July 30, 2020

COVID-19 has made 2020 feel like both the shortest and longest year ever, and if rising cases are any indication it’s not likely to let up anytime soon. You may have already expected our ‘new normal’ of mask-wearing, keeping a 6-foot distance, and HIPAA waivers to be here for the long haul, and the recent Department of Health and Human Services (HHS) extension of the National Public Health Emergency solidifies that notion.

Just last week the HHS announced the renewal of the National Public Health Emergency and an extension of limited HIPAA waivers until October 23, 2020. This declaration means more than continued social distancing rules; it also extends the many other waivers and flexibilities issued by the HHS in the initial response to the pandemic. These waivers work to mitigate the risks to the health of the general public while assisting healthcare providers with the necessary accommodations to protect their practice and continue serving their patients.

To give a recap on everything that’s been changed or updated in light of COVID-19:

In addition to the specific waivers granted in response to the pandemic, practices should be aware of additional guidance covering the expansion of cyber security attacks in response to increased remote operations, reminders on the restrictions on sharing patient information with the media, and proactively safeguarding against the recent rise in patient complaints due to COVID-19.

As part of the recent extension of HIPAA waivers, the HHS has specified a 90-day period until waivers are expected to be lifted. Practices now have a clear timeframe for when they need to implement HIPAA compliant solutions for tools like telehealth, which may currently be provided using non-compliant software. To prevent a HIPAA violation as these waivers end in October, it’s important that your practice proactively prepares by:

While these HIPAA regulation flexibilities have been extended, they aren’t going to last forever.
Keeping your practice one step ahead will make all the difference in your ability to avoid any HIPAA violations or fines as standard regulations take effect again. If HIPAA hasn’t been your number one priority over the past few months, you should start now and use this 90-day extension to ensure you have a complete compliance program in place, especially as 2020 continues to fly by.
Abyde HIPAA Compliance Software Provider Launches Revolutionary Partnership with New England College of Optometry
July 29, 2020

July 29, 2020, Tampa, FL – Abyde, an industry-leading, user-friendly HIPAA compliance software solution, today announced it has partnered with the New England College of Optometry (NECO) to provide HIPAA compliance training for NECO students and faculty. This first-of-its-kind partnership has paved the way for streamlining and enhancing the HIPAA education provided for NECO students, in addition to preparing future Doctors of Optometry to better understand HIPAA compliance after graduation.

Abyde, already known for revolutionizing HIPAA compliance, has taken new steps with their NECO partnership to create and curate HIPAA content specifically for promising future doctors. In addition to student-specific content, Abyde has now bridged the gap between clinical training and professional practice to highlight how HIPAA plays an important daily role for a covered entity. Through this new partnership, NECO has proven their commitment to HIPAA compliance in addition to a continuing, revolutionary approach to enhanced and engaging educational content that best prepares their students for success after graduation. As part of their collaboration, Abyde offers exclusive discounts to NECO alumni as they graduate and join the eye care workforce.

“Abyde has enabled NECO to use the same HIPAA training platform for clinical faculty, staff, and student interns. This allows for continuity and consistency as we see patients across the NECO Clinical Network and send students out for their clinical rotations. Managing and tracking so many people at once would have been difficult, but now Abyde has customized our experience into a seamless process. They have been extremely responsive and supportive throughout the setup process.”
Amy Moy, OD, FAAO, Chief Compliance Officer.
“This opportunity and exciting new type of collaboration has allowed Abyde to expand its impact on the healthcare community by partnering with such a prestigious institution as the New England College of Optometry,” added Matt DiBlasi, President of Abyde. “We are continually challenging ourselves to go further, and we are delighted to play a part in NECO’s students graduating and launching successful, HIPAA-compliant practices of their own.”

Used by thousands of providers across the nation, Abyde is a complete HIPAA program covering the required Security Risk Analysis, HIPAA training for doctors and staff, Business Associate Agreements, customized practice-specific policies, and more.

About New England College of Optometry
New England College of Optometry is an independent graduate college of optometry that educates students for careers in eye care delivery, research, and education. Founded in 1894, NECO is the oldest continuously operating school of optometry in the country and was the first to create an expansive clinical training network. We challenge students to think creatively about vision and sight and to contribute to the future of the field. In doing so, we provide quality optometric care to more than 150,000 individuals annually and serve the community through a network of healthcare organizations and access to vision screenings. www.neco.edu

About Abyde
Abyde (Tampa, FL) is a software company dedicated to revolutionizing HIPAA compliance for medical professionals. Launched in January 2017, Abyde was formed with the idea that there could exist an easier, more cost-effective way for healthcare providers to comply with government-mandated HIPAA regulations. For more information on Abyde visit abyde.com or call (800) 594-0883.

Read the full press release here.
OCR Levies Two HIPAA Fines Totalling $1,065,000 Amidst COVID-19
July 27, 2020

Even in the midst of COVID-19, the Office for Civil Rights (OCR) hasn’t let up on finding and enforcing HIPAA violations. Within just this past week, both a small healthcare provider and a larger health system found themselves facing HIPAA violations that resulted in hefty fines – $25,000 and $1.04 million, respectively – as well as extensive corrective action plans.

Continued Disregard for HIPAA

A small practice based in North Carolina, Metropolitan Community Health Services (d/b/a Agape Health Services), filed its initial breach report all the way back in 2011 when there was an impermissible disclosure of PHI to an unknown email account. While the violation may have been triggered by an impermissible disclosure of protected health information (PHI), the OCR’s hammer was brought down in large part by the practice’s continued disregard for HIPAA requirements and protections for their patients’ PHI. The disclosure impacted over 1,000 patients, and the practice’s report opened the doors to an OCR investigation of their entire HIPAA program. The investigation shed light on the practice’s failure to comply with various HIPAA Security Rule regulations, including:

Even after reporting the breach in 2011, the practice didn’t implement these missing HIPAA requirements in any hurry. Staff weren’t trained properly on HIPAA until 2016 – five years after the initial complaint was reported. The lack of progress made to safeguard their patients’ information resulted in the OCR levying a $25,000 fine years after the impermissible disclosure took place, in part as a result of continuously failing to remediate the gaps in their HIPAA program. OCR Director Roger Severino emphasized the practice’s lack of effort in his statement accompanying the press release. “Health care providers owe it to their patients to comply with the HIPAA Rules.
When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information.” This fine highlights that it is imperative not only to have a comprehensive HIPAA compliance program in place before a breach occurs, but also to ensure that safeguards are implemented after a breach has been identified – the OCR has made it clear that showing a lack of progress is one way to guarantee you end up in their crosshairs.

Unencrypted Laptop

The second violation involved a large healthcare system in Rhode Island, Lifespan ACE, and resulted in a whopping $1,040,000 resolution agreement. Back in 2017, a Lifespan employee’s car was broken into and a single unencrypted laptop containing patient information from various entities within the healthcare system was stolen. This data breach led to the impermissible disclosure of over 20,000 individuals’ PHI and opened the doors for the OCR’s further investigation. Upon investigation, it was found that they were missing various elements of their HIPAA program, including:

Because the laptop was not encrypted, a single technical safeguard that could have prevented the violation, the PHI of any patient that was accessible using the device was at high risk for misuse. Part of the OCR’s investigation revealed “systemic non-compliance” with HIPAA, including various other media and device controls such as proper encryption. “Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality. Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves,” added Roger Severino, OCR Director, in the news release. This fine emphasizes that even when theft is outside of a covered entity’s control, the responsibility still falls on the provider to properly encrypt and safeguard that valuable data.
While preventing every single possibility of a data breach might be unrealistic, maintaining a proactive HIPAA compliance program that meets federal requirements and includes all appropriate encryption and technical safeguards is achievable. Ensuring you have a complete program with all aspects of HIPAA reviewed and implemented is key – and stress-free when done with an intuitive software solution like Abyde.
Requirements for HIPAA Training
July 22, 2020

You know the saying ‘teamwork makes the dream work’? The same goes for HIPAA compliance within your practice, too. The easiest way to make sure everyone is on the same page is to implement a comprehensive HIPAA compliance training program. HIPAA training is key to securing your patients’ information and instilling a culture of compliance within your organization. Compliance is a group effort, and ensuring that all workforce members have a full understanding of their HIPAA responsibilities will limit the accidental exposure of protected health information (PHI) and avoid potential high-dollar settlements for the practice.

58% of healthcare breaches involve practice employees, and these breaches are largely a result of employees improperly disclosing patient information, the mishandling of medical records, losing devices containing electronic protected health information (ePHI), or a general lack of training. This makes education a key aspect in preventing improper access or misuse of PHI. Unfortunately, the Office for Civil Rights (OCR) doesn’t provide any lesson plans or online training classes – leaving the burden of providing proper education completely on your practice. Here are a few key points to keep in mind when it comes to the “who, what, when, and how” of employee training.

Who needs to be trained?

All workforce members, part-time, contract, or full-time, that come into contact with protected health information must be properly trained. This includes providers as well. HIPAA law states that training must be done “as necessary and appropriate for the members of the workforce to carry out their functions.” Some staff members, like your practice’s HIPAA Compliance Officer, should be trained more frequently than the rest of the staff, and the material should be specific to their HCO duties.

What needs to be included in the training?
HIPAA doesn’t specify any particular topics that should be covered or what timeframe they should be addressed in, but training should be designed around what a staff member needs to know in order to perform their job function. That might include new employee training that covers the basics and additional training that dives more deeply into the nuances of how HIPAA impacts the staff’s daily job roles. Common HIPAA training topics include:

When should employees be trained?

While HIPAA does not technically specify the timeframe of ongoing training, most agree that annual training is the appropriate timeframe to keep HIPAA top of mind for staff. In addition, any new employees must complete initial training on HIPAA within a reasonable time after being hired – this is recommended within the first 90 days of employment. HIPAA training should be a key part of the employee onboarding process to ensure compliance. It will also set the standard that HIPAA compliance is important to your practice.

How long must each training be?

There’s no specified length of training regulated by HIPAA, but the length must be sufficient to cover all the necessary materials. The quality of the information being provided, as well as the effectiveness of how it is taught, is the most important aspect of proper training. This could mean a shorter but more engaging training, such as an animated video and interactive quiz. There are also no specifics that identify whether training must be completed individually or as a group. Utilizing training videos may help your practice avoid losing valuable patient time by letting staff complete training on their own time.

What is required to document training?

One of the most important aspects of completing HIPAA training is to document each staff member’s completion. When it comes to HIPAA, document, document and document some more. It is key to providing proof of compliance if ever audited or breached.
For training, a certificate of completion showing who completed the training and when it was completed will show all needed information. Offering a modular-type training format, such as a quiz after training, is important for showing that employees retained the material. Unpacking HIPAA means peeling back a lot of layers, and ensuring that each employee is properly trained on HIPAA’s nuances to fully understand what’s needed to be compliant may seem daunting. A solution like Abyde makes HIPAA training as easy as a click of a button, sending animated training videos that keep HIPAA fun and engaging. No matter the training solution your practice chooses, make sure it meets all HIPAA requirements and most importantly delivers content in a way that will be retained and understood by your employees.
My EHR system makes me HIPAA compliant, right?
July 16, 2020

Let’s face it, in today’s digital age, it’s tough to find a medical practice that doesn’t utilize an Electronic Health Records (EHR) system. Even if you were late to the game and just recently made the switch, the use of EHRs in doctor’s offices nearly doubled between 2009 and 2017, to almost 86% of providers. One of the biggest qualifications for any EHR system is that it meets all HIPAA compliance requirements to protect the sensitive patient data held within it. But is that where HIPAA compliance begins and ends?

A common misconception many providers have is that implementing a HIPAA compliant EHR ensures their practice is in compliance with all standards – instead, it’s just one piece of the much larger puzzle. Make no mistake, having a HIPAA compliant EHR is essential. There are a number of safeguards that should be implemented to protect your EHR’s electronic data, such as:

While these safeguards are key, there are other HIPAA requirements that go beyond the security of your EHR software and impact your practice’s operations, physical accessibility, and all technology used within the organization – including IT networks and other applications not included in your EHR software. That’s why the Security Risk Analysis’ three sections – administrative, physical, and technical safeguards – are so essential to ensure every aspect of your business’ risk is assessed.

Even non-HIPAA experts can conclude that having a HIPAA compliant EHR system is a no-brainer. But missing all, or even just some, of the other pieces of the puzzle puts your practice and your patients at high risk. In fact, within Abyde’s Security Risk Analysis, only 10% of the questions pertain to your EHR system. Whether with Abyde, internally, or with another vendor – it’s essential to review the other 90% of your necessary safeguards before getting slammed with a HIPAA violation.
Abyde’s Industry Leading HIPAA Compliance Software Now Part of MSV Business Affiliate Program
July 15, 2020

July 15, 2020, Tampa, FL – Abyde, offering a best-in-class HIPAA compliance software solution for medical practices, has joined the Medical Society of Virginia’s (MSV) Business Affiliate Program. Abyde offers MSV members protection from HIPAA compliance pitfalls through a user-friendly, complete HIPAA compliance program. This new partnership comes at a perfect time to help Virginia physicians overcome changes to HIPAA in 2020.

The MSV Business Affiliate Program is designed to engage with companies that can offer exclusive rates, superior service, and competitive solutions to its membership of over 9,000 physicians, residents, medical students, and physician assistants. Dustin Beekman, Director of Business Development for MSV, recognizes the value in this relationship. “We are very excited that Abyde has joined our Business Affiliate Program,” he said. “The opportunity this provides our members is the reason we started this program and an important part of our decisions to work with Abyde as an industry leader in HIPAA compliance.”

“We are thrilled to work with a partner like MSV, especially during a time when it’s essential that we come together to help physicians across Virginia succeed,” said Matt DiBlasi, President of Abyde. “The passion behind MSV’s commitment to physician prosperity is evident, and we are honored to be a part of helping Virginia physicians meet HIPAA requirements even during a turbulent and changing climate like today’s.”

The MSV Business Affiliate Program launched in January 2019 and was created to provide opportunities to both the MSV membership and Business Affiliates. Through this unique relationship, MSV will continue to be able to provide dynamic and comprehensive benefits to its membership.

About Abyde
Abyde (Tampa, FL) is a technology company dedicated to revolutionizing HIPAA compliance for medical professionals.
Launched in January 2017, Abyde was formed with the idea that there could exist an easier, more cost-effective way for healthcare providers to comply with government-mandated HIPAA regulations. For more information on Abyde visit abyde.com.

About MSV
The Medical Society of Virginia (MSV) serves as the voice for more than 30,000 physicians, residents, medical students, physician assistants, and physician assistant students, representing all medical specialties in all regions of the Commonwealth. The association was founded in 1820 and is headquartered in Richmond, Virginia. MSV strives to advance high-quality health care and make Virginia the best place to receive care and practice medicine.

Read the full press release here.
HIPAA Compliant Digital Marketing for Healthcare Practices
July 8, 2020

Nowadays, you can shop online for anything – from chopsticks that double as LED lightsabers to a wig for your dog (seriously, we’re not kidding), and shopping online for a healthcare provider is no different. The internet plays a key role in a healthcare consumer’s decision-making; in fact, according to a study released by the Pew Internet & American Life Project, “80 percent of Internet users, or about 93 million Americans, have searched for a health-related topic online.” Let’s face it, we use the internet for basically anything and everything nowadays, especially as we continue to adapt in today’s COVID-19 world, which is why it’s important for your practice to understand what is and isn’t allowed when it comes to HIPAA compliance and online marketing.

Using online marketing as a tool can be extremely beneficial for practices. Most medical practices have a website and many use social media and email marketing as tools to reach potential patients – ensuring you are utilizing these platforms in a HIPAA compliant manner is imperative to marketing in the right ways while still ensuring the privacy of your patients and the security of your practice. Whether it be for your practice website, social media page, or advertisement – if you would like to use any type of patient information, there are some strict guidelines to follow:

Your Practice Website

Having a HIPAA compliant website for your practice enables patients to search for information regarding the services that you provide, and ultimately drives new patients to you. The following are some key tips to follow when creating and maintaining the website for your practice:

Email Marketing

If choosing to use email marketing to engage with patients, there are some key safeguards you must take to ensure you’re protecting your patients’ information and aren’t setting yourself up for a HIPAA violation:

Social Media

Nowadays social media platforms play a large role in consumers’ decision-making.
Having a strong social media presence can be a great asset to your practice, but in order to use social media to your advantage, you should follow these guidelines:

Where marketing regulations get tricky is patient reviews or comments on digital platforms. While patients are able to post a review or comment about your practice, you cannot respond in any capacity that ties the patient to your practice. A dental practice in Texas was faced with a $10,000 fine along with a 2-year corrective action plan after they responded to a patient’s Yelp review. The investigation found that the practice had responded to multiple reviews, disclosing patient information including names, medical diagnoses, and more, and was only hit with a small fine due to their immediate cooperation with the Office for Civil Rights.

On top of ensuring that you’re meeting all the criteria for a safeguarded online presence, you should also create a well-documented strategy that clearly outlines what’s permitted and what isn’t for your staff. This should cover the necessary policies and procedures for marketing to patients, whether it is done online, over the phone, or in person.
Is Your Telehealth Solution HIPAA Compliant?
July 2, 2020

Ever thought you’d be saying “What’s up Doc?” on a video chat from home? Telehealth has made remote visits a new reality – though not all telehealth providers have been created equal when it comes to being HIPAA compliant.

Why is it important for telehealth to be compliant?

90% of healthcare executives have already adopted or are planning to adopt telehealth services within their operations, and as remote patient care continues to explode in popularity, so do the risks of compromising that patient information. Part of telehealth’s current popularity is due to COVID-19. To best meet the urgency brought on by COVID-19, the Office for Civil Rights (OCR) provided an update to the provision of telehealth services allowing providers to use any form of non-public facing video communications with patients, even if they weren’t considered ‘HIPAA compliant.’ While this enforcement discretion is only temporary, we can predict that the general public will prefer to keep their distance and avoid face-to-face doctor visits if possible for the foreseeable future. In fact, a recent study found that 74% of Americans would be comfortable and willing to use telehealth services for their doctors’ appointments.

While COVID-19 has made a major impact on telehealth services, the ability to provide care remotely has been growing in popularity for several years. The value of telehealth goes beyond allowing for social distancing between patients and providers, including:

With all the benefits presented in utilizing telehealth services, there are also additional risks to be aware of. The following are some key recommendations for implementing telehealth in the most secure way possible:

The explosion of telehealth providers to meet the new demand after COVID-19 has seen some great – and some not so great – products within the telehealth market.
If you are looking into adding a telehealth solution, be sure it is one that has proper safeguards and programming to prevent and contain possible cyber threats. An unsecured telehealth provider could make your patient data vulnerable – such as chatbot and telehealth startup Babylon Health, whose users found dozens of videos of other patients’ appointment consultations in their app due to a software glitch. While the issue was quickly corrected, implementing a non-compliant telehealth app creates a high risk for potentially compromising patient data. As the healthcare industry continues to implement technology solutions, it’s important to ensure that sensitive patient information remains safeguarded from additional risks that technology presents. Utilizing HIPAA compliant providers for telehealth and having the proper Business Associate Agreements in place are key to providing the most effective and protective services for your patients.
Abyde partners with Acquios Alliance to deliver HIPAA compliance solutions to private practice optometrists
July 1, 2020

July 1, 2020, Tampa, FL – Abyde, an intuitive and industry-leading HIPAA compliance software solution for private practices, today announced it has joined Acquios Alliance’s network of top vendors to deliver exceptional HIPAA compliance solutions to their members. Abyde’s collaboration with Acquios Alliance helps alleviate the unique challenges private practice optometrists encounter by providing them with state-of-the-art HIPAA compliance programs designed to reduce the time, resources and stress that accompany a complete HIPAA program.

Abyde’s software solution is the easiest way for an eye care practice of any size to implement and sustain comprehensive HIPAA compliance programs. Abyde’s revolutionary approach guides providers through mandatory HIPAA requirements such as the Risk Analysis, HIPAA training for doctors and staff, managing Business Associate Agreements, customized policies and more.

“As part of Acquios Alliance’s selective network, Abyde is now poised to deliver exceptional HIPAA services designed specifically for the needs of an independent optometrist – which is a unique challenge,” said Matt DiBlasi, President of Abyde. “This partnership will allow us to provide the same comprehensive HIPAA solutions we are known for to a growing group of eye care providers.”

“Acquios Alliance works to deliver solutions that connect our members to industry leaders, and our partnership with Abyde will help to fill needed gaps in practices’ HIPAA compliance programs,” said Rick Guinotte, CEO of Acquios Alliance. “Abyde’s HIPAA compliance solution is the best choice for our members, and we are proud to work together to help our optometrists continue to excel.”

About Abyde
Abyde (Tampa, FL) is a technology company dedicated to revolutionizing HIPAA compliance for medical professionals.
Launched in January 2017, Abyde was formed with the idea that there could exist an easier, more cost-effective way for healthcare providers to comply with government-mandated HIPAA regulations. For more information on Abyde visit abyde.com.

About Acquios Alliance
“Acquios Alliance is a membership program aimed at mitigating the unique challenges private practice optometrists face to help them thrive, independently. We partner with top vendors across the country in order to connect our members with the premium services they seek. Each of our vendor partners has a commitment to empowering the independence of the private practice optometry office. If your goal is independence and being unique, we are your advocate.”

Read the full press release here.