Do you know what it means to be HIPAA compliant?

Be careful what you post on your website, you could be charged for false advertising! Some HIPAA compliance companies want you to use their “seal” of compliance. It is great advertising for them, but does it put your practice at risk of an audit? Some say yes, and worse, you could be charged for false advertising from the FTC.

https://www.ftc.gov/news-events/press-releases/2021/02/ftc-gives-final-approval-settlement-emergency-travel-services

https://www.ftc.gov/system/files/documents/cases/c-4732_skymed_final_order.pdf

HIPAA is a moving target and at any given moment you could be “out of compliance” for something as simple as using a device that hasn’t been updated with latest security patch. Of course, you won’t get fined for that, UNLESS it causes a data breach. So, to advertise that your organization is “HIPAA Compliant” could put you at risk for false advertising.

It has always been all about “documentation”. The HIPAA rules clearly outline the requirements for policies, procedures, and documentation. If your organization has not been evaluating (§164.308(a)(8)) the technical and non-technical security measures you have in place on a regular basis, you are out of compliance. How do you know when to conduct these evaluations? This depends on your policies, and if you do not have a policy on this, you are out of compliance. As you can see, this can be very confusing! Did you know that 75% of the Security Rule is policies and procedures, and 25% is technical safeguards? With Public Law No: 116-321, it is all about your documentation.

If the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place that may:

(1) mitigate fines under section 1176 of the Social

        Security Act (as amended by section 13410);

(2) result in the early, favorable termination of an audit

        under section 13411; and

(3) mitigate the remedies that would otherwise be agreed

        to in any agreement with respect to resolving potential

        violations of the HIPAA Security rule (part 160 of title 45 Code

        of Federal Regulations and subparts A and C of part 164 of such

        title) between the covered entity or business associate and the

        Department of Health and Human Services.

Recognized security practices are those recommended in NIST and the Security Rule. Each organization must assess their environment and adapt “best practices”.

Most organizations think they are HIPAA compliant until they suffer a data breach, or a disgruntled employee / patient files a complaint against them. Then they are investigated by the Office for Civil Rights (OCR), unless they have proper documentation and have demonstrated best practices in data security, they may be fined up to $1.5M per violation.

This healthcare cybersecurity handout was created by the DHHS:

https://www.phe.gov/Preparedness/planning/405d/Documents/HICP-Main-508.pdf

If you need assistance in navigating the maze of HIPAA, complete the contact us form at https://arismedicalsolutions.com/contact/ or call 877.659.2467 and schedule a demo of Aris’ automated HIPAA compliance platform. Documentation has never been easier, and with our customer service, you will know what is required and how to handle situations that arise.

 

“Simplifying HIPAA through Automation, Education, and Support”

©2022 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC