safeguards. There are free tools available to assist you, but keep in mind this is only a starting point. These tools do not include the remediation processes, policies and procedures, and documentation forms.
  2. From the Risk Analysis, you will create a Risk Management Plan to document your mitigation process. This document will also include the reasonable and appropriate safeguards you have in place.
  3. All entities (medical practices and business associates) that access or store Protected Health Information (PHI) must monitor audit logs from either their EHR/EMR software or a device which connects a user to Electronic Protected Health Information (ePHI). The purpose behind this requirement is to look for abnormal activity. This abnormal activity could be the result of a rogue employee or a cyber-attack. This is a time-consuming task and you may need to hire a third party to monitor these logs for you.
  4. Every practice must have a Breach Notification Plan and Security Incident Form. Most importantly, you must have an IRT (Incident Response Team) in place that includes an IT Professional, a Forensic IT Company, and a Healthcare Attorney along with your own personnel. After you suffer from a Data Breach is not the time to put this team together. Time is of the essence when notifying your patients. Federal law states you have 60 days to notify your patients that are involved in a Data Breach. However, some states are much more stringent, therefore State law would overrule Federal law. Some states now even require the State Attorney General be notified as well. Know your state law! For example, Florida state law requires a 30-day notice.
  5. Even if you utilize an IT vendor that is responsible for your data, you will still need to have a contingency plan in place in the event of a disaster or data problem. You will work hand in hand with your vendor, but it is your responsibility to have the documentation available.
  6. Medical practices that utilize the services of business associates are required under HIPAA to ensure the business associate is HIPAA compliant. Be sure to obtain a signed business associate agreement (BAA) with all your vendors that create, receive, maintain, or transmit protected health information (PHI). This agreement should include security requirements and information blocking criteria. If a practice does not have a BAA in place and the vendor causes a data breach, the practice may receive a fine for the violation. With a BAA in place, the practice may bear the financial burden of the breach but may not receive a fine. We recommend a BAA with indemnification and requirement that the business associate carry cyber liability insurance. Keep in mind, if your business associate utilizes subcontractors, the HIPAA rules apply to them as well.
  7. The Compliance Officer will need to work with their IT department/vendor to determine the flow of data in and out of your systems. With this information you will be able to determine where ePHI is located. Your network configuration will define which technical safeguards need to be in place. Some of these are “required” under HIPAA and others are “addressable”. Keep in mind, addressable does not mean optional. It means that you must have reasonable and appropriate safeguards in place based on your data flow and size of your organization. Although the Compliance Officer may not understand the technical requirements, it is required for the Compliance Officer to have the documentation. Also, what procedures and documentation will be needed when it is time to replace computers and equipment. Documentation includes reports from the IT department/vendor. These reports can be utilized to document the recognized security practices you have in place such as: status reports, access logs, security patches, and an inventory of devices. For instance, even though encryption is not a “required” security standard, if your server, computer, or laptop is lost or stolen and it is not encrypted, you could be faced with a $1.9M fine.

Policies, procedures, and documentation are the backbone of HIPAA compliance.

This includes both the HIPAA privacy and security rules. Unfortunately, the rules can change. You must keep your policies up to date.

Many organizations have had a data breach or have been hit with ransomware. How likely is your staff to give out information? If a stranger walked up to you and asked you to verify your identity, would you give them any information? Of course not, but that is exactly what we are doing when we receive an email, text message, or phone call from someone or somewhere, we trust that it is legitimate. In the old wild wild west, you could see danger on the horizon and prepare. The world wide web (WWW) is the new wild wild west, now dangers are invisible, and you have no way to prepare unless you have processes in place.

When a healthcare organization has a breach, it typically takes about 2 years for the Office for Civil Rights to complete their investigation. During that time, the organization will be required to submit documentation on their data security and what they will do to prevent this from happening in the future.

Now more than ever all organizations need to make sure their HIPAA Compliance Officer understands what is needed for data security. The FBI has stated cybercrime is on the rise. The hackers have become very sophisticated in their attacks!

The OCR is famous for saying… If it’s not documented, it didn’t happen and doesn’t exist. Documentation must be stored for a minimum of six (6) years; however, it can be digitally stored and not necessarily on paper.

Let’s all work together to keep patient data safe and secure. If you need assistance with HIPAA Compliance, check out our HIPAA Keeper. It’s an online compliance system that has everything you need to get compliant and stay compliant! Best of all you will have a HIPAA security analyst to guide you every step of the way!

For more information or to speak to someone about HIPAA Compliance call us at 877.659-2467 or use the contact us form.

“Simplifying HIPAA through Automation, Education, and Support”

HIPAA and Emergencies – How to Respond

First, I hope that all of you and your loved ones are safe. Fiona and Ian have affected many places, and many have suffered so much. Prayers for all…

HIPAA Applies Only to Covered Entities and Business Associates

The HIPAA Privacy Rule applies to disclosures made by employees, volunteers, and other members of a covered entity’s or business associate’s workforce. Business associates also include subcontractors that create, receive, maintain, or transmit protected health information on behalf of another business associate. The Privacy Rule does not apply to disclosures made by entities or other persons who are not covered entities or business associates. The HIPAA Privacy Rule does not restrict the American Red Cross from sharing patient information. Keep in mind, there may be other state or federal rules that apply.

HIPAA requires every healthcare facility and business associate to have a Contingency plan in place. Disasters come in a variety of circumstances and additional challenges on health care providers. Questions often arise about the HIPAA regulations to share PHI with friends and family, public health officials, and emergency personnel. The HIPAA Privacy Rule allows patient information to be shared to assist in disaster relief efforts, and to assist patients in receiving the care they need. Keep in mind the HIPAA Privacy Rule is not suspended during a public health or other emergency, however, the Secretary of Health and Human Services may waive certain provisions of the Privacy Rule under section 1135(b)(7) of the Social Security Act.

Under these circumstances, the Secretary also has the authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:

  • the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care.
  • the requirement to honor a request to opt out of the facility directory.
  • the requirement to distribute a notice of privacy practices.
  • the patient’s right to request privacy restrictions.
  • the patient’s right to request confidential communications.

When the Secretary issues such a waiver, it only applies:

(1) in the emergency area and for the emergency period identified in the public health emergency declaration

(2) to hospitals that have instituted a disaster protocol

(3) for up to 72 hours from the time the hospital implements its disaster protocol. When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours has not elapsed since implementation of its disaster protocol.

HIPAA Privacy and Disclosures in Emergency Situations

Under the HIPAA Privacy Rule, a waiver is not required to share protected health information (PHI) for the following purposes and under the following conditions.

Treatment

Covered entities may disclose, without a patient’s authorization, PHI about the patient as necessary to treat the patient. Treatment includes the coordination or management of health care and related services by one or more health care providers and others, consultation between providers, and the referral of patients for treatment.

Public Health Activities

The HIPAA Privacy Rule recognizes the need for public health authorities and others responsible for ensuring public health and safety to have access to protected health information that is necessary to carry out their public health mission. Therefore, the Privacy Rule permits covered entities to disclose needed PHI without an authorization, for example:

  • To a public health authority, A “public health authority” is an agency or authority of the United States government, a State, a territory, a political subdivision of a State or territory, or Indian tribe that is responsible for public health matters as part of its official mandate, as well as a person or entity acting under a grant of authority from, or under a contract with, a public health agency. For example: Centers for Disease Control and Prevention (CDC) or a state or local health department.
  • At the direction of a public health authority, to a foreign government agency that is acting in collaboration with the public health authority.
  • To persons at risk of contracting or spreading a disease or condition if other law, such as state law, authorizes the covered entity to notify such persons as necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations.

Minimum Necessary

A covered entity must make reasonable efforts to limit the information disclosed to that which is the “minimum necessary” to accomplish thepurpose.

Disclosures to Family, Friends, and Others Involved in an Individual’s Care and for Notification

A covered entity may share PHI with a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care.

  • The covered entity should get verbal permission from individuals or otherwise be able to reasonably infer that the patient does not object, when possible.
  • If the person is incapacitated or not available, covered entities may share information for these purposes if, in their professional judgment, doing so is in the patient’s best interest.
  • For patients who are unconscious or incapacitated: A health care provider may share relevant information about the patient with family, friends, or others involved in the patient’s care or payment for care, if the health care provider determines, based on professional judgment, that doing so is in the best interests of the patient.

A covered entity may share PHI with disaster relief organizations such as the American Red Cross, that are authorized by law to assist in disaster relief efforts, for the purpose of coordinating the notification of family members or other persons involved in the patient’s care. A patient’s permission is not required in this situation if doing so would interfere with the organization’s ability to respond to the emergency.

Imminent Danger

HIPAA expressly defers to the professional judgment of health care professionals in making determinations about the nature and severity of the threat to health or safety. Covered entities may share PHI with anyone to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s standards of ethical conduct.

Disclosures to the Media or Others Not Involved in the Care of the Patient/Notification

Upon request for information about a particular patient by name, a hospital or other health care facility may release limited facility directory information to acknowledge an individual is a patient at the facility and provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released) if the patient has not objected to or restricted the release of such information or, if the patient is incapacitated, if the disclosure is believed to be in the best interest of the patient. Reports to the media about an specific patient, or the disclosure of specific information about treatment of a specific patient, such as tests, test results, or details of a patient’s illness, may not be done without the patient’s written authorization (or the written authorization of a personal representative, who is a person legally authorized to make health care decisions for the patient).

Business Associates

A business associate of a covered entity (including a business associate that is a subcontractor) may make disclosures permitted by the Privacy Rule, such as to a public health authority, on behalf of a covered entity or another business associate to the extent authorized by its business associate agreement.

Safeguarding Patient Information

In an emergency, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures. Covered entities (and their business associates) must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information. Safeguard all patient information as if it were your own.

If there are other areas that you have questions, please do not hesitate to contact us!

To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:

https://arismedicalsolutions.com/aris-hipaa-compliance-system-for-medical-offices/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

HIPAA Privacy Facts for Medical Offices

There has been some confusion about when and how to share patient information. I thought it might be a good time to review some of the facts from the HIPAA Privacy and Security Rules.

Here are some highlights:

  1. The Privacy Rule does not require a signed consent form before sharing information for treatment.
  2. Medical providers can share information for treatment purposes without a signed patient authorization.
  3. The Privacy Rule permits communication with patients, providers, and others by e-mail, telephone, or facsimile, with the implementation of safeguards to protect patient privacy. During your risk analysis you will have discovered how data flows in and out of your network so you can apply reasonable and appropriate safeguards.
  4. Medical providers may use remote communication technologies to provide telehealth services, including audio-only services, in compliance with the HIPAA Privacy Rule.
  5. HIPAA requires reasonable safeguards to protect the privacy of protected health information (PHI) from impermissible uses or disclosures, including when providing telehealth services.
  6. Medical providers may offer audio-only telehealth services using remote communication technologies consistent with the requirements of the HIPAA Rules, regardless of whether any health plan covers or pays for those services.
  7. The HIPAA Security Rule does not apply to audio-only telehealth services provided by a covered entity that is using a standard telephone line. Keep in mind traditional landlines are being replaced with Voice over Internet Protocol (VoIP) and mobile technologies that use the Internet, cellular, and Wi-Fi. Medical providers using telephone systems that transmit ePHI need to apply the HIPAA Security Rule safeguards to those technologies.
  8. Medical providers must enter into a business associate agreement (BAA) with a telecommunication service provider (TSP) only when the vendor is acting as a business associate.
  9. If using a telephone to communicate with patients, a BAA is not required with a TSP that has only transient access to the PHI it transmits, because the vendor is acting merely as a conduit for the PHI.
  10. The Privacy Rule does not cut off all communications between medical providers and the families and friends of patients. If the patient does not object, you may:
    • share needed information with family, friends, or anyone else a patient identifies as involved in his/her care.
    • disclose information when needed to notify a family member or anyone responsible for the patient’s care about the patient’s location or general condition.
    • share the appropriate information for these purposes even when the patient is incapacitated if doing so is in the best interest of the patient.
  11. Medical providers may report child abuse or neglect to appropriate government authorities. 
  12. Patient right of access is another area that has been confusing for medical practices. When possible, you should obtain the request for medical records in writing. However, you may not require a patient to come to the office to complete the authorization if it would cause a hardship, or if they do not have access to email or a fax machine. You must still verify that the person requesting the information has the right to do so. You may do this by asking verification questions and/or calling them back at the number you have on file.

If there are other areas that you have questions about please do not hesitate to contact us!

To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:

https://arismedicalsolutions.com/aris-hipaa-compliance-system-for-medical-offices/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

HIPAA changes and updates for 2022-2023

Since HIPAA’s inception there have been several updates over the years. As technology changes, so must some the of HIPAA rules. We have not seen any major changes since 2013 when the Omnibus Rule gave HIPAA teeth and enforcement became real.

During 2019 the United States Department of Health and Human Services (HHS) had requested comments on 54 questions from providers. In December 2020 HHS issued a Notice of Proposed Rulemaking that outlined several changes to the HIPAA Privacy Rule based on the response they received in 2019. In 2021 HHS again requested comments on the proposed HIPAA changes, however the Final Rule has not been published yet.

The Office for Civil Rights (OCR) has been implementing many files for violations of the HIPAA Right of Access when access to medical records in the designated record set is not provided in a timely manner. With these new proposed changes, the time frame maybe reduced. 

The proposed changes strengthen the requirements for providers to offer patients access to their PHI. This also includes data sharing between facilities, technology partners, and mobile apps. 

Some of these changes to HIPAA in 2022 are likely to be implemented, but it may take until 2023 for those changes to become enforceable. We will be updating our policies to reflect these changes. At that time, you will receive an email from Aris requesting to review and approve changes and/or new policies. It is suggested to review these changes and update your staff. Many of these changes will directly affect how they interact with your patients.

We are updating our HIPAA training to include the new rules to ensure all staff members understand these changes. We will be dividing the training into two sessions since there is so much to cover. One session will cover the Privacy Rule and the other session will discuss the Security Rule. This will help educate everyone on the new rules and protect your practice. 

The proposed updates to the HIPAA Privacy Rule are as follows:

  • individuals’ rights to inspect their PHI in person, which includes taking notes or capturing images of their PHI;
  • shortening covered entities’ required response time to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension);
  • clarifying the form and format required for responding to individuals’ requests for their PHI, including when business associates are involved;
  • requiring covered entities to inform individuals that they retain their right to obtain or direct copies of PHI to a third party when a summary of PHI is offered in lieu of a copy;
  • reducing the identity verification burden on individuals exercising their access rights;
  • creating a pathway for individuals to direct the sharing of PHI in an EHR among covered health care providers and health plans, by requiring covered health care providers and health plans to submit an individual’s access request to another health care provider and to receive back the requested electronic copies of the individual’s PHI in an EHR;
  • requiring covered health care providers and health plans to respond to certain records requests received from other covered health care providers and health plans when directed by individuals pursuant to the right of access;
  • limiting the individual right of access to direct the transmission of PHI to a third party to electronic copies of PHI in an EHR; 
  • specifying when electronic PHI (ePHI) must be provided to the individual at no charge;
  • amending the permissible fee structure for responding to requests to direct records to a third party; and
  • requiring covered entities to post estimated fee schedules on their websites for access and for disclosures with an individual’s valid authorizationand, upon request, provide individualized estimates of fees for an individual’s request for copies of PHI, and itemized bills for completed requests.

Amending the definition of health care operations to clarify the scope of permitted uses and disclosures for individual-level care coordination and case management that constitute health care operations. 

  • Creating an exception to the “minimum necessary” standard for individual-level care coordination and case management uses and disclosures. The minimum necessary standard generally requires covered entities to limit uses and disclosures of PHI to the minimum necessary needed to accomplish the purpose of each use or disclosure. This proposal would relieve covered entities of the minimum necessary requirement for uses by, disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management activities with respect to an individual, regardless of whether such activities constitute treatment or health care operations.
  • Clarifying the scope of covered entities’ abilities to disclose PHI to social services agencies, community-based organizations, home and community based service (HCBS) providers,and other similar third parties that provide health-related services, to facilitate coordination of care and case management for individuals.
  • Replacing the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their “professional judgment” with a standard permitting such uses or disclosures based on a covered entity’s good faith belief that the use or disclosure is in the best interests of the individual. The proposed standard is more permissive in that it would presume a covered entity’s good faith, but this presumption could be overcome with evidence of bad faith.
  • Expanding the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is “serious and reasonably foreseeable,” instead of the current stricter standard which requires a “serious and imminent” threat to health or safety.
  • Eliminating the requirement to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s Notice of Privacy Practices (NPP).
  • Modifying the content requirements of the NPP to clarify for individuals their rights with respect to their PHI and how to exercise those rights.
  • Expressly permitting disclosures to Telecommunications Relay Services (TRS) communications assistants for persons who are deaf, hard of hearing, or deaf-blind, or who have a speech disability, and modifying the definition of business associate to exclude TRS providers.
  • Expanding the Armed Forces permission to use or disclose PHI to all uniformed services, which then would include the U.S. Public Health Service (USPHS) Commissioned Corps and the National Oceanic and Atmospheric Administration (NOAA) Commissioned Corps.

Effective and Compliance Dates

The effective date of a final rule would be 60 days after publication. Covered entities and their business associates would have until the “compliance date” to establish and implement policies and practices to achieve compliance with any new or modified standards. The Department of Health and Human Services (HHS) previously noted that the 180-day general compliance period for new or modified standards would not apply where a different compliance period is provided in the regulation for one or more provisions. 

HHS requested comment on whether the 180-day compliance period is sufficient for covered entities and business associates to revise existing policies and practices and complete training and implementation. For proposed modifications that would be difficult to accomplish within the 180-day timeframe, the HHS requests information about the types of entities and proposed modifications that would necessitate a longer compliance period, how much longer such compliance period would need to be to address such issues, as well as the complexity and scope of changes and the impact on entities and individuals of a longer compliance period.

To give you some idea of how serious this can be, see below the tiered penalty structure:

Tier 1: Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA and had reasonably tried to adhere to the HIPAA rules: $100 per violation, with an annual maximum of $25,000. 

Tier 2: HIPAA violation due to reasonable cause and should have been aware (but was not due to willful neglect), even with the HIPAA rules they had in place: $1,000 per violation, with an annual maximum of $100,000.

Tier 3: HIPAA violation due to willful neglect of the HIPAA rules, but violation is corrected within the required time period: $10,000 per violation, with an annual maximum of $250,000.

Tier 4: HIPAA violation is due to willful or wanton neglect and no attempt to correct: $50,000 per violation, with an annual maximum of $1.5 million.

HIPAA has teeth and the Office for Civil Rights (OCR) is heavily enforcing fines against violations. Let’s work together to avoid this! 

To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:

https://arismedicalsolutions.com/aris-hipaa-compliance-system-for-medical-offices/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

Information Blocking Rule – Best practices to prepare now

It is the start of a new year and one thing we know for sure; nothing stays the same. Rules change, technology changes, and we must keep up. We wrote about the new Information Blocking Rule last July, but we have found many practices still do not understand what this means to them.

When the EHR Meaningful Use criteria was introduced in 2013, CMS stated that practices did not have to implement specific technology if a patient requested their information in a format that they did not have in place. This has all changed with the Information Blocking Rule that was passed in 2021. Part of the Interoperability Standard requires medical providers and health information companies to share patient data upon patient request. This Rule makes it very clear when it comes to patients and the control they have over their information. This is also known as “right of access”.

In the past EHRs was hesitant to open their portals due to security issues. Now, it is required to have security measures in place and share the data. There are some exceptions, but be forewarned, they are vague, and could be misinterpreted.

Penalty guidelines are in place for IT operators and health information companies, they are still working on the guidelines for medical providers. This gives you a limited amount of time to get ready for heavy enforcement.

Patients are now permitted to request their information be made available in the format of their choice. This includes to a third-party app installed on their mobile devices. These apps should protect patient data by supporting secure access through authentication processes similar to what the financial industries use.

When a patient makes a request and you do not have the technology in place to grant their request, you are obligated to comply with their request if possible or contact your technology vendors to see if this can be accomplished. If you do not, this could be considered Information Blocking. We recommend contacting your EHR and starting a conversation with them to ensure they are working on interfaces with other EHRs and some of the most common mobile apps.

There are some companies working on this technology, from what I have heard, they are limited. I am sure more will be adding this service as we progress. Before you hire a company to “develop” an interface for you, read below.

NOTE: If a patient requests their medical provider to share their information with another entity that is not a covered entity or a business associate, the information is not subject to the HIPAA rules. For example, the covered entity would not have HIPAA responsibilities or liability if such an app that the patient designated to receive their ePHI later experiences a breach. If a patient requests a covered entity to send their ePHI using an unsecure method the covered entity must grant the disclosure if it is readily available in the form and format used by the app. However, it is highly recommended to advise the patient of the lack of security so they can make an informed decision.

On the other hand, if the app was developed for, or provided by or on behalf of the covered entity and it creates, receives, maintains, or transmits ePHI on behalf of the covered entity, the covered entity could be liable under the HIPAA Rules for a subsequent impermissible disclosure because of the business associate relationship between the covered entity and the app developer. For example, if the patient selects an app that the medical provider uses to provide services to their patients involving ePHI, the medical provider may be subject to liability under the HIPAA Rules if the app impermissibly discloses the ePHI received. If you choose to develop or work with a company that has developed an app, be sure to obtain a BA agreement and review their technology security to ensure they are following the HIPAA requirements.

As we venture into this new territory, there will bad actors trying to “jump” on the healthcare wagon. As always, do your research before using any new applications or vendors. Ask your colleagues and most of all, check out their credentials.

To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:

https://arismedicalsolutions.com/aris-hipaa-compliance-system-for-medical-offices/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

More fines for Providers for not providing timely right of access

Medical professionals have had a rough year and a half. This has been trying times for so many and we have had to learn to adapt to new ways of running practices. I was hoping to be able to share some good news during this time of thankfulness and joyous season, but the Office for Civil Rights do not take breaks… This is not meant to be disrespectful but to inform you that when a patient files a complaint, the OCR takes that seriously and will open an investigation. So, during this holiday season, please stay vigilant to patient requests. Be sure to have the patient make the request in writing and no sticky notes allowed! DOCUMENTATION is your friend, not your enemy. Make sure this task is completed in a timely manner. These forms are included in your HIPAA compliance program if you do not have one already in use.

The Office for Civil Rights is VERY interested in how timely you answer a patient’s request to access their medical records. This is known as “Right of Access”. A patient has the “right” to request a copy of their medical records and this should be provided within 30 days, or if additional time is needed, a 30-day extension may be permitted if the patient has been notified of the reason and the delay with a date that the records will be made available.

In September the OCR announced the twentieth settlement for right of access violations. Earlier this month, they announced five more.

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced the resolution of five investigations in its Health Insurance Portability and Accountability Act (HIPAA) Right of Access Initiative, bringing the total number of these enforcement actions to twenty-five since the initiative began.  OCR created this initiative to support individuals’ right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule.

HIPAA gives people the right to see and get copies of their health information from their healthcare providers and health plans.  After receiving a request, an entity that is regulated by HIPAA has, absent an extension, 30 days to provide an individual or their representative with their records in a timely manner.

“Timely access to your health records is a powerful tool in staying healthy, patient privacy and it is your right under law,” said OCR Director Lisa J. Pino. “OCR will continue its enforcement actions by holding covered entities responsible for their HIPAA compliance and pursue civil money penalties for violations that are not addressed.”

OCR has taken the following enforcement actions that underscore the importance and necessity of compliance with the HIPAA Right of Access:

  • Advanced Spine & Pain Management (ASPM), which provides management and treatment of chronic pain services in Cincinnati and Springboro, Ohio, has agreed to take corrective actions that include two years of monitoring, and has paid OCR $32,150 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
  • Denver Retina Center, a provider of ophthalmological services in Denver, CO, has agreed to take corrective actions that includes one year of monitoring and has paid OCR $30,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
  • Dr. Robert Glaser, a cardiovascular disease and internal medicine doctor in New Hyde Park, NY, did not cooperate with OCR’s investigation or respond to OCR’s data requests after failing to provide a patient with a copy of their medical record.  Dr. Glaser waived his right to a hearing and did not contest the findings of OCR’s Notice of Proposed Determination.  Accordingly, OCR closed this case by issuing a civil money penalty of $100,000.
  • Wake Health Medical Group, a provider of primary care and other health care services in Raleigh, NC, has agreed to take corrective actions and has paid OCR $10,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.

There are many other fines being assessed that can be reviewed on the HHS/OCR website. This is not meant to scare you but rather inform you what they are doing so you can stay safe and prosperous.

All of us at Aris Medical Solutions want to wish everyone a safe and wonderful holiday season. We do not take breaks either, we are here to help you! 

To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:

https://arismedicalsolutions.com/aris-hipaa-compliance-system-for-medical-offices/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

HIPAA Requirements and Software updates

Many medical providers are so busy trying to run a successful practice they sometimes forget the “technical” side of their business. Hackers know this and capitalize on it. Lately in the news, we have heard about Microsoft and Apple vulnerabilities that have been exploited by spammers and hackers. Therefore, it is SO important to stay on top of technology updates!

Most practices utilize an IT company of some sort, we recommend an IT company that specializes in network security. We do not recommend the practice trying to do this themselves unless the person assigned to the task is well versed in data security.

The Office for Civil Rights recommends an annual HIPAA risk analysis be conducted because technology changes so fast, by the time you implement a new system, an update is probably available. Speaking of the Office for Civil Rights, over the last few years, they have added hundreds of new auditors and now they are advertising for multiple new attorneys to enforce HIPAA. “Who May Apply: This vacancy announcement is open to all US Citizens and may be used to fill multiple positions”.

We have an automated HIPAA Compliance platform to help medical practices and their business associates with the daunting task up updating HIPAA compliance. To learn more about why you should and how to protect your data, read more below.

Over the last 12 years we have learned so much from our clients and have created a system that came out of their suggestions. For example, keeping all policies in one Step so you can easily scroll down to locate the one you need. Also, being able to view the state breach notification requirements. This is especially helpful for those practices that have multiple state locations or patients in more than one state. As we have been onboarding clients, we have had great feedback on the look and ease of use. Here is some information for your review.

Aris’ automated HIPAA system will enable your organization to maintain the HIPAA compliance documentation is an easy-to-follow format. As you know, it only takes one patient complaint, a disgruntled employee, or a data breach to start an investigation from the Office for Civil Rights (OCR) and they sometimes include the Office of Inspector General (OIG) and the Department of Justice (DOJ). Documentation is a main factor in avoiding a desk audit or passing an audit.

Our new system is better than ever, you have the ability to upload your own documents or implement and customize the ones that are included. Plus, as new rules and laws are introduced, we send out notifications of updates so you can review and approve the new policies. For instance, the Information Blocking rule is included, and we are watching for the other updates that are to follow. If you are not familiar with this, our new online HIPAA compliance system may be of interest to you.

Training your employees has never been easier, after you enter your employees during the onboarding process, you can send them to take an online HIPAA training course that is included. Once they complete the course, they will be required to take a short quiz and their certification of completion is conveniently stored within the system should you be audited.

The entire system educates the client every step of the way to ensure you understand what is required under HIPAA. If you have questions about HIPAA or need guidance, we offer a support ticketing system that is included with our monthly subscription.

Once you create your login, it is easy to navigate! In the Profile section, you will add employees, business associates, and electronic devices. You may use an excel spreadsheet to upload each section or enter individually. From here you can send employees the Confidentiality and Acceptable Use agreement via DocuSign to ensure employees understand what is acceptable and what is not permitted. If you do not have a business associate agreement in place will all your vendors, you have the option of sending one via DocuSign or printing a copy and sending one instead. The inventory list is a great way to keep track of which devices have had ePHI located on them, so you know the method to retire equipment when the time comes.

Step 1 – You will answer a series of questions to uncover risks and vulnerabilities. A risk management plan will be generated automatically that outlines what is needed to mitigate the vulnerabilities that were uncovered. You may modify what is recommended if you choose.

Step 2 – Security Incident Procedures and Breach Notification Plan. You will select which states your patients are located and the state law will automatically be populated. This plan also includes the links needed in the event of a data breach large or small.

Step 3 – You will be asked a series of questions about whether or not you have policies and procedures in place that meet the HIPAA Privacy and Security Rule requirements. Each policy will have a side note of education to ensure you understand what is required to be included. We suggest adopting the policies included and modify to meet your specific needs, then the policies are automatically dated and approved.

