Information Blocking Rule – Best practices to prepare now

It is the start of a new year and one thing we know for sure; nothing stays the same. Rules change, technology changes, and we must keep up. We wrote about the new Information Blocking Rule last July, but we have found many practices still do not understand what this means to them.

When the EHR Meaningful Use criteria was introduced in 2013, CMS stated that practices did not have to implement specific technology if a patient requested their information in a format that they did not have in place. This has all changed with the Information Blocking Rule that was passed in 2021. Part of the Interoperability Standard requires medical providers and health information companies to share patient data upon patient request. This Rule makes it very clear when it comes to patients and the control they have over their information. This is also known as “right of access”.

In the past EHRs was hesitant to open their portals due to security issues. Now, it is required to have security measures in place and share the data. There are some exceptions, but be forewarned, they are vague, and could be misinterpreted.

Penalty guidelines are in place for IT operators and health information companies, they are still working on the guidelines for medical providers. This gives you a limited amount of time to get ready for heavy enforcement.

Patients are now permitted to request their information be made available in the format of their choice. This includes to a third-party app installed on their mobile devices. These apps should protect patient data by supporting secure access through authentication processes similar to what the financial industries use.

When a patient makes a request and you do not have the technology in place to grant their request, you are obligated to comply with their request if possible or contact your technology vendors to see if this can be accomplished. If you do not, this could be considered Information Blocking. We recommend contacting your EHR and starting a conversation with them to ensure they are working on interfaces with other EHRs and some of the most common mobile apps.

There are some companies working on this technology, from what I have heard, they are limited. I am sure more will be adding this service as we progress. Before you hire a company to “develop” an interface for you, read below.

NOTE: If a patient requests their medical provider to share their information with another entity that is not a covered entity or a business associate, the information is not subject to the HIPAA rules. For example, the covered entity would not have HIPAA responsibilities or liability if such an app that the patient designated to receive their ePHI later experiences a breach. If a patient requests a covered entity to send their ePHI using an unsecure method the covered entity must grant the disclosure if it is readily available in the form and format used by the app. However, it is highly recommended to advise the patient of the lack of security so they can make an informed decision.

On the other hand, if the app was developed for, or provided by or on behalf of the covered entity and it creates, receives, maintains, or transmits ePHI on behalf of the covered entity, the covered entity could be liable under the HIPAA Rules for a subsequent impermissible disclosure because of the business associate relationship between the covered entity and the app developer. For example, if the patient selects an app that the medical provider uses to provide services to their patients involving ePHI, the medical provider may be subject to liability under the HIPAA Rules if the app impermissibly discloses the ePHI received. If you choose to develop or work with a company that has developed an app, be sure to obtain a BA agreement and review their technology security to ensure they are following the HIPAA requirements.

As we venture into this new territory, there will bad actors trying to “jump” on the healthcare wagon. As always, do your research before using any new applications or vendors. Ask your colleagues and most of all, check out their credentials.

If you need more information about the Information Blocking Rule or would like a live demo of our Automated HIPAA Compliance platform, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Automation, Education, and Support”

More fines for Providers for not providing timely right of access

Medical professionals have had a rough year and a half. This has been trying times for so many and we have had to learn to adapt to new ways of running practices. I was hoping to be able to share some good news during this time of thankfulness and joyous season, but the Office for Civil Rights do not take breaks… This is not meant to be disrespectful but to inform you that when a patient files a complaint, the OCR takes that seriously and will open an investigation. So, during this holiday season, please stay vigilant to patient requests. Be sure to have the patient make the request in writing and no sticky notes allowed! DOCUMENTATION is your friend, not your enemy. Make sure this task is completed in a timely manner. These forms are included in your HIPAA compliance program if you do not have one already in use.

The Office for Civil Rights is VERY interested in how timely you answer a patient’s request to access their medical records. This is known as “Right of Access”. A patient has the “right” to request a copy of their medical records and this should be provided within 30 days, or if additional time is needed, a 30-day extension may be permitted if the patient has been notified of the reason and the delay with a date that the records will be made available.

