A Patient’s Right of Access is still an issue for many Covered Entities

By Suze Shaffer

February 15, 2020

Many covered entities struggle to understand what is “right of access” for individuals. Under HIPAA and the Omnibus Rule, a patient has the “right” to request a copy of their medical record in the format of their choice (if available). What this means is, a medical provider is not required to purchase special equipment or software to meet these requests. With that said, if a patient requests a CD or DVD of their medical records and you do not have a DVD drive, you would not necessarily be required to purchase one. Keep in mind, DVD drives are only about $25 and it would not be unreasonable for a practice to purchase one. Of course, the ideal situation would be to direct the patient to your EHR portal and download it themselves. However, you can’t require them to do so.

When a patient requests the right to access their PHI (protected health information), be sure to have the patient sign a written request and make note of the date. A provider has 30 days to supply the patient with this information. To extend the time, the covered entity must, within the initial 30 days, inform the individual in writing of the reasons for the delay and the date by which the covered entity will provide access. Keep in mind, only one extension is permitted per access request.

The next area of confusion is the fee limitation. Copying fees for medical records are set by individual states and typically refer to the cost of labor, printing, and delivery of paper or electronic data. The labor fee does not permit the provider to charge for the preparation of the data but labor costs could include skilled technical staff time spent to create and copy the electronic file, such as compiling, extracting, scanning and burning [PHI] to media.

The Flat Fee rate option is not cap, merely an option rather than calculating the actual cost of labor and printing. Many providers are utilizing this method since it is easier than calculating the actual costs.

On January 23, 2020, a federal court vacated the “third-party directive” within the individual right of access “insofar as it expands the HITECH Act’s third-party directive beyond requests for a copy of an electronic health record with respect to PHI (protected health information) in an electronic format.” Additionally, the fee limitation set forth at 45 C.F.R. § 164.524(c)(4) will apply only to a patient’s request for access to their own records, and does not apply to a patient’s request to transmit records to a third party.

https://www.hhs.gov/hipaa/court-order-right-of-access/index.html

If you would like to read the Memorandum Opinion from the United States  District Court in the case  Ciox Health LLC vs Alex Azar:

https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2018cv0040-51

We hope this will help clear up any misconceptions when it comes to a patient’s right to access their medical information.

If you would like more information, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

Patient Data is a Hot Commodity

 

By Aris Medical Solutions

 

Health care organizations are now a primary target since they are the custodians of patient data and a plethora of information. The reason patient information is sought after so much is because it can be sold on the black market for a decent price. Social Security Numbers also have a longer shelf life unlike credit card numbers. Therefore it is imperative that any company or person that is involved with healthcare data do what they can to protect their computers and/or network.

Criminals are diligent in trying to gain access to these valuable databases. They can get into your network through social engineering, malware, and mobile devices to name a few. Sadly, most attacks go undetected for months, sometimes even a year unless it is ransomware when you are “notified” immediately!

Under the Security Rule, all entities that work with Protected Health Information are required to conduct a Risk Analysis to uncover any potential vulnerabilities. Then they must create a Risk Management plan to correct those deficiencies. Although most of the “technical” standards are addressable and not required, this does not mean optional. All covered entities and business associates must have reasonable and appropriate safeguards in place to protect their data. Aside from your normal IT services, we believe it will only be a matter of time before network security audits will become mandatory. Keep in mind your Policies and Procedures are still the backbone of HIPAA Compliance.

So what can you do to protect your data and your organization?

  1. Conduct a security risk analysis
  2. Mitigate the vulnerabilities that are discovered
  3. Request a third party network security audit
  4. Request documentation that your business associates are HIPAA Compliant
  5. Continual EDUCATION!

These are just some of the basics that you should implement. For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467 or click here to contact us.

“Protecting Organizations through Partnership, Education, and Support”

October is National Cyber Security Month

 

By Aris Medical Solutions

magnifying glass laptop scam

This annual campaign is to raise awareness about cyber security. We live in a world that is more connected than ever before. The Internet touches almost all aspects of everyone’s daily life, whether we realize it or not. National Cyber Security Awareness Month (NCSAM) is designed to engage and educate public and private sector partners through events and initiatives to raise awareness about cyber security, provide them with tools and resources needed to stay safe online, and increase the resiliency of the Nation in the event of a cyber incident.

https://www.dhs.gov/national-cyber-security-awareness-month

Did you know… that 2 out of 3 people have experienced a tech scam within the last 12 months?