Step 4 – HIPAA Forms and Documentation. You may have forms you are already using; you may upload them to this Step to keep all your forms organized. There also many forms you may not be aware that is required under HIPAA, they are included and available for download in a Word format. You can customize them with your information and logo.

Step 5 – Business Associate agreements. During the creation of your profile, you are asked to add your business associates and upload any existing business associate agreements and HIPAA compliance documentation you may have. You have the option of sending a business associate a BA agreement via DocuSign or you may download a Word format and customize if needed. This is also useful if you have a Business Associate that uses Subcontractors, you would be able to use this document.

Step 6 – Contingency Plan. You may upload your own contingency plan, or you may choose to complete the one included in this Step.

Step 7 – This step contains a wealth of information. You can take a leisurely stroll to learn more about the HIPAA rules and other requirements that may affect your organization. You have the option to include which areas to include in your download. We also have a list of affiliates that you may need to complete your compliance requirements.

After you have completed the 7-Steps, you may simply download your package to share your policies and procedures with your employees.

To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:

https://arismedicalsolutions.com/aris-hipaa-compliance-system-for-medical-offices/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

Security Rule requirements, Part 4, Evaluations 45 CFR § 164.308(a)(8)

Many practices think once they have conducted a risk analysis, they are done with their HIPAA compliance efforts. Unfortunately, a risk analysis is just the beginning! You must document your ongoing HIPAA efforts through evaluations.

45 CFR § 164.308(a)(8) Evaluation – HIPAA requires organizations to review technical and non-technical aspects of their compliance efforts based on their original risk analysis. These evaluations could be based on operational or environmental changes that affect the security of ePHI.

Setting a time frame in which to perform your evaluations will be essential in determining if you are adequately protecting ePHI. Organizations may perform these processes annually or as needed (e.g., bi-annual or every 3 years) depending on circumstances of their environment. An annual evaluation is recommended due the ever-changing world of technology. As software/hardware are outdated or replaced, the new devices must be reviewed to ensure they are HIPAA compliant and installed properly. Of course, if you have a major change in your organization or a data breach you may need to reorganize your quarterly plans and conduct a new risk analysis. Keep in mind, should you suffer a data breach and you have not updated your risk analysis and a vulnerability is discovered; you could be heavily fined. It is important to know if the security plans and procedures you have implemented continue to adequately protect ePHI. Some organizations do not understand the need in hiring an IT vendor with the thoughts they can do this themselves. Depending on the services that are being offered, you could be making a huge mistake. An IT vendor that specializes in data security for healthcare is essential in protecting your data and your assets.

We recommend reviewing certain aspects each quarter of each year. For instance, the first quarter review your Risk Management Plan to ensure everything is documented. It may not be necessary to update your Breach Notification Plan, but we suggest reading it to remind yourself what to do in the event of a data breach.

The second quarter would be a good time to review your Contingency Plan and make any updates. You may need to request additional information from your IT department or vendor.

 

The third quarter review your HIPAA Privacy Rule Policies, Procedures and Documentation. Most of these will not need any updates, but as always, it is recommended to review them, just in case something has changed.

 

The fourth quarter review your HIPAA Security Rule Policies, Procedures and Documentation. As in the privacy section, you may not need to update very many, but it is required under HIPAA to review them. Pay close attention to the Technical Safeguards section, as this may be where changes need to be made.

We also recommend reviewing your insurance policies and vendor contracts at least 60-90 days before they renew. This should give you ample time to review and decide if you have adequate coverage. This includes medical malpractice, life, and disability for key personnel. We also suggest reviewing your contract with your IT vendor at least 90 days before the contract terminates, some vendors add stipulations in the contract that automatically locks you in an additional year.

Cyber/breach insurance should be reviewed with an agent that specializes in this type of coverage; the average policy may not be enough to protect you.

 

Aris has been busy creating an automated HIPAA compliance package. With the new program, you will be able to update your plan and your policies quickly and easily. With the documentation within the system, you will be able to demonstrate your on-going HIPAA compliance efforts. Watch for the launch annoucement!

 

If you need assistance with Risk Management or guidance with your HIPAA Compliance, contact us at 877.659.2467 or complete the contact us form.

 

“Simplifying HIPAA through Partnership, Education, and Support”

Cosmetic Practice Fined – No one is immune from HIPAA

April 15, 2021

By Suze Shaffer | Aris Medical Solutions

Recently a cosmetic practice was fined $30,000 to settle potential HIPAA Privacy Rule violations. In the past many practices believed if they did not accept insurance payments (considered as a “transaction” under HIPAA), they were immune from the privacy rule. This may not be the case. There is a section in the rule that states “Other transactions that the Secretary may prescribe by regulation”.  HIPAA compliance is a balancing act, are you willing to lose $30K of your hard-earned money to test the system?

This investigation started with a compliant from a patient that had requested their medical record and did not receive them in a timely manner. Under the HIPAA Privacy Rule, the provider must respond to a patient’s request for access no later than 30 calendar days after the request. If the covered entity is not able to act within this timeframe, the entity may have up to an additional 30 calendar days if they provide the individual (within the initial 30-day period) with a written statement for the reason of the delay and include a date when the entity will have the information available. See 45 CFR §164.524(b)(2). Unfortunately for this practice, this was not handled in a timely manner. Therefore, an investigation was launched.

Let us review how this happens.

Once a complaint is filed to the Office for Civil Rights (OCR), the OCR will determine if the complaint falls within their duties to investigate. Once an investigation has been opened, the OCR will contact the practice for their documentation surrounding the incident. Depending on the documentation that is submitted will determine if a desk audit is warranted. Therefore, documentation is SO important, you may be able to avoid a desk audit if you supply the appropriate documents.

During a desk audit more than likely, you will be asked for documentation of what preventative measures you had in place before the incident and what you have implemented to prevent this from happening again. While you are being investigated the OCR may also review your compliance in other areas. If they find discrepancies, you could be fined for those as well. HIPAA encompasses a large range of requirements. Patient privacy, patient rights, and data security to name a few. I will not go into detail during this notification since we are sharing the security rule requirements in other messages.

Each resolution agreement that is issued by the HHS/OCR outlines the deficiencies they uncover. Most of them include the lack of a risk analysis, risk management, training, business associate agreements, and policies and procedures. During this investigation, other violations were uncovered and included the social security act was named in the resolution agreement: Section 1128A of the Social Security Act (42 U.S.C. § 1320a- 7a) a.

From this, I hope you can understand the importance of HIPAA compliance. Because one simple oversight can cause this much heartache. Patient privacy, patient rights, and data security is as important as caring for your patients. We have just learned that any entity that has patient data can be investigated and fined for violations under HIPAA.

Tell your friends and colleagues to ensure everyone understands no one is immune from HIPAA if you have patient data. Fines are fierce and not worth taking a chance by thinking “it won’t happen to me”.

If you need assistance with HIPAA Training, Risk Management, or guidance with your HIPAA Compliance contact us at 877.659.2467 or complete the contact us form. 

 

“Simplifying HIPAA through Partnership, Education, and Support” 

Workstation Security

HIPAA Compliance is more than just about a patient’s right to access their information. Although the HIPAA Privacy Rule is how most of this began, it is so much more now! The HIPAA Security Rule outlines administrative safeguards, physical, and technical security. Most organizations are so busy trying to figure out how to protect themselves from the unknown (technical concerns) that they forget about the actual physical security. We are not just talking about building security systems, but how you secure the individual devices that are utilized within your facility and those who travel with portable devices.

Here are some helpful ideas to review with your particular situation:

  1. Although utilizing a security system that has motion sensors is better than nothing, using security cameras usually discourages theft.
  2. Conduct a walk through of your facility and create an inventory list of all devices that access or store ePHI. Knowing what you have, where it is located, and if it contains ePHI is essential in securing your data. This includes portable devices and small electronic media. Remember, printers, copiers, and scanners can store data as well.
  3. Review the location of all devices that access or store ePHI. Ensure they are not located in an area that could be easily accessed by an unauthorized person or utilize cable locks. If screens are viewable and cannot be relocated, the use of privacy screens are highly recommended. Encryption is recommended on any device that contains ePHI. If the devices are transported they should be encrypted even if they do not contain ePHI. If they are ever lost or stolen and the encryption is engaged, it would not be a reportable breach.
  4. If your USB drives are not used, locks should be installed. This is an inexpensive method to protect the network. If your workstations utilize CD/DVD drives, these should be disabled as well. Another option would be to configure this through a Microsoft Group Policy.
  5. Make sure paper PHI is not left in areas that could be accessed by another as well. This includes where you store your excess paper charts. These areas should be locked when not in use. It is also recommended to utilize signage instructing “Employees Only”.
  6. Employees can be your biggest asset or your largest liability. Training your employees on computer security is an ongoing process. Annual HIPAA training should include the HIPAA privacy rule and HIPAA security rule. Also, add monthly security reminders to keep HIPAA fresh in their minds. Continuing education is the key to safety.
  7. HIPAA Policies and procedures are the backbone of an organization. Properly trained employees know and understand what is required and needed. The data that a health care provider has in its possession is priceless. This data must be secure physically and technically. All of this is necessary to avoid a data breach.

If an organization fails to secure patient information the Office for Civil Rights (OCR) will open an investigation and the organization can end up with massive fines. These fines have ranged from $250K to $3.5M. Although the fines are based on the organization’s ability to pay, the days of receiving just a $50K fine seems to be over. Best practices would be to review your HIPAA risk analysis and make sure it is thorough. Some online risk assessments unfortunately do not uncover all of your vulnerabilities. The OCR could consider this as willful neglect even though you didn’t know. Make sure you update your risk management plan and mitigate those vulnerabilities. Small oversights could cost you a fortune.

For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467.

“Simplifying HIPAA through Partnership, Education, and Support”

©2024 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC