When the providers and upper management understand the ramifications of violations, then the rest of the staff typically will follow the examples that are set in place. Because HIPAA Compliance starts at the top!
Violations happen when someone makes a mistake or is simply not thinking. HIPAA needs to be on the forefront of everyone who encounters patient information. Treat this information as if it were your own! HIPAA does not have to be difficult; it only takes a few precautionary measures to stay compliant.
Here are some helpful reminders:
Always speak in hushed tones. The person you are talking to may not be the one that will complain. Others may think if they can hear what you are saying to another patient, someone else will hear what you are saying to them.
When a patient makes a request, always ask this to be in writing. Remember there is a time limit on most requests, and you must answer within the time allotted. If a patient asks for a copy of their medical records, you have 30 days to answer the request, you may extend 30 days, but it must be explained to the patient why, and a date when they will be available must be determined.
With the new information blocking rules, patients now have the right to ask for their information in the format of their choice. This means if they want to download to an app or share with a third party, you are required to do so. If you do not have the technology in place to honor their request, advise the patient you are checking into this, and never tell them “no” you can’t honor their request. That may be considered information blocking.
Before emailing or faxing patient information, verify the number/address, and before you click send, verify AGAIN! If you are attaching documents, be sure the document you are sending is the correct information for that patient. If you are emailing protected health information (PHI), encryption should be utilized. The only time this is not required is if the patient has been informed that this is not a secure method of transmission, and they authorize you to send it anyway. Be sure to keep that email as your authorization.
Train your staff to verify that business associate agreements are in place before releasing any paper, digital, or electronic PHI. This can save you hundreds of thousands of dollars in fines should they mishandle PHI.
Educate your staff that looking into medical records that they do not have a need to do so, is grounds for termination. This includes family members, friends, neighbors, and celebrities. The monitoring of audit logs is a required standard under the security rule. If you are not reviewing your logs, then it is highly recommended to utilize an audit log monitoring company.
Remind staff that work computers are for business purposes only. It is so easy to introduce malware and viruses from the internet. Also, remind them NEVER click on links in emails unless you are expecting the email.
These are just a few items to keep in mind. Be sure to train your staff on privacy and security annually and send out reminders. HIPAA is not just a once-a-year commitment, it is every day! Stay safe out there!
To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:
It is hard to believe we are in 2021, but I am sure you are like the rest of us and glad to see 2020 in the rear-view mirror.
As we move into this new year, we need to look ahead and learn from what has happened in the past. Last month we informed you about many HIPAA violations that the Office for Civil Rights (OCR) had investigated. Most of these violations could have been prevented. In fact, I was talking with a colleague that owns an audit log monitoring system and he informed me that during the pandemic they saw a 90% increase in snooping into patient records of the same last name. Fortunately for his clients, this was immediately stopped, and the employee(s) were sanctioned. This made me want to remind you of a few requirements under HIPAA.
164.308(a)(1)(ii)(c) Sanction Policy – is a “required” standard under the HIPAA Security Rule. Employers are required by law to apply sanctions against employees who violate HIPAA, otherwise the employer could be fined.
164.308(a)(1)(ii)(d) Information System Activity Review – is another required standard. Which requires procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. A security incident can be best described as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
164.312(b) Audit Controls – is yet another required standard that states you must implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (ePHI). This standard goes hand in hand with Information System Activity Review.
What does this mean to you?
First, you must understand what is considered “normal” usage within your software/hardware that contains ePHI. Then you must monitor your systems for abnormal behavior. This is a HUGE time-consuming task and unless you are monitoring every employee, 24/7 you may miss something. We highly recommend utilizing a third party to do this for you. The company we work with has interfaces with over 60 EHRs and is fully automated. If they do not have an interface, they will create one, or show you how to upload the logs in a matter of minutes instead of hours. No more looking over lengthy audit log reports. You simply receive an alert when there is abnormal activity. Best of all, this protects your patient data and your practice from fines and penalties. If you would like to learn more about this service, use the contact us page.
If you need assistance with HIPAA Risk Management or guidance with your HIPAA Compliance, contact us at 877.659.2467 or complete the contact us form.
When an employee is terminated, it is necessary to remove access to protected health information (PHI) immediately. It is just as important for employees not to share their log-in credentials with anyone. The City of New Haven, Connecticut found out the hard way. In January 2017 the New Haven Health Department filed a breach report stating that a terminated employee may have accessed a file on a New Haven computer that contained PHI (protected health information) of 498 individuals. During the OCR’s investigation they discovered the former employee had returned to the health department eight days after being terminated and logged into her old computer and downloaded patient information to a USB drive. They also uncovered that the former employee had shared her user credentials with an intern, who continued to use these credentials to access PHI.
As we have mentioned before, when you are under investigation, they review all of your compliance efforts and not just the incident that provoked the investigation. During this investigation, the OCR determined they failed to conduct a system wide risk analysis and failed to implement access controls and termination procedures.
“Medical providers need to know who in their organization can access patient data at all times. When someone’s employment ends, so must their access to patient records,” said OCR Director Roger Severino.
This mistake cost the City of New Haven $202, 400 and they must implement a robust corrective action plan that includes two years of monitoring.
We find this difficult to talk about especially during these trying times. However, we feel it is important for all practices to know that HIPAA violations and fines have not disappeared during this pandemic.
Investigations take a long time and many practices think since they have not heard of small practices being fined that they are immune. Unfortunately, that is not true. Fines are smaller, but even the “small” fines hurt small practices. Could you afford $25K or $50K in fines?
The latest fine of $25K for ongoing HIPAA violations could have been more but the statute of limitations is 6 years. It was reported that they had failed to implement security rule policies and procedures, failed to provide their employees with security awareness and training, and they failed to conduct a thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity and availability of the ePHI they held.
We understand that after you conduct the HIPAA risk analysis, the hard work begins. Implementing your HIPAA policies and procedures and documenting your risk management plan are difficult and there never seems to be enough hours in the day to complete this task. This is a MUST!
To find out more about how our automated HIPAA compliance platform can help your organization click here:
Modern technology is both amazing and scary! Do you know what is being said about you or your organization? In today’s world we must keep up with what is being said on the World Wide Web (WWW) to make sure what the world sees and reads is not Fake News! It also helps you to uncover any broken links to your website that may frustrate potential new patients from actually finding you.
It is a proven fact that before a person buys nearly anything, they “Google” it. This includes finding services as well as looking for a new physician. Do you want to increase your patient visits? Are you being found? Is the information that is out there correct? We suggest searching for your name, practice name, address, and phone numbers to see what is listed. Also check the websites that rate physicians.
Do you have any social media sites? Did you know that someone else can create one for you? These are called “unofficial” sites in Facebook. Patients could be checking in and writing negative comments about your practice and you may not even know about it. That is why it is so important to keep an watchful eye! However, be very careful how you respond. Patients have the right to tell the world about themselves but healthcare providers do not!
Before you venture into any marketing campaigns, make sure you are not violating any privacy laws. If you decide to hire a marketing company or reputation management service; insist on a company that is well versed in the medical arena. Special HIPAA regulations are required in marketing and we have heard some practices being charged with HIPAA violations due to their service provider. Also, remember to check your state laws as well!
For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Practice call 877.659.2467 or click here to contact us.
“Protecting Organizations through Partnership, Education, and Support”