May 27, 2020

You can shred it, burn it, use it as a paperweight – we don’t really have a preference – but by all means, it’s time to move on from your outdated physical HIPAA manual. When trying to comply with HIPAA regulations, it may seem counterintuitive to roast s’mores over your documented privacy policies and procedures, but now is the perfect time to grab that massive HIPAA binder that hasn’t been touched in years and toss it out with yesterday’s newspaper.

Technology has paved the way for increased efficiency within medical practices. The days of thumbing through filing cabinets have given way to databases providing instant access to everything your practice may need. This transformation provides countless benefits for both practices and patients, just as modernization has benefited HIPAA regulations. The medical industry, among others, continues to move towards more ‘paperless’ operations – including that bulky, cumbersome HIPAA manual most often left collecting dust in a closet within your practice.

Despite these advances, many practices are still relying on a physical binder or other paper-based resource to keep track of their HIPAA compliance policies and procedures. In fact, many may still think that a paper manual is the only way to meet HIPAA requirements. While a paper manual would be a valid source of documentation should your practice ever experience a data breach or audit, HIPAA regulations don’t specify the need for a physical or paper copy of your documentation. In fact, there are many benefits to taking your stack of unused papers into the electronic realm. An electronic binder (especially one through a cloud-based software provider) offers a number of benefits, including:

There is a lot that comes with maintaining HIPAA compliance – and the biggest hurdle many practices face is having proper documentation of this culture of compliance.
If your practice has put in the hard work to complete your risk analysis, documenting that work properly and in an accessible format is essential. In fact, 83% of practices that were audited by the OCR in 2019 did not have a properly documented security risk analysis. This is in part due to outdated paper policies that don’t fit the practice’s current structure or procedures. An electronic and continually updated HIPAA ‘binder’, in contrast, fulfills all HIPAA regulations and requirements around documentation.

COVID-19 has had a large impact on HIPAA enforcement and regulations, and many practices have begun utilizing telehealth services as well as implementing new policies and procedures surrounding cybersecurity during newly remote operations. All of these changes and updates to your practice’s work with PHI, even if only temporary, must be documented properly within your HIPAA manual. Having an electronic version of your manual means going in and updating it with a few clicks of a button – saving your practice time (and paper) during an already turbulent period.

If your practice has always had a paper HIPAA binder, moving to an electronic manual that offers all of the above features may be easier said than done. That’s where a HIPAA compliance software solution, like Abyde, comes in: it ensures your HIPAA program is up-to-date with any new changes to HIPAA or state-specific laws, with dynamically generated policies and procedures built specifically for your practice – providing much more than just an updated version of your HIPAA manual. If your practice has been stuck on paper, let us show you how going electronic can save you hours of HIPAA headaches.
What the CISA Wants You to Watch For
May 21, 2020

Cyber threats in general, but especially those affecting healthcare organizations, have been a hot topic of discussion over the past few months. Recently, the Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI) and the Office for Civil Rights (OCR), provided guidance on the most common technical vulnerabilities that have been exploited during 2020, and in particular during COVID-19. We know you’ve had a lot of information thrown your way lately, so to keep your practice up to speed and help you stay ahead of new vulnerabilities, here’s a brief overview of the bulletin’s highlights:

As organizations begin to go back to work, it’s important to know that, much like COVID-19 itself, these cyber threats won’t just go away. Properly educating your employees on good cyber hygiene, doing routine checks and updates on security safeguards, and continuing to be on the lookout for any potential threats are vital to keeping your practice protected. Certain things your practice should be implementing right away are:

For more information on the government’s guidance, along with the mitigations provided to assist in ensuring the security of your practice, view the full bulletin here.
We Know You Want to Get Back to the Office – Here’s How
May 14, 2020

Is working in your living room with your pets/kids/significant other driving you crazy yet? Us too – but here’s why a measured approach to returning to the office is important.

2020 has been anything but predictable, and it’s hard to speculate exactly what life after COVID-19 is going to look like – or how soon we’ll get to the point we can call ‘after’. Some healthcare practices, along with other businesses, have started reopening their doors, but with how much has changed over the course of the past few months, it’s easy to find yourself wondering which way is up when it comes to easing back into life outside of the bubble we’ve been living in. As many organizations transition back from working at the kitchen table in pajamas, the question of “is it safe to bring employees back into the office?” is not taken lightly. Practicing social distancing, wearing protective face masks, and self-isolating if you have any potential symptoms are all preventative measures that we should anticipate continuing for the foreseeable future. If your practice is considering bringing employees back into an office environment to continue offering medical services, here are a few things to consider:

1. Limit Employee Risk in Returning to Work

Healthcare personnel, whether they have been on the front lines during the pandemic or not, have been and will continue to be at risk of contracting or spreading the virus. The CDC has issued several strategies for how healthcare providers can determine whether their staff members can safely return to work, based on monitoring for symptoms over the recommended period of time along with COVID-19 testing. Some businesses have discussed screening employees for the virus prior to returning to work to ensure a safer work environment, yet this approach must still take into consideration HIPAA privacy rules regarding the release of testing results to businesses. The HIPAA Privacy Rule allows healthcare providers to disclose patient information to employers only if the patient gives written consent authorizing the release or if the testing falls under HIPAA’s workplace medical surveillance exception. If the employer pays for the testing, they are eligible to receive information about when the testing occurred but, importantly, not the results of the test. Whether you decide to engage in testing or not, make sure that any PHI generated as a result of testing still follows HIPAA guidelines for privacy and security.

2. Prepare for Limited Waivers to Expire

HIPAA has been a headlining topic throughout the pandemic as the CDC has been constantly updating regulations and enforcement discretions to best mitigate health risks to the public. Good-faith provisions for disclosing PHI, as well as limited waivers for telehealth usage, were among the top changes to HIPAA, but as highly emphasized in each waiver, these discretions only remain in place for the duration of the public health emergency. It’s important for healthcare providers to continue to keep HIPAA compliance a priority, especially as waivers begin to lift, and to be fully prepared to return to normal enforcement. If your practice has been using telehealth to continue seeing patients, for example, and you might continue to use telehealth even after a return to ‘normal’ operations, it’s essential that you utilize a vendor who offers HIPAA-compliant video communication services, and that you get a proper Business Associate Agreement signed with your vendor.

3. Ensure Remote Data Collection is HIPAA-Compliant

You are probably already aware that PHI cannot simply be sent in an email. As many practices have sought new ways to manage remote operations and limit physical interaction, the same encryption and security standards your practice used to send PHI before COVID-19 must still be applied. If your practice is considering collecting more patient information or insurance information electronically instead of on a physical form or insurance card, make sure you are utilizing a secure system, like a patient portal or encrypted email server, to transfer any sensitive data.

4. Consider Reviewing Passwords and Security Processes

Over the course of the pandemic, cyber-attacks have been a looming threat, especially to healthcare practices. While working from home played a large role in enabling hackers to access protected information through less-secure networks, it’s important not to lose sight of these concerns even when you go back to your office. Continuing to look out for common scams, and knowing how to identify and respond to a potential threat, will always be important to ensuring the security of your practice. After returning to the office, consider changing any passwords or login information that may have been compromised during remote work, and update your security software to the best possible protection. Review the devices used for remote work to determine whether any further action is needed to ensure proper security if you are still working in part remotely.

With everything that 2020 has thrown our way, being confident and prepared in your ability to get your practice back up and running in a safe and HIPAA-compliant manner will make all of the difference in the transition – and help make the rest of the year a little less stressful than the start.
Who Qualifies as a Business Associate?
May 8, 2020

As a business owner, you know there are a lot of elements that go into running a successful healthcare practice. It’s common to have third-party companies assist with everything from accounting, to document disposal, to managing remote operations through cloud sharing and telehealth services. These vendors may be a big part of keeping your practice running smoothly. While you may already do a fantastic job of checking your contracts with these vendors – your terms of service, payments, etc. – where many practices fall short is in reviewing the vendor’s obligations to protect your sensitive patient information.

As a healthcare provider, your practice functions as a covered entity, and any vendor that comes into contact with PHI in the process of working with your practice becomes a Business Associate (BA). Not all companies that your practice hires come into contact with PHI, so how do you know who exactly qualifies as a Business Associate? HHS defines a Business Associate as any organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Some examples of Business Associates include:

Once you determine who is considered a Business Associate to your practice, you must then institute formal agreements to ensure your practice and your third-party vendors are properly protecting the security of your patient information. This agreement highlights the specific elements of HIPAA compliance that should be followed by both you and each of your Business Associates, including:

Even if a vendor comes into contact with your PHI only once, it’s better to play it safe and have the proper agreements in place – just that one instance could be the catalyst for a breach of PHI. Not having the proper Business Associate Agreements in place has been the cause of hundreds of HIPAA violations. One case, in particular, cost a medical practice in Utah a $100,000 settlement on top of a two-year corrective action plan. The practice filed a complaint against their EHR company, who allegedly had been blocking access to patients’ ePHI. Although it might seem like the practice was a victim in this situation, the OCR found that there was no Business Associate Agreement in place – leaving the liability solely on the practice’s shoulders.

Data breaches, cyber-attacks, and improper handling of PHI can happen to your practice at any time, as well as to the companies you work with – especially when operating remotely or bringing on new vendors to help manage operations. Ensuring that you have the proper agreements in place is vital not only in protecting your patient data but in offsetting the liability of your practice in the case of a breach. A software solution like Abyde makes this process a whole lot easier with a Business Associate Portal that automatically generates formal agreements with all the proper policies and procedures in place – taking the stress of HIPAA compliance off you and your vendors.