In September the OCR announced the twentieth settlement for right of access violations. Earlier this month, they announced five more.

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced the resolution of five investigations in its Health Insurance Portability and Accountability Act (HIPAA) Right of Access Initiative, bringing the total number of these enforcement actions to twenty-five since the initiative began.  OCR created this initiative to support individuals’ right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule.

HIPAA gives people the right to see and get copies of their health information from their healthcare providers and health plans.  After receiving a request, an entity that is regulated by HIPAA has, absent an extension, 30 days to provide an individual or their representative with their records in a timely manner.

“Timely access to your health records is a powerful tool in staying healthy, patient privacy and it is your right under law,” said OCR Director Lisa J. Pino. “OCR will continue its enforcement actions by holding covered entities responsible for their HIPAA compliance and pursue civil money penalties for violations that are not addressed.”

OCR has taken the following enforcement actions that underscore the importance and necessity of compliance with the HIPAA Right of Access:

  • Advanced Spine & Pain Management (ASPM), which provides management and treatment of chronic pain services in Cincinnati and Springboro, Ohio, has agreed to take corrective actions that include two years of monitoring, and has paid OCR $32,150 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
  • Denver Retina Center, a provider of ophthalmological services in Denver, CO, has agreed to take corrective actions that includes one year of monitoring and has paid OCR $30,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.
  • Dr. Robert Glaser, a cardiovascular disease and internal medicine doctor in New Hyde Park, NY, did not cooperate with OCR’s investigation or respond to OCR’s data requests after failing to provide a patient with a copy of their medical record.  Dr. Glaser waived his right to a hearing and did not contest the findings of OCR’s Notice of Proposed Determination.  Accordingly, OCR closed this case by issuing a civil money penalty of $100,000.
  • Wake Health Medical Group, a provider of primary care and other health care services in Raleigh, NC, has agreed to take corrective actions and has paid OCR $10,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.

There are many other fines being assessed that can be reviewed on the HHS/OCR website. This is not meant to scare you but rather inform you what they are doing so you can stay safe and prosperous.

All of us at Aris Medical Solutions want to wish everyone a safe and wonderful holiday season. We do not take breaks either, we are here to help you! 

If you need more information or would like a live demo of our Automated HIPAA Compliance platform, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

HIPAA Requirements and Software updates

Many medical providers are so busy trying to run a successful practice they sometimes forget the “technical” side of their business. Hackers know this and capitalize on it. Lately in the news, we have heard about Microsoft and Apple vulnerabilities that have been exploited by spammers and hackers. Therefore, it is SO important to stay on top of technology updates!

Most practices utilize an IT company of some sort, we recommend an IT company that specializes in network security. We do not recommend the practice trying to do this themselves unless the person assigned to the task is well versed in data security.

The Office for Civil Rights recommends an annual HIPAA risk analysis be conducted because technology changes so fast, by the time you implement a new system, an update is probably available. Speaking of the Office for Civil Rights, over the last few years, they have added hundreds of new auditors and now they are advertising for multiple new attorneys to enforce HIPAA. “Who May Apply: This vacancy announcement is open to all US Citizens and may be used to fill multiple positions”.

We have an automated HIPAA Compliance platform to help medical practices and their business associates with the daunting task up updating HIPAA compliance. To learn more about why you should and how to protect your data, read more below.

Over the last 12 years we have learned so much from our clients and have created a system that came out of their suggestions. For example, keeping all policies in one Step so you can easily scroll down to locate the one you need. Also, being able to view the state breach notification requirements. This is especially helpful for those practices that have multiple state locations or patients in more than one state. As we have been onboarding clients, we have had great feedback on the look and ease of use. Here is some information for your review.

Aris’ automated HIPAA system will enable your organization to maintain the HIPAA compliance documentation is an easy-to-follow format. As you know, it only takes one patient complaint, a disgruntled employee, or a data breach to start an investigation from the Office for Civil Rights (OCR) and they sometimes include the Office of Inspector General (OIG) and the Department of Justice (DOJ). Documentation is a main factor in avoiding a desk audit or passing an audit.

Our new system is better than ever, you have the ability to upload your own documents or implement and customize the ones that are included. Plus, as new rules and laws are introduced, we send out notifications of updates so you can review and approve the new policies. For instance, the Information Blocking rule is included, and we are watching for the other updates that are to follow. If you are not familiar with this, our new online HIPAA compliance system may be of interest to you.

Training your employees has never been easier, after you enter your employees during the onboarding process, you can send them to take an online HIPAA training course that is included. Once they complete the course, they will be required to take a short quiz and their certification of completion is conveniently stored within the system should you be audited.

The entire system educates the client every step of the way to ensure you understand what is required under HIPAA. If you have questions about HIPAA or need guidance, we offer a support ticketing system that is included with our monthly subscription.

Once you create your login, it is easy to navigate! In the Profile section, you will add employees, business associates, and electronic devices. You may use an excel spreadsheet to upload each section or enter individually. From here you can send employees the Confidentiality and Acceptable Use agreement via DocuSign to ensure employees understand what is acceptable and what is not permitted. If you do not have a business associate agreement in place will all your vendors, you have the option of sending one via DocuSign or printing a copy and sending one instead. The inventory list is a great way to keep track of which devices have had ePHI located on them, so you know the method to retire equipment when the time comes.

Step 1 – You will answer a series of questions to uncover risks and vulnerabilities. A risk management plan will be generated automatically that outlines what is needed to mitigate the vulnerabilities that were uncovered. You may modify what is recommended if you choose.

Step 2 – Security Incident Procedures and Breach Notification Plan. You will select which states your patients are located and the state law will automatically be populated. This plan also includes the links needed in the event of a data breach large or small.

Step 3 – You will be asked a series of questions about whether or not you have policies and procedures in place that meet the HIPAA Privacy and Security Rule requirements. Each policy will have a side note of education to ensure you understand what is required to be included. We suggest adopting the policies included and modify to meet your specific needs, then the policies are automatically dated and approved.

Step 4 – HIPAA Forms and Documentation. You may have forms you are already using; you may upload them to this Step to keep all your forms organized. There also many forms you may not be aware that is required under HIPAA, they are included and available for download in a Word format. You can customize them with your information and logo.

Step 5 – Business Associate agreements. During the creation of your profile, you are asked to add your business associates and upload any existing business associate agreements and HIPAA compliance documentation you may have. You have the option of sending a business associate a BA agreement via DocuSign or you may download a Word format and customize if needed. This is also useful if you have a Business Associate that uses Subcontractors, you would be able to use this document.

Step 6 – Contingency Plan. You may upload your own contingency plan, or you may choose to complete the one included in this Step.

Step 7 – This step contains a wealth of information. You can take a leisurely stroll to learn more about the HIPAA rules and other requirements that may affect your organization. You have the option to include which areas to include in your download. We also have a list of affiliates that you may need to complete your compliance requirements.

After you have completed the 7-Steps, you may simply download your package to share your policies and procedures with your employees.

When you are ready to get started all you have to do is click on the Order Now button on the main page of our website. Included is an online 1 hour live onboarding meeting to explain how to use the system.

To find out more about how our automated HIPAA compliance platform can help your organization click the contact us tab and scroll down to schedule a demo.

“Simplifying HIPAA through Automation, Education, and Support”

Security Rule requirements, Part 4, Evaluations 45 CFR § 164.308(a)(8)

Many practices think once they have conducted a risk analysis, they are done with their HIPAA compliance efforts. Unfortunately, a risk analysis is just the beginning! You must document your ongoing HIPAA efforts through evaluations.

45 CFR § 164.308(a)(8) Evaluation – HIPAA requires organizations to review technical and non-technical aspects of their compliance efforts based on their original risk analysis. These evaluations could be based on operational or environmental changes that affect the security of ePHI.

Setting a time frame in which to perform your evaluations will be essential in determining if you are adequately protecting ePHI. Organizations may perform these processes annually or as needed (e.g., bi-annual or every 3 years) depending on circumstances of their environment. An annual evaluation is recommended due the ever-changing world of technology. As software/hardware are outdated or replaced, the new devices must be reviewed to ensure they are HIPAA compliant and installed properly. Of course, if you have a major change in your organization or a data breach you may need to reorganize your quarterly plans and conduct a new risk analysis. Keep in mind, should you suffer a data breach and you have not updated your risk analysis and a vulnerability is discovered; you could be heavily fined. It is important to know if the security plans and procedures you have implemented continue to adequately protect ePHI. Some organizations do not understand the need in hiring an IT vendor with the thoughts they can do this themselves. Depending on the services that are being offered, you could be making a huge mistake. An IT vendor that specializes in data security for healthcare is essential in protecting your data and your assets.

We recommend reviewing certain aspects each quarter of each year. For instance, the first quarter review your Risk Management Plan to ensure everything is documented. It may not be necessary to update your Breach Notification Plan, but we suggest reading it to remind yourself what to do in the event of a data breach.

The second quarter would be a good time to review your Contingency Plan and make any updates. You may need to request additional information from your IT department or vendor.

 

The third quarter review your HIPAA Privacy Rule Policies, Procedures and Documentation. Most of these will not need any updates, but as always, it is recommended to review them, just in case something has changed.

 

The fourth quarter review your HIPAA Security Rule Policies, Procedures and Documentation. As in the privacy section, you may not need to update very many, but it is required under HIPAA to review them. Pay close attention to the Technical Safeguards section, as this may be where changes need to be made.

We also recommend reviewing your insurance policies and vendor contracts at least 60-90 days before they renew. This should give you ample time to review and decide if you have adequate coverage. This includes medical malpractice, life, and disability for key personnel. We also suggest reviewing your contract with your IT vendor at least 90 days before the contract terminates, some vendors add stipulations in the contract that automatically locks you in an additional year.

Cyber/breach insurance should be reviewed with an agent that specializes in this type of coverage; the average policy may not be enough to protect you.

 

Aris has been busy creating an automated HIPAA compliance package. With the new program, you will be able to update your plan and your policies quickly and easily. With the documentation within the system, you will be able to demonstrate your on-going HIPAA compliance efforts. Watch for the launch annoucement!

 

If you need assistance with Risk Management or guidance with your HIPAA Compliance, contact us at 877.659.2467 or complete the contact us form.

 

“Simplifying HIPAA through Partnership, Education, and Support”

Cosmetic Practice Fined – No one is immune from HIPAA

April 15, 2021

By Suze Shaffer | Aris Medical Solutions

Recently a cosmetic practice was fined $30,000 to settle potential HIPAA Privacy Rule violations. In the past many practices believed if they did not accept insurance payments (considered as a “transaction” under HIPAA), they were immune from the privacy rule. This may not be the case. There is a section in the rule that states “Other transactions that the Secretary may prescribe by regulation”.  HIPAA compliance is a balancing act, are you willing to lose $30K of your hard-earned money to test the system?

This investigation started with a compliant from a patient that had requested their medical record and did not receive them in a timely manner. Under the HIPAA Privacy Rule, the provider must respond to a patient’s request for access no later than 30 calendar days after the request. If the covered entity is not able to act within this timeframe, the entity may have up to an additional 30 calendar days if they provide the individual (within the initial 30-day period) with a written statement for the reason of the delay and include a date when the entity will have the information available. See 45 CFR §164.524(b)(2). Unfortunately for this practice, this was not handled in a timely manner. Therefore, an investigation was launched.

Let us review how this happens.

Once a complaint is filed to the Office for Civil Rights (OCR), the OCR will determine if the complaint falls within their duties to investigate. Once an investigation has been opened, the OCR will contact the practice for their documentation surrounding the incident. Depending on the documentation that is submitted will determine if a desk audit is warranted. Therefore, documentation is SO important, you may be able to avoid a desk audit if you supply the appropriate documents.

During a desk audit more than likely, you will be asked for documentation of what preventative measures you had in place before the incident and what you have implemented to prevent this from happening again. While you are being investigated the OCR may also review your compliance in other areas. If they find discrepancies, you could be fined for those as well. HIPAA encompasses a large range of requirements. Patient privacy, patient rights, and data security to name a few. I will not go into detail during this notification since we are sharing the security rule requirements in other messages.

Each resolution agreement that is issued by the HHS/OCR outlines the deficiencies they uncover. Most of them include the lack of a risk analysis, risk management, training, business associate agreements, and policies and procedures. During this investigation, other violations were uncovered and included the social security act was named in the resolution agreement: Section 1128A of the Social Security Act (42 U.S.C. § 1320a- 7a) a.

From this, I hope you can understand the importance of HIPAA compliance. Because one simple oversight can cause this much heartache. Patient privacy, patient rights, and data security is as important as caring for your patients. We have just learned that any entity that has patient data can be investigated and fined for violations under HIPAA.

Tell your friends and colleagues to ensure everyone understands no one is immune from HIPAA if you have patient data. Fines are fierce and not worth taking a chance by thinking “it won’t happen to me”.

If you need assistance with HIPAA Training, Risk Management, or guidance with your HIPAA Compliance contact us at 877.659.2467 or complete the contact us form. 

 

“Simplifying HIPAA through Partnership, Education, and Support” 

Workstation Security

HIPAA Compliance is more than just about a patient’s right to access their information. Although the HIPAA Privacy Rule is how most of this began, it is so much more now! The HIPAA Security Rule outlines administrative safeguards, physical, and technical security. Most organizations are so busy trying to figure out how to protect themselves from the unknown (technical concerns) that they forget about the actual physical security. We are not just talking about building security systems, but how you secure the individual devices that are utilized within your facility and those who travel with portable devices.

Here are some helpful ideas to review with your particular situation:

  1. Although utilizing a security system that has motion sensors is better than nothing, using security cameras usually discourages theft.
  2. Conduct a walk through of your facility and create an inventory list of all devices that access or store ePHI. Knowing what you have, where it is located, and if it contains ePHI is essential in securing your data. This includes portable devices and small electronic media. Remember, printers, copiers, and scanners can store data as well.
  3. Review the location of all devices that access or store ePHI. Ensure they are not located in an area that could be easily accessed by an unauthorized person or utilize cable locks. If screens are viewable and cannot be relocated, the use of privacy screens are highly recommended. Encryption is recommended on any device that contains ePHI. If the devices are transported they should be encrypted even if they do not contain ePHI. If they are ever lost or stolen and the encryption is engaged, it would not be a reportable breach.
  4. If your USB drives are not used, locks should be installed. This is an inexpensive method to protect the network. If your workstations utilize CD/DVD drives, these should be disabled as well. Another option would be to configure this through a Microsoft Group Policy.
  5. Make sure paper PHI is not left in areas that could be accessed by another as well. This includes where you store your excess paper charts. These areas should be locked when not in use. It is also recommended to utilize signage instructing “Employees Only”.
  6. Employees can be your biggest asset or your largest liability. Training your employees on computer security is an ongoing process. Annual HIPAA training should include the HIPAA privacy rule and HIPAA security rule. Also, add monthly security reminders to keep HIPAA fresh in their minds. Continuing education is the key to safety.
  7. HIPAA Policies and procedures are the backbone of an organization. Properly trained employees know and understand what is required and needed. The data that a health care provider has in its possession is priceless. This data must be secure physically and technically. All of this is necessary to avoid a data breach.

If an organization fails to secure patient information the Office for Civil Rights (OCR) will open an investigation and the organization can end up with massive fines. These fines have ranged from $250K to $3.5M. Although the fines are based on the organization’s ability to pay, the days of receiving just a $50K fine seems to be over. Best practices would be to review your HIPAA risk analysis and make sure it is thorough. Some online risk assessments unfortunately do not uncover all of your vulnerabilities. The OCR could consider this as willful neglect even though you didn’t know. Make sure you update your risk management plan and mitigate those vulnerabilities. Small oversights could cost you a fortune.

For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467.

“Simplifying HIPAA through Partnership, Education, and Support”

©2022 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC