June 18, 2020
We get it, the struggle is real. The moans and groans with HIPAA always seem to get louder when medical practices are faced with figuring out with whom and how sensitive data can be shared. Contrary to what many believe, HIPAA is all about properly sharing protected health information (PHI) – not preventing it entirely. Sometimes, a lack of confidence that internal policies align with best practices for sharing PHI securely can cause a practice to hesitate to send (or altogether not send) PHI to other parties requesting it, including other providers. Unfortunately, not acting in a timely manner and failing to comply with a request to share PHI with another provider can be a costly mistake.
Proper disclosure of PHI is highly regulated under HIPAA when it comes to sharing or receiving patient records from another practice, and there are consequences for sharing too much information – or not enough.
First, the HIPAA Privacy Rule does in fact permit a health care provider to share patient information for treatment and healthcare operation purposes without needing written patient authorization, as long as reasonable safeguards to protect the information are used. To clarify what the U.S. Department of Health and Human Services (HHS) considers as treatment and operation purposes, “Treatment means the provision, coordination, or management of healthcare and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.”
Some key notes on sharing PHI between providers:
Additionally, if a patient is the one requesting their records to be sent to another provider:
It’s time for providers to change their perspective on HIPAA, which is widely considered a restrictive set of laws and regulations. HIPAA is meant to be a guideline on how to securely and efficiently share sensitive and valuable data, not a barrier or inhibitor as so many see it now. Being able to do so will have positive effects on the healthcare industry as a whole and improve patient care for years and years. Don’t let the unknowns of HIPAA keep data from those who have lawful access to it, such as other providers or patients. Doing so is just as much of a HIPAA violation as sharing sensitive data with the wrong people.
Abyde joins Crystal Practice Management to expand HIPAA compliance among users
June 17, 2020
June 17, 2020, Tampa, FL – Abyde has announced a new partnership with Crystal Practice Management, an EHR and billing platform for optometrists, delivering Abyde’s industry-leading HIPAA compliance software solution to Crystal Practice Management users.
This partnership will provide Crystal Practice Management (PM) users with the tools necessary to implement a complete HIPAA compliance program, fulfilling essential, government-mandated HIPAA compliance requirements while streamlining providers’ time and resources spent on HIPAA. Abyde’s collaboration with Crystal PM showcases their mission to revolutionize HIPAA compliance by providing a simple, user-friendly solution that fits perfectly with eye care providers’ day-to-day operations.
“We know that HIPAA compliance is a common gap among providers, and we’re thrilled to help Crystal PM users remove the stressors of trying to comply with complex HIPAA requirements,” said Matt DiBlasi, President of Abyde. “HIPAA compliance is essential for a practice’s success, especially now, and we are honored to be a part of Crystal PM’s offerings.”
Abyde’s software solution is the easiest way for an eye care practice of any size to implement and sustain a comprehensive HIPAA compliance program. The revolutionary approach to HIPAA compliance guides providers through mandatory HIPAA requirements such as the Risk Analysis, HIPAA training for doctors and staff, managing Business Associate Agreements, customized policies, and more.
“Crystal Practice Management continues to focus on helping our providers save time and resources while getting the best solutions possible, and the Abyde program fits squarely into that goal,” said John Knaus, CEO of Crystal Practice Management. “We are thrilled to partner with an organization and solution that will provide instant value to our users.”
About Abyde
Abyde (Tampa, FL) is a technology company dedicated to revolutionizing HIPAA compliance for medical professionals. Launched in January 2017, Abyde was formed with the idea that there could exist an easier, more cost-effective way for healthcare providers to comply with government-mandated HIPAA regulations. For more information on Abyde visit abyde.com.
About Crystal PM
Crystal Practice Management is the ideal solution for a paperless office with more than 15 years of experience and thousands of satisfied clients. Crystal PM provides offices with the most complete and customizable health records on the market, secure electronic claims for almost all insurance carriers, an exhaustive billing component, and a multi-doctor scheduling program. With both cloud and on-premise delivery options, Crystal Practice Management has multiple pricing options, but all options include at least one year of toll-free phone support and automatic software updates. For more information, visit www.crystalpm.com.
Abyde and FDA Services join forces to deliver leading HIPAA compliance solutions for Florida Dental Association members
June 9, 2020
June 9, 2020, Tampa, FL – Abyde, an industry-leading HIPAA compliance software solution for dental practices, announced a new partnership with FDA Services to deliver a complete and quality HIPAA compliance program to FDA members.
Abyde’s collaboration with FDA Services as a preferred vendor showcases collaborative efforts to provide FDA members with government-mandated and essential HIPAA compliance programs. The partnership will help FDA practices meet government-mandated HIPAA needs, and better protect their practice and patients’ health information by identifying and correcting key security safeguards.
Abyde’s software solution is the easiest way for a dental practice of any size to implement and sustain a comprehensive HIPAA compliance program. The revolutionary approach to HIPAA compliance guides providers through mandatory HIPAA requirements such as the Risk Analysis, HIPAA training for doctors and staff, managing Business Associate Agreements, customized policies and more.