Did you know… nearly 1 in 10 people have paid money to a scam?

Do not let anyone you do not know gain access to your computer… Scammers call people and either offer them a free scan or tell them there is a new virus out and they are probably infected. These scammers almost always have the sense of urgency and try to pressure you to “Do-it-Now”.
Don’t do it! Most of us are the ones that allow the scammers in. Either by answering the phone or clicking on a link in an email. Social engineering is at an all time high and WE are the ones that are giving OUR money away!

Add security to your login… passwords are the most common authentication tools used today, and they are the easier to hack. Always use a two-step authentication process whenever it is offered. There are many solutions available. Biometrics, security keys, and one time use codes that are text to your cell phone.

Did you know… you can pick up malware by merely visiting a website? Covered Entities and Business Associates have to be especially diligent in keeping their network systems clean and protect patient data. HIPAA Compliance begins with solid HIPAA Policies and Procedures but it also includes Technical Safeguards that are needed.
Here are some suggestions to help keep your network clean and safe:

  • Limit administrative privileges to those who really need it and only sign in as the administrator when needed
  • Limit users to specific work hours and block after hours usage if possible
  • Perform a network security audit at a minimum annually
  • Perform routine physical inventory and ensure unauthorized devices are not connected to your network or computers
  • Keep anti-virus and anti-malware software up to date
  • Web surfing should not be permitted with any device that accesses or stores Protected Health Information (PHI)
  • Change default passwords on all technology devices

This excerpt was taken from the Office for Civil Rights (OCR):

Did you know that your file transfer protocols may be particularly vulnerable to cyber-attacks?
FTP (file transfer protocol) is a standard network protocol used to transfer computer files on a computer network. A type of data storage device, called a network-attached storage (NAS) device, started becoming victim to a serious type of malware which exploited the FTP service available on FTP servers, including FTP services available on NAS devices, beginning this year. NAS devices connect to a computer network and provide a way to access data for a group of persons or entities.

According to a recent report by Softpedia, Sophos, a computer security firm, gathered telemetry data that indicated 70 percent of a certain vendor’s NAS devices connected to the internet were infected with a malware variant called Mal/Miner-C (also known as PhotMiner). Sophos researchers claim that out of 7,000 of these NAS devices connected to the internet, 5,000 were infected with this malware by cybercriminals who also collected $86,000, in cryptocurrency like bitcoin and monero, from cryptocurrency mining related to this attack.

Allegedly, the malware variant appeared in the beginning of June 2016. A report revealed that the malware was targeting FTP services, such as those available on NAS devices, and spreading to new machines by attempting to conduct brute-force attacks using a list of default credentials. Also, the researchers claim that a design flaw regarding the use of public folders on certain NAS devices permitted the Miner-C malware to more easily copy itself to the public folders.

The Mine-C or PhotoMiner (the malware) tricks users by copying files to the public folders that resemble a standard Microsoft folder icon. Once the user clicks on the folder, s/he activates the malware variant, and it installs the malware on the victim’s laptop, desktop, or other computing device. The malware allows cybercriminals to generate cryptocurrency (i.e., bitcoins, monero) by “mining”. Cryptocurrency mining exploits computer processing power to solve difficult math problems. Essentially, attackers are rewarded with cryptocurrency for the amount of math problems they solve.

This type of malware can affect an information system’s performance by eating up a system’s computing power, and slowing down other system processes.
For more information on how Aris Medical Solutions can help your organization call 877.659.2467 or click here to contact us.

“Protecting Organizations through Partnership, Education, and Support”

OCR clarifies amount that can be charged for copies of PHI

 

By Aris Medical Solutions

 

The Office for Civil Rights (OCR) announced the clarification in the Fact Sheet they released earlier this year. The maximum amount that can be charged for patients that request a copy of their Protected Health Information (PHI) under the right of access is not $6.50. Rather, charging a flat fee not to exceed $6.50 is an option available to those entities that do not want to go through the process of calculating the actual or average costs for requests for electronic copies of PHI maintained electronically. Entities may choose the fee calculation method that is most appropriate for their circumstances, of course within the boundaries of what is permissible under the Privacy Rule.

The new FAQ may be found at: New Clarification – Up to $6.50 Flat Rate Option. Additional information regarding permissible fees and other aspects of the individual right of access may be found at: http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html
Contact Aris Medical Solutions at 877.659.2467 or click here to find out how we can protect your organization.

“Protecting Organizations through Partnership, Education, and Support”

©2021 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC