Did you know that you could be fined based on the practices of your HIPAA business associates?
Any business associate who receives your patients’ Protected Health Information (PHI) is subject to all Health Insurance Portability and Accountability Act (HIPAA) regulations. Your billing service, telephone answering service, accounting firm and collection agency, to name a few, all must be HIPAA compliant.
This significant expansion of HIPAA is the result of the Health Information Technology for Economic and Clinical Health (HITECH) Act passed by the United States Congress in February 2009. The HITECH Act Security Rule requires reasonable assurance of the confidentiality, integrity and availability of Electronic Protected Health Information (ePHI) in three key elements:
- Administrative Safeguards — security management process, security personnel, information access management, workforce training and management and evaluation.
- Physical Safeguards — facility access and control, workstation and device security.
- Technical Safeguards — access control, audit controls, integrity control and transmission security.
Failure to comply with the HITECH and HIPAA regulations can cause severe financial penalties reaching up to $1.5 million for you and your practice.
Click here to read about recent case studies and penalties.
If your office becomes aware of a HIPAA breach made by your business associate, you are required to take reasonable steps in correcting the violation. In the event that such steps are unsuccessful, then you must terminate your business associate agreement.
To avoid having to terminate contracts or find other business associates, we highly recommend surveying your business associates’ HIPAA compliance processes. Here are a few examples of questions to ask:
- What are your policies and procedures protecting against the use or disclosure of PHI?
- Has your staff received training from a HIPAA professional?
- Are all vendors associated with your business associates HIPAA compliant?
- Do you have all of the necessary resources to remain HIPAA compliant?
As a telephone answering service serving hundreds of medical clients in many different states, we have developed strategies and skills which allow us to comply with HIPAA and to expertly serve our diverse clientele. Our commitment to training and education to better serve our clients has produced our Certified Medical Operator Program, a multitude of HIPAA related resources and easy-to-use, HIPAA compliant apps. Our hope is that you and your office can adopt some of these tools to make your life a bit less complicated and allow you more uninterrupted leisure time.
Why Perform a HIPAA Privacy Risk Assessment?
The best answer to this question may be obvious…but it’s the law! Aside from that, there are several good reasons to perform a HIPAA Privacy Risk Assessment in your office. A risk assessment can help you to identify where your Protected Health Information (PHI) lies in your organization. From equipment to files, there is PHI being stored everywhere, so protect yourself. Here are three good case studies from our blog that are perfect examples of why you must perform a risk assessment:
PHI for Personal Gain
A licensed practical nurse (LPN) pled guilty to wrongfully disclosing a patient’s health information for personal gain. The woman faces a maximum of ten (10) years imprisonment, a $250,000 fine or both. She had shared the patient’s information with her husband, who then contacted the patient and told him that he was going to use the information against him in an upcoming legal proceeding.
Continue reading to find out more and how it affects you.
Employees & Facebook
A temporary employee at a California hospital posted a picture of someone’s medical record to his Facebook page and made fun of the patient’s condition. Details of the health data breach indicate that the temporary employee, who was provided by a staffing agency, shared a photo on his Facebook page of a medical record displaying a patient’s full name and date of admission.
Continue reading to find out more and techniques on how to prevent a breach.
Fined $100K for Calendar
A five-physician practice became the first small practice to enter into a resolution agreement that included a civil money penalty over charges that it violated the HIPAA Privacy and Security Rules. A complaint was filed alleging that the practice was posting surgery and appointment schedules on an Internet-based calendar that was publicly accessible.
Continue reading to find out more and find out if you are at risk.
Don’t let your office be another case study. Talk to our experts at Dexcomm to discuss additional privacy safeguards to help protect against a breach, or our HIPAA Remediation Services.
For more information on HIPAA Risks:
Emergency Preparedness, HIPAA and Medical Records
Generally speaking, government legislation allows permissible disclosures that covered entities must make to respond to patients during times of crisis. For example, did you know that health plans and health care providers may disclose prescription information and other health information to other health care providers at shelters to facilitate the treatment of evacuees?
The use of Business Associate Agreements as a part of your Emergency Preparedness Plan is also strongly encouraged. Click here for guidelines and a sample version of an agreement.
Providers and health plans covered by the Privacy Rule can share patient information in the following ways:
TREATMENT – Health care providers can share patient information as necessary to provide treatment.
NOTIFICATION – Health care providers can share patient information as necessary to identify, locate and notify family members, guardians, or anyone else responsible for the individual’s care of the individual’s location, general condition, or death.
- The health care provider should get verbal permission from individuals, when possible; but, if the individual is incapacitated or not available, providers may share information for these purposes if, in their professional judgment, doing so is in the patient’s best interest.
- Thus, when necessary, the hospital may notify the police, the press, or the public at large to the extent necessary to help locate, identify or otherwise notify family members and others as to the location and general condition of their loved ones.
In addition, when a health care provider is sharing information with disaster relief organizations, like the American Red Cross, that are authorized by law or by their charters to assist in disaster relief efforts, it is unnecessary to obtain a patient’s permission to share the information if doing so would interfere with the organization’s ability to respond to the emergency.
IMMINENT DANGER – Providers can share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public — consistent with applicable law and the provider’s standards of ethical conduct.
FACILITY DIRECTORY – Health care facilities maintaining a directory of patients can tell people who call or ask about individuals whether the individual is at the facility, their location in the facility, and general condition. Of course, the Privacy Rule does not apply to disclosures if they are not made by entities covered by the Privacy Rule. Thus, for instance, the Privacy Rule does not restrict the American Red Cross from sharing patient information.
For more emergency preparedness tips and techniques, click on the resources below.
U.S. Department of Health & Human Services. (n.d.). Disclosures for Emergency Preparedness – A Decision Tool. Retrieved November 12, 2012, from U.S. Department of Health & Human Services: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/emergency/decisiontoolintro.html
As scary as it might seem, your medical practice may encounter a privacy violation. So, what do you do if you discover a HIPAA breach? Our Dexcomm Experts have put together a guide on what to do if you discover a HIPAA breach.
01 Gather Information
Ask who, what, when, where, how. Who was it disclosed to, how was it disclosed, when was it disclosed, etc.
Click here for Dexcomm’s Accounting for Disclosures Form
02 Make Contact
Relevant parties may include patients, employees, authorities, media and the Secretary of HHS.
Click here for Dexcomm’s HIPAA Breach Who & When to Contact Guide
03 Define Resolution
In cases where breaches happen, the medical office must communicate steps to prevent them from happening again. The HIPAA Security Rule also requires that you communicate this information to the relevant parties.
Document each step you took to resolve the HIPAA breach.
Click here for Dexcomm’s Documentation Form
For more information on HIPAA threats and breaches click on the eBook or @sk the Expert!
With the use of mobile devices on the rise, security is a hot topic in the HIPAA world these days. Recent fines of $1.5 million were imposed on a Massachusetts infirmary and another $1.7 million on an Alaska-based medical facility for failing to protect PHI on unencrypted laptops and storage devices. It is imperative that medical practices face the fact that having a mobile risk management strategy to protect themselves is vital. A mobile risk management strategy is defined as a set of guidelines that help businesses determine the risks that come with using mobile devices and provides steps to lessen the likelihood of a breach occurring.
These cases prove that even relatively small HIPAA breaches can lead to big fines. But less than half of IT executives have a formal mobile device management strategy in place. Bob Violino with Computerworld says that it is not only important for small medical practices to have mobile device management strategies in place but also for associated vendors as well. He says that technology plays a huge role in helping IT departments manage devices and maintain security. Organizations rely heavily on systems such as BlackBerry® Enterprise Server, Microsoft Exchange Server and mobile device management technology from AirWatch to safeguard mobile devices such as Apple® iPads and iPhones, Android™ smartphones and RIM BlackBerries. In addition to deploying security technologies, companies are developing policies on appropriate use of mobile devices. Click here to read the full story.
To avoid an incident at your own organization, continuously monitor safeguarding policies and procedures, train employees, update equipment and keep up on current government rules and regulations. Our Experts at Dexcomm suggest:
Don’t let your small medical practice be a headline. Click here to read Dexcomm’s full eBook on HIPAA and Mobile Devices.
The Office of the National Coordinator for Health Information Technology’s Office of the Chief Privacy Officer has released its first web-based security training module, CyberSecure: Your Medical Practice.
Finally, a fun approach on training your medical staff on HIPAA! The gamification program, developed by ONC, uses a format that requires users to answer gaming questions based on privacy and security challenges that take place in typical small medical practices. Users have the opportunity to respond, earning points for correct answers and facing penalties for incorrect answers.
Protect your medical practice by making HIPAA training fun for you and your staff by providing HIPAA gamification as the solution.
Click here to start the game. Then, let us know what your score was!
The two final rules for HITECH Stage 2, Electronic Health Record Incentive Program, which address encryption and other privacy and security issues, were released on the Federal Register Electronic Public Inspection Desk recently. The two rules for Stage 2 HITECH ePHI Incentive Program that eligible professionals (EPs), eligible hospitals, and critical access hospitals (CAHs) must meet in order to qualify for Medicare and/or Medicaid electronic health record (EHR) incentive payments are:
1. Meaningful EHR User – participants must address encryption/data security while performing a risk analysis.
Our Dexcomm Experts have developed a complimentary eBook, HIPAA Threats and Breaches, to help you navigate risk analysis and recovery; click here to find out more.
2. Software Certification Rule – requires that EHR software be designed to encrypt, by default, electronic health information stored locally on end-user devices.
Hospitals and physicians must use electronic medical records to qualify for a second round of Medicare incentives (payments), beginning in 2014. If the medical practice wants to participate in Stage 2 of the HITECH Act incentive program, the software that the medical practice uses must pass Stage 2 software certification. The only action a small medical practice can take is to request from their software vendor that the EHR software meet the certification rule, or to switch software packages. Click here to read the full story.
Dexcomm Gets HIPAA, Get It From Us!
HIPAA Case Study
A recent appellate court ruling in Florida may be the first to pave the way for a U.S. class action lawsuit involving health information data breaches to move forward to trial. This case involves the theft of unencrypted laptops from an insurance company’s corporate offices which contained data on 1.2 million health plan members.
If this case is certified by the court as a class action and is not settled before going to trial, it could be the first U.S. class action health data breach suit that goes to trial. The suit is based on the fact that not only is the victims’ protected health information now unsecured, but they are extremely vulnerable to identity theft. If this case is certified by the courts as a class action lawsuit, any unencrypted data may end up costing more than anyone ever anticipated. But who really pays the costs? The insurance company faces huge fines and legal fees, but what secondary costs will small medical practices and consumers face? This case proves again that trust is out the window: encrypt your data, or you could be the next headline.
Our experts at Dexcomm have developed resources to help protect you:
Prevent your Mobile Devices from causing a HIPAA Violation
What does HIPAA consider to be a mobile device?
HIPAA Threats & Breaches
Click here to read the full story from Data Breach Today or Healthcare Info.
In this case study, our HIPAA Experts review threats and breaches. In May of 2012, a HIPAA covered entity notified the California Department of Social Services (CDSS) that personal information for more than 700,000 homecare providers and recipients was lost in the mail. The entity, which handles the payroll data for workers in California’s In-Home Supportive Services program, shipped information including Social Security numbers to another office, where it arrived damaged and incomplete.
“It’s hard for us to believe that in one of the largest states in the union, we’re using such an antiquated system,” said Steve Mehlman, a spokesperson for a labor union representing homecare workers. “It clearly needs to be modified.”
The package was mailed on April 26th and arrived at the Riverside Office on May 1st. The state was notified a week later, according to a post on a state website.
In September 2009, the Health and Human Services’ Office for Civil Rights (OCR) began tracking healthcare information breaches affecting 500 or more individuals. Since then, 489 breaches affecting 21 million individuals have been recorded. OCR began tracking breaches in 2009 as part of the HITECH Act-mandated HIPAA breach notification rule. Federal officials have said that a final version of the breach notification rule will be issued by the end of the year as part of an omnibus package of regulations that will include HIPAA modifications.
One of the most recent and largest breaches added to the OCR tally occurred at a multiunit healthcare facility in Mississippi. A statement released by the system’s representative and posted on their website indicates that they are committed to maintaining the privacy and confidentiality of their patients’ information at all times. During a review of their patient information system conducted in April of 2012, they became aware of a possible breach. Using a web portal, an employee of an affiliated physician’s office may have been accessing patient information that was intended for physicians’ eyes only.
This facility is one of the many healthcare providers auditing records access to clamp down on unauthorized usage. According to their HIPAA privacy/security officer, this hospital has reduced incidents of inappropriate access from 50 per month to fewer than one or two incidents every couple of months. The access monitoring system that the hospital uses is provided by FairWarning, a privacy breach detection service for healthcare providers. It provides alerts and daily reports on incidents of inappropriate access and allows the hospital to audit user activity simultaneously across all audit sources.
“Automated reporting alerts you to potential inappropriate activity within hours of occurrence, versus days, weeks, or months after occurrence,” the HIPAA privacy/security officer says. “This is vital for detecting possible breaches quickly, so subsequent investigations can be launched in a timelier manner.”
The constant modifications in HIPAA regulations and monitoring by OCR have made it vital for healthcare professionals to secure electronic protected health information (EPHI). The first step in safeguarding EPHI is to perform a risk analysis to determine the level of risk. In addition to providing training to employees and changing passwords routinely to prevent unauthorized access, healthcare professionals should also consider using an access monitoring system such as FairWarning. Healthcare organizations should also ensure that affiliates and IT vendors are HIPAA compliant.
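The access monitoring described above (portal audit records checked against who is actually allowed to see a patient, with alerts and a daily report) can be illustrated with a small script. The following is an added example written for this page; it is not FairWarning’s product, nor the hospital’s own system. The pipe-delimited audit format, the user and practice names, the patient identifiers and the care-relationship table are all constructed for the example and are not taken from any real records.

```python
"""Flag EHR portal record accesses that fall outside a treatment relationship.

Added illustration, not FairWarning's or any hospital's code. The audit line
format below is an assumption: ISO timestamp | user | practice | patient_id | action.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: which practices have a treatment relationship with a patient.
# In a real deployment this would come from the scheduling/registration system.
CARE_RELATIONSHIPS = {
    "P-1001": {"riverside-cardiology"},
    "P-1002": {"riverside-cardiology", "lakeside-family-med"},
    "P-1003": {"lakeside-family-med"},
}

# Constructed sample portal audit lines (assumed pipe-delimited format).
AUDIT_LOG = """\
2012-04-03T08:12:05|jdoe|riverside-cardiology|P-1001|VIEW
2012-04-03T08:15:41|jdoe|riverside-cardiology|P-1003|VIEW
2012-04-03T09:02:10|asmith|lakeside-family-med|P-1002|VIEW
2012-04-03T09:30:00|jdoe|riverside-cardiology|P-1003|PRINT
2012-04-03T11:45:22|asmith|lakeside-family-med|P-1001|VIEW
"""


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    practice: str
    patient_id: str
    action: str


def parse_audit_log(text):
    """Parse the assumed audit format into AccessEvent records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, practice, patient_id, action = line.split("|")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, practice, patient_id, action))
    return events


def find_inappropriate_access(events, relationships):
    """Return events where the accessing user's practice has no treatment
    relationship with the patient. Patients absent from the table are flagged
    too, so a missing record never silently hides an access."""
    return [e for e in events if e.practice not in relationships.get(e.patient_id, set())]


def daily_report(flagged):
    """Count flagged events per (day, user), the shape of a daily exception report."""
    counts = Counter((e.ts.date().isoformat(), e.user) for e in flagged)
    return {f"{day} {user}": n for (day, user), n in sorted(counts.items())}


def detection_latency(flagged, report_generated_at):
    """Hours between the earliest flagged access and when the report was produced,
    i.e. how far from 'within hours' a given reporting schedule really is."""
    if not flagged:
        return None
    earliest = min(e.ts for e in flagged)
    return (report_generated_at - earliest) / timedelta(hours=1)


if __name__ == "__main__":
    events = parse_audit_log(AUDIT_LOG)
    flagged = find_inappropriate_access(events, CARE_RELATIONSHIPS)
    for e in flagged:
        print(f"ALERT {e.ts.isoformat()} {e.user}@{e.practice} {e.action} {e.patient_id}")
    print(daily_report(flagged))
```

On the constructed log this flags three of the five accesses: two by jdoe on a patient whose only relationship is with a different practice, and one by asmith on a patient of the cardiology practice. The relationship table is the part that needs the most care in practice; it has to be refreshed from the scheduling and referral systems, otherwise a legitimate consult is reported as an incident.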
Our Dexcomm Experts have put together resources to assist you with HIPAA compliance
HIPAA & Your Business Associates
HIPAA Threats & Breaches
Dexcomm Gets HIPAA
For more on the case study