We find this difficult to talk about especially during these trying times. However, we feel it is important for all practices to know that HIPAA violations and fines have not disappeared during this pandemic.
Investigations take a long time and many practices think since they have not heard of small practices being fined that they are immune. Unfortunately, that is not true. Fines are smaller, but even the “small” fines hurt small practices. Could you afford $25K or $50K in fines?
The latest fine of $25K for ongoing HIPAA violations could have been more but the statute of limitations is 6 years. It was reported that they had failed to implement security rule policies and procedures, failed to provide their employees with security awareness and training, and they failed to conduct a thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity and availability of the ePHI they held.
We understand that after you conduct the HIPAA risk analysis, the hard work begins. Implementing your HIPAA policies and procedures and documenting your risk management plan are difficult and there never seems to be enough hours in the day to complete this task. This is a MUST!
To find out more about how our automated HIPAA compliance platform can help your organization click here:
The Office for Civil Rights (OCR) back in March relaxed it’s enforcement for non-compliance with regards to telemedicine. They permitted the use of audio/video communication applications such as Facetime, Google hangouts, Zoom, and Skype without risk that a provider could be issued a penalty for non-compliance. Providers were encouraged to inform their patients of potential privacy risks and do their best to engage encryption and whatever means they had available to secure the data.
Even though some states are experiencing a surge in more COVID cases, medical providers are expected to seek HIPAA qualified products and obtain a business associate agreement. Telehealth providers should now have an agreement ready that will include state law provisions and data security information. Medical providers should read this agreement carefully to ensure the data security is outlined and meets their state law breach notification guidelines. Ideally, it would be best for the vendor to sign YOUR business associate agreement if you have one that has outlined security requirements.
If a medical provider does not obtain a signed business associate from a vendor, the medical provider should terminate using the vendor. Just because a vendor doesn’t sign a BAA it does NOT release them from liability. It just means the liability falls on the medical provider for not obtaining the signed document. Furthermore, the medical provider may receive fines for non-compliance should the business associate suffer a data breach or security incident. These documents are extremely important!
Many thanks to all our healthcare workers for staying strong throughout these trying times.
If you would like more information or need a business associate agreement, contact us at 877.659.2467 or complete the contact us form.
“Simplifying HIPAA through Partnership, Education, and Support”
We all have been annoyed at one time or another when we arrive at a counter or a place of business and the person is on their cell phone and we are ignored. Of course, that is not very good customer service. When you work in healthcare, it goes to an all new level. HIPAA doesn’t restrict the use of cell phones, except how they are secured and protected. However, this is not what we are discussing here today.
We are hearing about complaints from patients accusing employees of taking pictures of their information. This particular situation the employee was accused of taking pictures of the computer screen and the patient told the doctor. This afforded the doctor the opportunity to address the situation and avoid a formal complaint to the Office for Civil Rights (OCR). We recommend employees leaving their cell phones out of sight of patients unless the phone is used for business purposes within the practice. Some organizations are even adding cell phone lockers. I can remember before we had cell phones, we actually gave out our work number to anyone who needed to get in contact with us! Now you know how old I really am! Joking aside, this is a very serious matter that could cause the OCR to open an investigation. Keep in mind, when you are being investigated by the OCR, they do not “just” investigate “that” situation. They look at your overall compliance plan. Where are your policies? What were your procedures before, during, and after the occurrence. What have you done to prevent the same situation from happening again? Plus, many more items they take into consideration when conducting an investigation.
The next area of concern with cell phones are with patients. We have long been a proponent of using privacy screens on computers. Now, even if the screen is across the room, we are pushing our clients to add the screens. Patients now have their phones out while making new appointments, they could potentially take pictures of computer screens across the room and enlarge them. Some of you may be thinking that we worry too much and all this security is driving you crazy. It only takes ONE mistake or ONE complaint to turn your life into a rollercoaster. Prevention is the best medicine!
If you would like more information, contact us at 877.659.2467 or complete the contact us form.
“Simplifying HIPAA through Partnership, Education, and Support”
Many covered entities struggle to understand what is “right of access” for individuals. Under HIPAA and the Omnibus Rule, a patient has the “right” to request a copy of their medical record in the format of their choice (if available). What this means is, a medical provider is not required to purchase special equipment or software to meet these requests. With that said, if a patient requests a CD or DVD of their medical records and you do not have a DVD drive, you would not necessarily be required to purchase one. Keep in mind, DVD drives are only about $25 and it would not be unreasonable for a practice to purchase one. Of course, the ideal situation would be to direct the patient to your EHR portal and download it themselves. However, you can’t require them to do so.
When a patient requests the right to access their PHI (protected health information), be sure to have the patient sign a written request and make note of the date. A provider has 30 days to supply the patient with this information. To extend the time, the covered entity must, within the initial 30 days, inform the individual in writing of the reasons for the delay and the date by which the covered entity will provide access. Keep in mind, only one extension is permitted per access request.
The next area of confusion is the fee limitation. Copying fees for medical records are set by individual states and typically refer to the cost of labor, printing, and delivery of paper or electronic data. The labor fee does not permit the provider to charge for the preparation of the data but labor costs could include skilled technical staff time spent to create and copy the electronic file, such as compiling, extracting, scanning and burning [PHI] to media.
The Flat Fee rate option is not cap, merely an option rather than calculating the actual cost of labor and printing. Many providers are utilizing this method since it is easier than calculating the actual costs.
On January 23, 2020, a federal court vacated the “third-party directive” within the individual right of access “insofar as it expands the HITECH Act’s third-party directive beyond requests for a copy of an electronic health record with respect to PHI (protected health information) in an electronic format.” Additionally, the fee limitation set forth at 45 C.F.R. § 164.524(c)(4) will apply only to a patient’s request for access to their own records, and does not apply to a patient’s request to transmit records to a third party.
Hindsight is always 2020, as we begin this new year, let’s try to make that a current sight!
By now, those of you who have been using Windows 7 computers and 2008 Servers have been getting notifications that the end of life was coming. Time is here. January 14, 2020, Microsoft no longer will be supporting these operating systems. What this means is they will no longer send out security updates. Each time a security update is issued, it is because someone has found a vulnerability that could be exploited. This is why hackers lay in wait for unsuspecting people to ignore this. Of course, it is doubtful that you will get hit on January 15, but the chance is there and will increase with each passing day. If you are hacked and this causes a data breach, you WILL be fined for using outdated software. At the conference in October, the OCR specifically discussed this.
All 50 states have their own set of privacy laws to protect their residents. In Healthcare we have to adhere to HIPAA, the Federal law, but also must follow state law when it is more stringent. Sometimes, this means flipping back and forth and it becomes very confusing. The good news is that lawmakers are trying to come up with a Federal privacy law to help stop the confusion. Although they haven’t come up with a firm plan yet, they are working on it. This is partly due to the GDPR (General Data Protection Regulation) being enforceable in the United States. Some people view this a cost guzzling law, but we are all consumers and we should have the right to know who is collecting our data, how they are storing our information, and if they are selling our information. Hopefully, our Federal lawmakers will come up with a law that will allow consumers to opt out if we don’t want our information sold. In healthcare, our information may be sold by EHRs and other healthcare companies, when it is de-identified. Medical practitioners are required to obtain a patient’s authorization before they share patient information. Other businesses should be required to do the same and be fined for selling our personal information if we do not permit the disclosure.
To learn more on what is being discussed in legislation , click here:
In June 2018 California passed a consumer privacy law, AB 375, that may be more stringent than the GDPR. The California Consumer Privacy Act (CCPA) went into law January 1, 2020. Although the law isn’t as stringent as the GDPR on timeline notifications, it does have some very tight restrictions that go even further. Any company that have at least $25 million in annual revenue and serves California residents must comply with the law. Also, companies of any size that have personal data on at least 50,000 people or that collect more than half of their revenues from the sale of personal data fall under this law. Companies don’t have to be based in California to fall under the law. They don’t even have to be based in the United States.
We believe more states will follow California unless we can agree on a Federal law to help all consumers. Most of us are patients at a medical facility somewhere, and we are ALL consumers everywhere! By enacting a Federal privacy law, this is a good thing, not a bad!
Happy New Year and praying for good things to come!
If you would like more information, contact us at 877.659.2467 or complete the contact us form.
“Simplifying HIPAA through Partnership, Education, and Support”
We all hope that we do not fall victim to ransomware, but we need to do more than just hope. All businesses, especially healthcare must have a contingency plan that includes data recovery in the event their systems are encrypted. If you have a backup that is NOT connected to your network, your downtime will be minimal. Keep in mind, you may need to go through the breach notification process based on your state and federal HIPAA law.
A Michigan ENT and Hearing practice refused to pay $6,500 in ransom and the hackers wiped their systems. With no chance of recovering this data, they chose to close the practice.
Most recently, a California Medical Practice was unable to recover their data after ransomware encrypted their systems including their backups. As a result, they will close their practice December 17, 2019.
I could keep adding to the list, but I would rather educate you on how to avoid this!
Best practice is of course to PREVENT ransomware in the first place. This starts with a solid network security program and education for your workforce. Most malware is introduced by an unsuspecting employee. Truly, one click of a mouse can cause a tumbling effect leading to the loss of your business. I know that sounds a bit dramatic, but most small to medium sized organizations that suffer a data breach do not survive.
Healthcare is a major target, in fact, 71% of ransomware attacks are towards small to medium sized practices since they do not have adequate network security in place.
Your first line of defense is an enterprise version firewall device. This means, do not purchase one that has parental controls!
Second, have a network security specialist set up your firewall and set custom security controls. It is fairly simple to set up a “network”, but it takes someone who truly understands network security to secure your network. This includes computers, servers, access points, etc.
Depending on the size of your organization, you may need to set up an onsite server as a domain controller. Once this is in place, all users are authenticated through the domain. Security permissions can be set all at once and can’t be changed by the users.
Phishing education for all employees including providers, and management. Business email addresses are targeted typically between Tuesday and Thursday according to the analysis from Barracuda. Phishing emails impersonate a trusted entity, they try to get the recipients to click on the links or attachments, share account credentials, and typically have some sort of urgency associated with the email. These emails often bypass traditional email security since they originate from reputable senders.
Ensuring you have business associate agreements in place before releasing any PHI. This will protect you from fines and penalties in the event they have a data breach. It is advisable to carry cyber-liability insurance. If your business associate causes a data breach, it will still be your responsibility to go through the breach notification process. Best practice is to require your business associate to carry cyber liability as well.
Physical security is often overlooked when we talk about data security. Portable devices need to be secured when left unattended. Printers and fax machines should not be located where they can be accessed by an unauthorized person. Servers should be in a locked room or cabinet. Computers should not be located near exits. Keeping an up to date inventory list and reviewing it regularly is critical in knowing if anything is missing. Lastly, a security system that has cameras and access logs is recommended.
Organizations that have well defined policies and procedures are less likely to have a data breach. Employees are educated on what they can and cannot do with business equipment. Knowing what to do in the event of a security incident can actually STOP a data breach from becoming a major breach. Plus, most large fines are because the organization did NOT have a policy or plan in place. Just make sure you have read and dated them!
Remember HIPAA is not a once and done process, as technology changes and employees come and go, you need to keep track and update accordingly. Use your Risk Management Plan to track your progress! Let us know if you need any help with implementation.
If you would like more information, contact us at 877.659.2467 or complete the contact us form.
“Simplifying HIPAA through Partnership, Education, and Support”
We are always talking about HIPAA compliance because that is what we do! Sadly many practices think just having a patient sign they received your Notice of Privacy Practices is all that is needed. There is so much more to HIPAA than that! After we go over a client’s risk analysis they realize this and are anxious to get their compliance in place. Then you get busy and it is pushed off to the next week, then the next, and then you realize it never was implemented!
Being HIPAA compliant means MANY things, and I could write about this for hours, but here are some basic reminders:
Work on your Risk Management plan, implement your policies and procedures and mitigate risks. Policies and procedures are necessary so employees understand what is and is not permitted. The enforcement of your sanction policy and being consistent for those employees who violate HIPAA can help you avoid fines and penalties.
Monitor your audit logs. Know who is doing what within your systems. Whether it is an employee or a business associate, you must know who and how users access ePHI. This is critical in preventing or stopping a data breach.
Make sure your HIPAA compliance officer is informed and educated on any security incidents that may occur. This can help them to determine if and when a data breach occurred when they are reviewing the audit logs. The HIPAA compliance officer is required under federal law to report data breaches, large and small. The only difference is timing. Large data breaches must be reported within 60 days (state law could be more stringent) and smaller breaches within 60 days after the end of the year in which the breach occurred.
Check the OIG exclusions list before you hire a new employee which can save you from being required to return payments you received from CMS in the event you hired someone on this list. Also, conducting a thorough criminal background check can prevent you from being stolen from! Conducting and documenting annual HIPAA training as well as when new employees are hired will educate them on patient privacy and data security. Make sure the method of training you choose covers both areas.
Make sure everyone uses their own login credentials and never share their passwords. If someone signs in under another person, then that person that is logged in could be held liability for anything that is done under their credentials! Remember to use strong passwords and change them often. If possible, implement a secondary authentication in addition to using just a username and password. This is extremely helpful in protecting information for business and personal. All online accounts, even email should use a two-step of some type.
Since we work in healthcare we have the ability to look at anyone’s medical record in our system. Keep in mind, you should only look at records that you have a need to do so. This means that if a patient is being seen by another provider or medical staff member and you do not have the need to view the record, you are NOT permitted to do so.
When it comes to technology, many people think if it’s not broke, don’t fix it. This is NOT true! As our systems age, unless they are updated and upgraded, your information may be at risk of a data breach. Firewalls, computers, servers, and software all must be maintained. Firewalls are your first line of defense. Would you put up a fence and never bother to lock it? I have said this many times in the past, in the old wild wild west you could see danger coming towards your town and prepare. The world wide web is the new wild wild west, but the intruders are invisible. You must have several layers of security to secure your data. NOTE: Microsoft Windows 7 will no longer be supported after January 14, 2020. I have always liked this operating system, but now we must prepare for those computers to be updated or replaced.
HIPAA is much more than just these items, but this should help you to remember some important steps!
If you haven’t implemented HIPAA privacy and security policies and procedures, now is a good time to start to ensure your employees understand how to protect your data. If you would like more information, contact us at 877.659.2467 or complete the contact us form.
When we conduct HIPAA training most employees are discouraged when we tell them not to surf the web on work computers. There is a very good reason for this… malicious code can be found on websites that have not been updated and maintained properly. Websites, just like any other technology device you use, must be updated and maintained to avoid being hijacked. Website developers sell templates, this makes it very easy to create a website. When vulnerabilities are discovered in the design of the site or one of the plug-ins, updates are pushed out. It is so important that you have a webmaster that stays on top of this! How would you feel if your website was used to infect your web traffic? Image how embarrassing it would be if your patients got a virus or malware from your website?
That brings us to another very important issue when it comes to healthcare; remote users. Home computers are more likely to be infected, in fact 68% of infections were on consumer computers. Are your employees using their own computers at home to access patient data? Was the RDP set up properly? Are the devices properly maintained by an IT professional? Do employees bring their devices from home into your office? Do your employees use their smartphones to connect to your WiFi? These are all areas that need to be reviewed and addressed to ensure your data is not at risk. This is not about restricting employees computer usage because the employer is being unreasonable. This all about protecting your organization from cyber attacks and protecting patient data.
Well educated employees are your best asset and together with proper security you can protect your organization from a data breach. The average data breach cost is $3.8 million and healthcare being one of highest at $380 per patient record. Keep in mind, if you can’t determine which patient records were breached, they are all considered to be breached and are included in the process. Between the cost of the breach and loss of confidence most organizations do not survive past 1 year after a breach.
Our business partner is nationally known and has mitigated some of the largest data breaches. They work with your IT professional to secure your network BEFORE you suffer a data breach. Let us know if you would like a quote on a network security audit.
To find out more about how our automated HIPAA compliance platform can help your organization click here:
As we start this new year we must reflect what we have learned from 2018 in order to make 2019 a success.
The Office for Civil Rights (OCR) has gained momentum in enforcing HIPAA violations. With that said HIPAA is an ongoing process and once is not enough. It is not considered done unless it is documented. At the annual conference this past year, the OCR admitted they are adamant on ensuring your patient’s information is protected. Therefore, you must document your compliance. If you say you did something, they will ask for your documentation. If you do not have documentation, you will be fined.
Companies located in United States are now required to adhere to the General Data Protection Regulation (GDPR) if they market goods and services to citizens of the European Union (EU). You must ensure the security of the data as well as inform visitors to your website how you intend to use their data. This must be clearly written in your privacy notice on website. This is not to be confused with your Notice of Privacy Practices that you give to your patients. If you plan on marketing to visitors from your website, you must offer them a free opt-out option. We could go on in more detail on this subject, but since many medical clinics do not market to international patients, you may contact us for more information.
Here are a few things to review and update as necessary:
Risk analysis and risk management plan, this is your documentation to demonstrate what risks you have (had) and how you have mitigated them or plan to mitigate them.
Replacing or updating any outdated technology, hardware and software require updates from time to time. You can be fined for utilizing outdated hardware/software that is no longer supported by the manufacturer.
Adding a second authentication process for access to ePHI as well as for online personal accounts.
HIPAA training, ensuring your employees understand how to protect your data is also part of this training.
Making sure you have all of the necessary privacy and security policies, procedures, and forms in place. This means reading and dating them to demonstrate they were actually implemented.
Retaining your documentation for the required time limit, including correspondence with patients that are considered to be part of their medical record.
Reviewing your website, determining if your site collects any data and how it is transmitted and stored.
If you see something in your workplace that looks suspicious, tell your HIPAA Compliance Officer, you could be the one to prevent a data breach or stop a data breach from becoming a major breach (over 500 patient records). Keeping data secure is everyone’s business. Being mindful of our surroundings and educating others helps all of us in this crazy world we live in now!
To find out more about how our automated HIPAA compliance platform can help your organization click here:
What do you know about HIPAA enforcement? Just imagine you were investigated by CMS or the OCR, what would they find? How confident are you in your medical and/or HIPAA documentation? Do you have the appropriate documentation to protect your organization?
The Office for Civil Rights (OCR) is very serious about ensuring your organization is educating employees on patient rights and securing PHI. During a recent investigation in Florida an organization was fined $100K for each year they could not produce documented HIPAA training. The first year they only had 3 employees! They were fined for five years, $500K. Once you are under investigation, they review ALL of your documentation, not just what they originally requested. You do not want to end up being in the willful and wanton neglect category. This is where the big fines are calculated.
If you have a patient complaint or suffer a data breach, the best advice is to document, document, AND document! OH, did I mention… DOCUMENT? Next, cooperation. If they ask for something, give it to them. Nothing more, nothing less, but give them what they ask for. Show the OCR you are trying to do the right thing. After all, how would you like it if the information that was compromised was yours? Wouldn’t you want the organization to do what they could to stop the breach or prevent another one from happening?
Remember the MD Anderson in Texas fines? They had multiple devices lost containing unencrypted ePHI. They claimed that they were not obligated to encrypt its devices, and stated that the ePHI that was involved was for “research,” and thus was not subject to the HIPAA non-disclosure requirements. They challenged the OCR and the Judge ruled in favor of the OCR and MD anderson was ordered to pay $4,348,000 in civil money penalties. The quote from OCR Director Roger Severino: “OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations”.
At the NIST/OCR conference in Washington DC, the director along with other members of the OCR staff reminded organizations about enforcement. This is NOT going away. Patient information is extremely valuable to criminals. The days of just a slap on the wrist because you didn’t conduct risk assessment, conduct HIPAA training, or you can’t prove your HIPAA compliance is over. Every organization that has anything to do with patient information must get on board and understand HIPAA. There is NO certificate to prove you are HIPAA compliant, the proof is in your documentation. So I ask one more time… How well do you trust your HIPAA documentation?
To find out more about how our automated HIPAA compliance platform can help your organization click here:
January 15, 2020