“Together with FDA Services, we are eager to show the value and simplicity providers have found with Abyde to even more of FDA’s members,” said Matt DiBlasi, President of Abyde. “During today’s challenging times and beyond, HIPAA compliance is essential for a practice’s success and we are honored to be a part of FDA Services’ platform.”
“The Florida Dental Association is proud to offer our members only the best products and services, and we’re thrilled to be adding Abyde into the mix of quality and comprehensive solutions. We know our members will find great value in the peace of mind and simplicity Abyde offers while meeting a real requirement and need for dental practices,” said Scott Ruthstrom, Chief Operating Officer of FDA Services. “We look forward to providing industry-leading education and services to FDA members.”
About Abyde
Abyde (Tampa, FL) is a technology company dedicated to revolutionizing HIPAA compliance for medical professionals. Launched in January 2017, Abyde was formed with the idea that there could exist an easier, more cost-effective way for healthcare providers to comply with government-mandated HIPAA regulations. For more information on Abyde visit abyde.com.
About FDA Services
FDA Services is the wholly owned, for-profit company of the Florida Dental Association. FDA Services researches and vets business solutions so FDA members can take advantage of exclusive deals, discounts, and services on programs that are important to run an efficient dental practice. For more information on FDA Services visit fdaservices.com/crown-savings.
State Laws vs HIPAA – What You Need to Know
June 8, 2020
When it comes to regulations surrounding the privacy and security of health information, federal HIPAA laws are typically the golden rules to follow. But did you know that many states have their own laws surrounding patient rights, data privacy, and medical records which sometimes overrule the federal guidelines? These state laws either predate the enactment of HIPAA or were passed to create stricter safeguards, and are typically focused on technology use.
We understand HIPAA laws are confusing, and ensuring that you’re following the rules only becomes a little harder when it’s not crystal clear which rules are the ‘right’ ones. It’s important to note that when HIPAA laws and state laws go head to head, HIPAA typically comes out on top. But like most things, there are some exceptions to the rule where the state law takes precedence. These specific instances include:
In HHS’ own words, “HIPAA provides a Federal floor of privacy protections for individuals’ individually identifiable health information,” basically meaning that any laws that are viewed to be ‘weaker’ than HIPAA regulations will be overruled. State laws will also be overruled if they contradict a HIPAA law.
It’s not always easy to determine which laws are stricter, and there are many areas of overlap between HIPAA regulations and state-specific laws. To try and give some clarity, here are some topics that commonly conflict with each other:
Source: healthinfolaw.org
As data privacy has become an increasing topic of concern, individual states, as well as the federal government, have been enacting stricter policies on matters that concern the security and privacy of electronic health information. More recently, events such as the COVID-19 public health emergency have been a catalyst for updating regulations to best meet the changing needs of the public. And as HIPAA laws, as well as state laws, have been under constant update, it’s harder for practices to keep up.
We know that HIPAA alone is confusing, especially when you add in state-specific rules and regulations, which is why Abyde dynamically generates policies and procedures specific to your practice and, if applicable, the state you’re located in. With Abyde you don’t have to worry about reading through pages of laws, determining whether there are any contradictions, and figuring out which law preempts the other – we’re here as your HIPAA experts to help do so for you!
While we know HIPAA like the back and maybe even front of our hand, there may be laws outside of HIPAA that impact your practice and overall operations – this blog article shouldn’t be considered legal advice, and we always recommend consulting with a legal team regarding your practice’s legal needs!
So, What Exactly is a Security Risk Analysis?
June 2, 2020
You might be aware that all practices need to complete a ‘Security Risk Analysis’ as a part of their HIPAA compliance program, but do you know exactly what this analysis covers? While this is the first step and among the most important aspects of a complete HIPAA program, it is often missed or not properly completed – in fact, during the latest round of OCR audits, 86% of covered entities could not show a properly documented Security Risk Analysis for their practice.
The HIPAA Security Rule defines a Security Risk Analysis (SRA) as an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronically protected health information held by the covered entity or business associate.” In layman’s terms, the risk analysis is a systematic review of your processes and policies that is ultimately designed to shed light on any aspects of your practice that could be considered weaknesses in protecting the privacy and security of your practice and the protected health information (PHI) it holds. Not having a properly documented analysis leaves potential risks unidentified and is a huge red flag for your overall compliance efforts.
What questions does an SRA need to include?
There is no specific checklist to follow when it comes to performing a risk analysis for your practice. The OCR does, however, provide specific elements that should be included. Your assessment should:
Completing a risk analysis for your organization is not just a one-time thing. Assessments should be reviewed periodically, especially as new work processes are implemented or technologies are updated. After events such as COVID-19, any changes your practice made regarding remote operations, utilizing telehealth services, or receiving/providing more information electronically rather than in a physical exchange will need to be assessed for any additional vulnerabilities or threats they brought on.
What’s the best way to tackle an SRA?
If your organization hasn’t completed an SRA before or has done so in a more basic or incomplete manner, using an outside organization will help to ensure all areas of the SRA are fully completed and documented accordingly. A third party can also help add new areas and questions to the SRA that reflect changing regulations as well as technology enhancements that present new threats or vulnerabilities to your organization.