April 30, 2020 If you’re like most practices, you probably haven’t had the media knocking down your doors asking about sensitive patient information. But with the current public health emergency splashing patient stories across the web, healthcare organizations beware! Media outlets are on the hunt for positive cases of COVID-19, and it’s important to know the rules surrounding sharing protected health information (PHI) with the media if your practice gets caught up in the COVID-19 media wave.

In general, COVID-19 or not, HIPAA law prohibits healthcare providers from disclosing a patient’s PHI to the media unless either the patient or their personal representative authorizes the disclosure or the disclosure fits within a specific HIPAA exception. We all know how the public reacts when something makes headlines (recent toilet paper shortages, for example), which is why it is so important to protect your patients’ privacy – especially when it comes to the media.

Some basic rules of thumb to know when facing a situation that might involve the media and patient information are:

In any situation where disclosure of PHI is involved – the media included – the provider must ensure that all reasonable safeguards are in place to protect against any impermissible or incidental disclosures of patient information.

In the event PHI is shared, it must be kept to the minimum information necessary to abide by HIPAA law and protect the privacy of patients.

In one recent case, an allergy practice ended up in a HIPAA violation settlement after a patient of the practice contacted a local TV station regarding an incident at the practice; when the station contacted the practice for comment, the practice impermissibly disclosed the patient’s PHI. This discussion with the media cost the practice a $125,000 settlement on top of a two-year corrective action plan.

Some words of advice? If ever faced with a situation involving the media, don’t be blinded by the spotlight.
Avoid publicly reporting any patient PHI or disclosing information upon media request. Simply responding with “no comment”, or having staff reply that they are not authorized representatives and cannot speak on the practice’s behalf, could save your practice the hassle of dealing with major HIPAA violations and shelling out a big chunk of change.

A public health emergency, such as the current COVID-19 pandemic, brings some additional confusion regarding sharing information with the public in order to mitigate further health risks. This uncertainty has often led to impermissible media disclosures, such as a Detroit Pistons player’s COVID-19 diagnosis, which recently made headlines before he even had a chance to tell his own mother. Certain disclosures may be made to authorized organizations, but when it comes to sharing PHI with the media at large, it’s important to know what’s off-limits to best protect your patients’ privacy.
Are you breaking HIPAA appropriate access laws, and don’t even know it?
April 22, 2020 Giving out protected health information (PHI) to everyone and anyone who inquires? Sure, we know most medical practices are wise enough to understand this would be a severe violation of HIPAA compliance laws. Most healthcare organizations may also know the importance of antivirus software for computers, securing offsite data backups and other HIPAA best practices, but one area often overlooked is controlling the staff’s appropriate access to PHI and ePHI. Knowing the ins and outs of what is considered ‘appropriate access’ to patient data – i.e., giving only the access that is necessary for staff to complete their job functions and not carte blanche access to your data – can be confusing.

COVID-19 has made several HIPAA regulations even more complex, with thousands of healthcare workers across the nation transitioning to remote operations with reduced hours or even facing layoffs or furloughs. These operational changes have caused some additional confusion as to when a practice must change or limit employee access to PHI. Adding to the complexity is attempting to ensure all staff are following appropriate guidelines when remotely accessing ePHI. Due to knowledge and time constraints at most independent medical practices, this can be so daunting that it is largely ignored.

Access to patient records by staff must be limited to authorized business purposes only, regardless of the setting. Essentially, the only time an employee should view PHI is when it is necessary to effectively perform their job duties or with written permission from a patient. Some of these purposes include:

Accessing patient records for reasons other than those necessary to complete job responsibilities is not permitted (ever, COVID-19 or not) and is considered a violation of patient privacy. It is a requirement under HIPAA to maintain access logs for this very reason – to identify any inappropriate access to PHI.
Appropriate access isn’t just a best practice; it is a key part of the Privacy Rule under HIPAA and grounds for HIPAA fines if noncompliance is discovered. Recently, more than 50 employees at a hospital in Chicago were fired immediately after it was discovered that they had inappropriately accessed and viewed the medical records of an actor who had been treated at the facility. Nearly 80% of healthcare executives say that employee security awareness is among their greatest concerns – making it even more essential that staff members are properly trained on appropriate access policies.

If you’re currently working from your kitchen table in your pajamas (no judgment, us too), you may not be aware of the additional threat you now pose to the security of patient data. Remote work environments, while critical in today’s climate, introduce less secure home networks and fewer safeguards than you might find in your office. It becomes even more essential to mitigate new threats by ensuring your staff not only knows the appropriate ways to access data but is also accessing only the minimum amount of data necessary to complete their job responsibilities. You can read our recent article for additional tips on how to safeguard data while working remotely here.

Unfortunately, in the current economic climate, many healthcare organizations are resorting to furloughing staff. This can add unprecedented challenges for practices trying to control appropriate access to protected health information. Even if an employee will be returning to your practice, there should still be a process in place to limit their access to PHI while furloughed. Removing access can be done by revoking the employee’s login credentials to the practice’s EHR system, recollecting any key or keycard they were given, or taking other security measures deemed necessary to limit their exposure to sensitive patient data.
It’s important to keep in mind that any access removed can be restored when furloughed employees are brought back, but limiting access temporarily will help prevent unauthorized disclosures. Other helpful tips to keep in mind with appropriate access are:

Ensuring PHI is accessed only when necessary is essential to protecting medical practices and patients. Just as a practice doesn’t share financial information with all staff, sensitive patient data should have similar restrictions. During this difficult time, it is all the more important to have proper access policies and guidelines in place to guarantee the safety and security of patient data. Whether you are at home accessing PHI in your PJs or looking to the future when we’re all back in our offices once again, appropriate access is key to essential data privacy.
Prioritize Your Practice’s Disaster Recovery Plan
April 16, 2020 Having a documented disaster recovery plan is incredibly important for healthcare practices to implement in preparation for a data breach, cyber attack, or a public health emergency like COVID-19. A disaster can be defined as any event that compromises an organization’s operations, data, and network – and due to the current increase in cyber attacks during COVID-19, ensuring your practice is well prepared for any disaster with a proper contingency plan is all the more important.

You know what they say: always plan for the worst, and hope for the best. We’d like to hope your practice never has to put your disaster recovery plan into action, but it’s better to be safe than sorry, especially since it’s required by HIPAA law. The HIPAA Security Rule states that all healthcare practices must have a contingency plan in place to define the responsibilities of all staff members and the overall practice procedures to restore IT systems that contain PHI in case of any disruptive event. The requirements within a disaster recovery plan can seem a little daunting, which is part of the reason why it’s essential to have your procedures in place before a disaster happens. Now let’s break down what exactly you need for your contingency plan:

When it comes to your practice’s disaster recovery plan, having everything properly documented and planned ahead of time will make all the difference in your ability to restore data and respond to an emergency correctly. If your practice hasn’t created the right disaster recovery plan prior to a threat or event occurring, it’s always a good idea to immediately document and identify how your practice will respond, as quickly as possible. Even if you already had a documented disaster recovery plan, when an event does occur it is a great opportunity to revisit your existing plan and adjust any areas that need it to be as accurate as possible.

Feeling a bit overwhelmed? We have some good news for you.
Abyde’s comprehensive solution will take the guesswork out of knowing whether your practice is prepared. From documenting your risk assessment to generating policies and procedures specific to your practice, to a support team ready to assist you in the event of a disaster, with Abyde implementing your practice’s recovery plan won’t be stressful or time-consuming!
Technical Safeguards for Cybersecurity
April 10, 2020 HIPAA has been around for quite a while – since 1996, in fact – and part of HIPAA law has always included required safeguards to secure all aspects of a medical practice’s protected information. With the rapid adoption of technology within the healthcare industry, the technical safeguards included in HIPAA law are some of the most important for practices of all sizes to implement.

Technology has enabled businesses in the healthcare industry to move operations offsite. In light of the current public health emergency, allowing access to all essential data without having to set foot in the office is vital to ensuring practices are ready to see patients after the social distancing rules are relaxed. While these advancements simplify and enhance your business operations, they have made a hacker’s job that much easier as well.

Technical safeguards are the documented strategies and solutions that practices implement to secure electronic protected health information and control access to it. These include:

When it comes to the question of which data actually needs to be safeguarded, the answer is pretty much all of it. Any data that is accessed by, sent to or received from other practices or authorized vendors needs to be protected, as does any data containing traceable identification that can be linked to a patient. This sensitive data must be encrypted prior to sending or receiving. Encrypting data may seem like a daunting task, but at a basic level it just means making PHI unreadable to anyone other than the intended parties.

Recent Cyber Threats Tied to COVID-19

While ensuring your practice is prepared for a cyber attack is always important, cyber threats have been headlining the news a lot lately along with the current COVID-19 health emergency. Hackers are taking advantage of this time of increased public vulnerability, as well as the increased use of technology from unsecured networks while many people are working from home.
Read up on common tactics utilized in these threats in our recent article. Over the past few weeks, including just yesterday, multiple government agencies have issued warnings regarding recent threats to cybersecurity. These attacks range from individuals posing as government officials seeking access to PHI to various other phishing and malware distribution schemes that exploit the current concern and fear around COVID-19 as hackers try to get at your sensitive data. Further guidance can be found in the public service announcement released by the FBI and yesterday’s bulletin from CISA.

Hackers aren’t just attempting to play the roles of OCR investigators or focusing on sending you phishing emails – now your video teleconferences are at risk too. Video chat apps have become increasingly popular, whether for telehealth appointments, office meetings, or even just virtual happy hours with friends – it’s the best way to stay connected during this time of social distancing. Unfortunately, this added reliance on technology is just another way for scammers to attack. The FBI released additional guidance on defending against video-teleconferencing (VTC) hijacking and “Zoom-bombing”, which refers to attacks directly on the increasingly popular Zoom platform. Some noteworthy tips from this guidance include making sure your virtual meetings are private by requiring a password to gain access. Keeping these meetings private also means keeping them off social media or other public-facing platforms, so only provide meeting links directly to the individuals you want to be included. These attacks on video chatting software are especially important for medical practices to be aware of, as just a few weeks ago the OCR updated its telehealth service regulations, allowing doctors to use various communication apps to diagnose and treat patients while maintaining a safe distance.

Practicing Good Cyber Hygiene

When it comes to cybersecurity, it’s important to know what to look out for, how to report any potential threats, and most importantly how to keep your practice and your patient data safe. Just yesterday, CISA, the United States Department of Homeland Security (DHS), and the United Kingdom National Cyber Security Centre (NCSC) issued a joint release featuring additional guidance on how to spot potential threats. Important tips for safeguarding your practice’s security during this time of increased risk include:

There’s a lot of good ‘cyber hygiene’ advice out there, but here are a few top tips to keep your practice operations clean:

If you have questions about technical safeguard requirements, Abyde has a team of HIPAA compliance experts ready and willing to help navigate your practice through these recent changes. If your practice is interested in learning more, sign up for one of our complimentary HIPAA compliance webinars, where we’ll discuss HIPAA & COVID-19 from the comfort of your current remote work location.
Business Associates & Relaxed HIPAA Regulations During COVID-19
April 8, 2020 The Office for Civil Rights (OCR) has been very active this past month, going above and beyond to help mitigate the risk COVID-19 poses to public health privacy. Certain HIPAA regulations were updated in March to allow health care practices to better work with patients in need of healthcare services, as well as to provide guidance on how to best disclose PHI without risk of a data breach. In its latest announcement, the Office for Civil Rights has extended the same enforcement discretion to Business Associates.

When it comes to Business Associates handling PHI, there are obviously strict limitations to follow for the sake of still maintaining patient privacy. As clearly stated in the recent OCR bulletin, business associates are expected to follow the same guidance provided for health care providers when accessing or disclosing PHI during a public health emergency. Previously, these disclosures were only permitted if expressly stated within the Business Associate Agreement with the BA’s covered entity. In light of the current situation, there is a greater need to easily provide public health authorities and emergency operations centers with access to COVID-19 related PHI, and this bulletin reinforces Business Associates’ ability to share that information securely. Penalties for violations of certain provisions of the HIPAA Privacy Rule will not be imposed during this time, if and only if:

While this notice provides business associates with greater flexibility than some Business Associate Agreements allow for, that doesn’t mean that BAAs no longer matter. It should be noted that the relaxation of enforcement does not extend to any other requirements under HIPAA law, and business associates will still be held liable for any violations outside of this circumstance – provided, of course, a BAA is in place.
As a reminder, a Business Associate Agreement allows the covered entity to obtain “satisfactory assurances” that the business associate will “appropriately safeguard the protected health information it receives or creates on behalf of the covered entity.” This definition, straight from the HHS website, encompasses the need for BAs to agree in writing to the same standards the covered entity is held to. A BAA must be completed with any vendor or organization the practice sends any piece of PHI to or receives it from. Without a proper agreement in place, the liability for a security breach will fall on the healthcare provider.

Contrary to what most might think, HIPAA really is here to encourage providing access to and sharing of PHI, as long as it is done in the right ways and for the right reasons. OCR Director Roger Severino makes this abundantly clear in his statement following the updated bulletin: “Granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives.”

This latest bulletin is just additional proof that HIPAA compliance is of the utmost importance during the COVID-19 public health emergency. All eyes right now are on data being shared between multiple government agencies like the HHS, CDC and even the White House. With secure and efficient access to real-time data, those organizations will be able to make educated decisions on how to best interpret and utilize the sensitive data received and, in turn, secure the well-being of the public at large. We find it extremely comforting to know that by following the OCR’s recent HIPAA guidance, providers and business associates alike can play their part in stopping the spread of COVID-19.
Abyde joins forces with Florida Medical Association to deliver HIPAA compliance solutions in a time of need
April 8, 2020 CLEARWATER, FLORIDA – April 7, 2020 – Abyde, a user-friendly HIPAA compliance software solution for independent practices, today announced it has joined Florida Medical Association (FMA) as a preferred vendor to deliver comprehensive HIPAA compliance to FMA members.

In light of the evolving COVID-19 outbreak and recent shifts in HIPAA regulations, the need for practices to understand and implement HIPAA compliance practices is now more important than ever. Abyde’s collaboration with Florida Medical Association as a preferred vendor showcases collaborative efforts to help FMA practices meet this need, and to provide FMA members with essential tools to realize HIPAA compliance on an ongoing basis.

Abyde’s software solution is the easiest way for any sized medical practice to implement and sustain comprehensive HIPAA compliance programs. Abyde’s revolutionary approach guides providers through mandatory HIPAA requirements such as the Risk Analysis, HIPAA training for doctors and staff, managing Business Associate Agreements, customized policies and more.

“Joining Florida Medical Association as a preferred vendor is a testament to the value and simplicity providers have found with Abyde, and our joint commitment to helping providers realize HIPAA compliance when they need it most in a turbulent and stressful time,” said Matt DiBlasi, President of Abyde. “We are honored to be a part of Florida Medical Association’s repertoire of comprehensive solutions and to meet a growing need for their providers.”

“The Florida Medical Association is pleased to have Abyde as a preferred vendor, and we recognize the value and commitment Abyde has made to our members,” said FMA President, Ronald Giffler, MD, JD, MBA. “We look forward to working together to help our providers continue to excel in their fields.”

About Abyde

Abyde (Tampa, FL) is a technology company dedicated to revolutionizing HIPAA compliance for medical professionals.
Launched in January 2017, Abyde was formed with the idea that there could exist an easier, more cost-effective way for healthcare providers to comply with government-mandated HIPAA regulations. For more information on Abyde visit abyde.com.

About FMA

Founded in 1874, the Florida Medical Association is a professional association dedicated to the service and assistance of Doctors of Medicine and Doctors of Osteopathic Medicine in Florida. The FMA represents more than 25,000 members on issues of legislation and regulatory affairs, medical economics and education, public health, and ethical and legal issues. We advocate for physicians and their patients to promote the public health, ensure the highest standards of medical practice, and to enhance the quality and availability of health care in the Sunshine State. Read the full press release here.
March Recap: HIPAA Was Made for This
April 2, 2020 We know times are a little turbulent right now. Way of life in America looks a lot different at the end of March than it did at the beginning of the month. Most of us are now working from home, cleaning and washing our hands more than ever before and worrying about when stores will finally restock on toilet paper. And like many of us, healthcare professionals across the United States have been following the growing number of COVID-19 cases with great concern. It’s a looming reality that some have even been in contact with patients who have tested positive for the coronavirus.

However, when it comes to sharing sensitive medical information, there are many misconceptions that paint HIPAA laws as an obstacle rather than what HIPAA is intended to promote – the sharing of protected health information securely, efficiently and with the right people. What so many don’t understand is that HIPAA rules and regulations identify the right ways and the wrong ways of making sensitive information accessible – especially in times of crisis. Even during a public health emergency, HIPAA still applies – in fact, HIPAA law has included specific ways in which PHI can be shared in a health emergency pretty much since its inception. These regulations include an expanded ability to share PHI with those directly working on the public health threat, but still prohibit disclosures that are not secure, such as those to the public at large.

A great example of this is the recent news headlines featuring the names of well-known public figures testing positive. These individuals chose to share their diagnosis and spread awareness, but if diagnoses are made public without the required patient consent – like what happened to a Detroit Pistons player whose positive test made headlines before he had a chance to tell his own mother – HIPAA laws have been violated.
Media leaks are common, but sensitive health information should be handled with extreme care. HIPAA was built to mitigate public risk during a health emergency while still maintaining the privacy that all individuals deserve. Despite what you may have heard, HIPAA doesn’t make it impossible for you to know whether you’ve been in contact with an infected person – it just regulates the type of information that is shared. With misinformation and public anxiety swirling, read up on our simplified guidance on handling HIPAA during a public health emergency to learn more.

The OCR has also released several bulletins serving as both updates and reminders on HIPAA regulations to best meet the current needs of patient privacy. To make things a little easier, here’s a quick summary of recent bulletins regarding COVID-19:

With the constant news stories and anxiety around COVID-19, we know it can be tough to keep up with HIPAA on top of everything else. Yet as with any health-related event, HIPAA is key to protecting patients’ privacy and preventing other threats to patient data & security. In short, HIPAA is more important now than ever.