January 28, 2021 Trying to understand all of the complicated rules and regulations your practice needs to follow can sometimes feel like keeping up with the Joneses – but HIPAA isn’t the only compliance rulebook your practice needs to follow, and other laws (both new and old) impact your practice operations and your HIPAA compliance program – enter the HITECH Act. Whether it’s your first time visiting our news page (welcome!) or you’re a regular reader (welcome back!) you might’ve seen last week’s article covering the new HIPAA Safe Harbor bill that offers practices reduced HIPAA fines IF they have reasonable security safeguards already in place before a breach. The bill amends the HITECH Act to incorporate this change, but if you aren’t even sure what the HITECH Act really is, let’s take a step back and cover what the Act means for you and where these new changes come into play. The What The ‘Health Information Technology for Economic and Clinical Health’ Act, or HITECH Act (much easier to say), was signed into law way back in 2009 to essentially promote the implementation of health information technology, specifically the use of electronic health records (EHRs), by healthcare providers. Transitioning from paper to electronic records was (and still is) time-consuming and costly, and the HITECH act provided incentives for making the switch – while also ensuring that healthcare organizations along with their business associates remained in line with HIPAA law as they upgraded their systems. The Why So you might be thinking – well doesn’t HIPAA law already promote the secure usage of EHR’s? You’re right (high five!) but the HITECH Act goes one step further and expands the enforcement and strength of HIPAA regulations related to technical requirements within the HIPAA Privacy and Security Rules. Thanks to the HITECH Act, violation tiers were introduced, increasing financial penalties for HIPAA violations and ultimately giving the Office for Civil Rights (OCR) more money in the bank to go after non-compliant covered entities. The HITECH act was also designed to answer questions around how to offer the same HIPAA protections to electronic protected health information (ePHI), not just physical PHI, as practices went digital. This included: Where the HIPAA Safe Harbor Bill Fits In Fast forward to 2021, and all the same needs the HITECH act was introduced to fill still apply. However, the newly signed HIPAA Safe Harbor Bill helps to reinforce the value of these security measures with the new incentives offered and opportunity for reduced fines – and it’s one of the few pieces of new legislation you should actually feel GOOD about! So whether it’s HIPAA, HITECH, or the brand new Safe Harbor Bill – understanding and complying with each and every one of their requirements is essential to protecting your patients. Still not quite sure about what’s required? Don’t sweat it! Schedule a free consult with one of our HIPAA experts today to ensure you’re up to speed.
Public Health Emergency Extended Again: What it Means For Your Practice
January 22, 2021 I don’t think anyone will be surprised to hear the latest Department of Health and Human Services (HHS) announcement that waivers related to the Public Health Emergency (PHE) – affecting telehealth, COVID-19 information sharing, and more – are (you guessed it) extended! Originally expiring January 21, 2021, waivers were instead extended again until April 20, 2021. While we all hope COVID-19 is behind us sooner rather than later, we won’t be surprised if waivers are extended again in April (after all, we’ve rung the false alarm 4 times now in saying that the PHE is expiring). Even if the light at the end of the COVID-19 tunnel takes a little bit longer, waivers will still expire, and the sooner your practice is prepared for that day – the better. When it does happen, the PHE expiring won’t mean that life will snap back to the way it was pre-pandemic (as much as we all wish that it could). What it does mean is that normal HIPAA regulations will regain effect – and that your practice needs to have the necessary compliance requirements ready to go if they aren’t already. So let’s recap what changed over the course of 2020 and what’s expected of your practice to remain in compliance when normal HIPAA enforcement kicks back into gear: PHI Disclosures Business Associates Telehealth 2020 was a historic year for more reasons than just the National Public Health Emergency, and HIPAA enforcement saw record-breaking highs over the past 12 months. We can only expect these efforts to continue in 2021 especially once HIPAA waivers officially expire. If HIPAA is on your list to tackle in 2021 – and it should be, with recent legislation reducing fines for breaches if compliant – determining where you stand now and addressing any areas you’ve relaxed compliance in is a great first step!
OCR Announces 2nd HIPAA Settlement of 2021 with Health Insurer for $5.1 Million
January 15, 2021 Buckle your seatbelts – it’s only 15 days into 2021 and it’s already looking like this year will be a wild ride when it comes to HIPAA enforcement. The Office for Civil Rights (OCR) just announced another HIPAA settlement (and a doozy at that), bringing in not one but TWO fines just this week. The latest (and greatest) HIPAA fine of 2021 was just awarded to Excellus Health Plan, Inc., a health insurance provider serving over 1.5 million people in New York. The settlement includes a whopping $5.1 million fine and a 2-year corrective action plan, the result of cyber attack affecting more than 9 million records along with a slew of other HIPAA Privacy and Security Rule violations. Fun fact: the OCR didn’t reach $5 million in total fines levied until September of last year, and today’s announcement means they’ve already exceeded the $5 million mark just 15 days into 2021 – talk about starting the year off strong! Excellus’ story all started when the OCR received a breach report on September 9, 2015 that cyber-attackers had gained access to Excellus Health Plan’s information technology systems. Of note with this particular breach story is that the hackers in Excellus’ case were accessing their systems so long, they not only set up shop but practically built a whole mall to go with it – hanging out in the health plans’ database from December 23, 2013 allllll the way until May 11, 2015 – an entire year and a half. Their overextended stay allowed the hackers to install malware in addition to other malicious activities that provided unauthorized access to the protected health information (PHI) of over 9.3 million individuals – improperly accessing everything from names, to addresses, social security numbers, financial information and clinical treatment information. If having hackers in your IT system for almost 2 years wasn’t bad enough, the OCR also found that Excellus had violated some pretty important HIPAA rules, including: As a great example of what NOT to do when it comes to your HIPAA and technical security programs, today’s fine also offered words of wisdom from the OCR: “Hacking continues to be the greatest threat to the privacy and security of individuals’ health information. In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year which endangered the privacy of millions of its beneficiaries,” said OCR Director Roger Severino. “We know that the most dangerous hackers are sophisticated, patient, and persistent. Health care entities need to step up their game to protect the privacy of people’s health information from this growing threat.” One positive when it comes to increasingly concerning cyberthreats? The recently passed HIPAA Safe Harbor Bill offers your practice the chance to receive smaller HIPAA fines (even more important with the whopping $5.1 million precedent just set) IF you have the necessary safeguards in place 12 months BEFORE a cyber event. Even though data breaches and hacking incidents aren’t always in your control, practice’s preparation beforehand is – and could mean the difference between a smaller, manageable fine and ranking among the top 10 greatest hits on the OCR’s fine list.
What is the New HIPAA Safe Harbor Law?
January 14, 2021 There’s a lot of legislative changes coming in 2021 (including changes to the HIPAA Privacy Rule) that affect your practice’s HIPAA program, but there’s at least one change we think you should be pretty thrilled about. We’re usually pretty happy about HIPAA (we know, we’re weird, but we’ve accepted it) – but what should make your practice just as happy? Well, after an unprecedented year of cyber threats and HIPAA enforcement, recently ratified changes to the HITECH Act include some really good news – reduced HIPAA fines and penalties for data breaches if practices have proper security measures in place. What Changed HR 7898, or the HIPAA Safe Harbor Bill, was officially signed on January 5th, 2021, and amends the HITECH act to require the Department of Health and Human Services (HHS) to take into account if practices have “recognized cybersecurity practices” in place when investigating a data breach, and to be lenient with their fines or other enforcement actions if the practice has met all the basic technical safeguard requirements. Translation: if you have the right HIPAA Security Rule basics down, and appropriate technical safeguards to mitigate your identified threats, you’ll be able to stress less when a breach occurs – and see a lot fewer $$$ from the HHS. See why it’s not just us that should be happy about this one? What Else to Know So smaller fines is a major plus – but what’s the fine print? Like any law, there are a few caveats to make sure your practice gets to enjoy these incentives: The next question – what does “recognized cybersecurity practices” mean? What to do NOW To put it frankly, if you don’t have the required security standards in place already – it’s time to get a move on. Implementing these recognized security practice’s could mean the difference between a hefty fine or enforcement effort in the case that your practice ever falls victim to a data breach or other HIPAA violation – which is often out of your control. What’s really important about this law change is that having some cyber security measures in place does not cut it – if you don’t have the specific measures required under the HIPAA Security Rule (that Security Risk Analysis, documentation, and more) you will not meet the requirements outlined in HR 7898. This is another way compliance and security go hand in hand – and to get the benefits of reduced fines, you’ll need both.
OCR’s First Settlement of the Year: More HIPAA Right of Access Violations
January 12, 2021 The Office for Civil Rights (OCR) wasted no time starting on their new year’s resolutions, announcing their 14th settlement as part of the HIPAA right of Access initiative just 2 weeks into 2021. Patient right of access fines are starting to become a monthly occurrence, and it’s no surprise that the OCR would start off the new year with the same enforcement efforts they ended 2020 with. Banner Health, an Arizona-based non-profit health system operating 30 hospitals, primary care, urgent care, and specialty care facilities across the country, became the OCR’s first victim of the year with the largest right of access fine to date – $200,000. This hefty payout comes as a result of two separate complaints filed against Banner Health, both highlighting the health systems noncompliance with the HIPAA right of access standard. If today’s settlement isn’t enough reason to avoid dragging your feet on records requests and getting HIPAA compliant ASAP, maybe the latest statement from OCR Director Roger Severino will seal the deal: “This first resolution of the year signals that our Right of Access Initiative is still going strong and that providers of all sizes need to respect the right of patients to have timely access to their medical records.” The OCR has clearly hit the ground running with HIPAA enforcement in the new year and it’s more important than ever to get your practice compliant. OCR Director Roger Severino has been beating the same right of access drum for over a year, and it’s no surprise given that audit results released just this past December show that most covered entities (a whopping 89%) don’t meet patient access requirements. Concerned your practice falls in that boat? Schedule a consultation today with one of our HIPAA experts to see where you currently stand and what you need to do to avoid falling into the government’s crosshairs in 2021.
2020 HIPAA In Review
January 7, 2021 Sound the air horns, blare your favorite pump-up jam, let loose your last few New Year’s streamers – we made it through 2020! Some of us picked up a new hobby, some just made ‘staying sane’ a hobby (raising our hands over here), but the fact is we made it through the year and have come out ready to weather what 2021 will throw our way. We know, we know – we want to close the book on last year, put it away in a very heavily locked box, and tuck that box in a corner of the attic we’ll quickly forget exists too (just us?). So why on earth do we want to recap 2020 instead? Well, record-breaking HIPAA enforcement, emerging cyber threats, new audit data, and ongoing trends in HIPAA are probably worth remembering – especially if keeping up to speed means protecting your practice in 2021. So here’s a recap of what happened with HIPAA this past year, and what we can expect to continue moving forward: 1. HIPAA Waivers and Enforcement Discretions You probably remember February/March as an era of toilet paper hoarding and “sorry I was on mute” as we collectively figured out Zoom meetings. But it was right around this time the Department of Health and Human Services (HHS) officially declared a National Public Health Emergency (PHE) and implemented HIPAA waivers with limited enforcement discretions. These waivers provided additional leniencies for providers and their business associates to use and share patients protected health information (PHI) for very specific purposes related to the PHE, and allowed for greater flexibility with telehealth services. After several extensions of the declared PHE, these limited waivers are still in effect until January 20, 2021 – but that doesn’t mean your practice is off the hook. Ensuring that you are up to normal HIPAA standards, such as implementing compliant telehealth solutions before the PHE expires, is the best, and perhaps the ONLY way to protect your practice from a hefty fine. 2. Rising Cyberattacks In the midst of all the COVID-19 hysteria, the healthcare industry faced yet another plague – cyberattacks. Cyberthreats have reached all-time highs over the past year, with hackers leveraging public vulnerability and remote operations to their advantage. Healthcare data is ten times more valuable on the black market than credit card information and makes your practice a prime target for hackers. Many of 2020’s fines were the result of data breaches, most of which revealed a “systemic lack of [HIPAA] compliance” (as the OCR put it), and one of which resulted in the second-largest HIPAA fine to date of $6.85 million. While a cyberattack may be impossible to fully prevent, having a complete HIPAA program and reasonable safeguard in place is still expected. In short, if your practice doesn’t have basic HIPAA requirements like a Security Risk Analysis (SRA), the OCR will show no mercy in using a breach incident to slap your practice with a HIPAA fine. In addition, many business associates were hit heavily with cyberattacks, ransomware, and breaches in 2020. Having proper Business Associate Agreements, a HIPAA requirement is essential to protect your practice from liability if a cyberthreat were to impact one of your vendors. A missing agreement could leave your practice with a fine – even if the breach was completely beyond your control. Review or complete business associate agreements with any vendor who may fall in this category as soon as possible to protect yourself, and make sure your HIPAA program basics (including training, your SRA, and proper documentation) are all up to speed. 3. Patient Right of Access Featuring heavily in 2020’s enforcement efforts was the patient right of access initiative. This hot topic accounted for over 50% of 2020’s total settlements, ranging from $3,500 (the smallest HIPAA fine to date) to $160,000. Each practice affected failed to provide patients or their authorized personal representatives with access to requested medical records within the HIPAA-mandated time frame. In fact, two instances were only resolved after the individuals involved complained a second time to the OCR, and one covered entity didn’t provide the requested records until almost three years after the initial request was submitted. To put that in perspective, most state and federal regulations require records to be provided within 30 days of the patient request. This enforcement trend will only continue, especially as the Department of Health and Human Services looks to update HIPAA Privacy Rule provisions and enhance patient access to their health data in 2021. 4. 2021 and Beyond With increased enforcement, the likelihood of a HIPAA investigation has become a matter of ‘when’ instead of ‘if’. If your practice is a smaller one, the OCR has emphasized that you’re not immune – in fact, OCR Director Roger Severino recently urged the importance of compliance for “offices, large and small” as part of the OCR’s patient right of access initiatives. 2021 brings the opportunity to do more than just ‘make it’ through the year – the most important thing you can do for your practice is to get a complete HIPAA program in place now, before an incident occurs, to prove your compliance and avoid any costly HIPAA fines. Worried you might be missing something? Don’t stress! Register for a consultation with one of our HIPAA experts to learn what your practice must have in place when it comes to HIPAA compliance.
HIPAA Compliance Insights: Summit Takeaways and OCR Guidance
April 3, 2024 Happy Wednesday! Let’s crush the rest of the week! While we are battling our Hump Day blues, let’s turn this Wednesday into a learning opportunity. A HIPAA Summit was held, introducing new updates to HIPAA legislation. Want the quick 411? You’ve come to the right place! Part 2 Final Rule We go into more detail about this in our article here, but new legislation regarding the confidentiality of Substance Use Disorder patient records has been released. You need to know that: The full rule can be found here. Cybersecurity Resource Revision The National Institute of Standards and Technology, or NIST released some new resources for cybersecurity measures. These resources include explanations of the HIPAA Security Risk Analysis and actionable steps to implement these measures. To read more about these resources, click here. HIPAA Online Tracking Technologies Online tracking technologies have been at the forefront of recent compliance cases like the 300,000 dollar fine given to the NewYork-Presbyterian Hospital due to website tracking. The OCR is on it, issuing guidance on how to properly use tracking technologies. What you need to know is that when using tracking technologies: Enforcement Highlights Unfortunately, we’ve seen a major spike in patients impacted by HIPAA. In 2023, over 134 MILLION were exposed to a large HIPAA breach. What You Can Do First, sorry for the information overload, but it’s vital to know for your practice. By following these guidelines, you’ll provide an even more positive and secure experience for your patients. An easy way to stay compliant is with Abyde. The Abyde software offers a plethora of compliance resources, making compliance simple. We offer the latest information and entertaining training for your practice, always keeping you on your A-game. Want to avoid common HIPAA mistakes? Use Abyde! We turned the Security Risk Analysis into an intuitive questionnaire that can be completed in minutes. We also offer dynamically generated documentation, including Business Associate Agreements that can be completed in seconds! Want to see where your compliance currently stands? Email us at info@abyde.com and schedule a consultation here!
Abyde and Kaizen Tech Group Announce Partnership to Help Independent Dental Practices Comply With HIPAA Requirements
May 17, 2023 The partnership between Abyde & Kaizen combines their respective expertise in healthcare compliance & tech solutions to offer an unparalleled suite of services! “We are excited to have partnered with Abyde to bridge that gap in understanding and provide compliance to our practices in a continuously evolving technology landscape.”— Kaizen Technology Group’s CEO Jason McAninch CLEARWATER, FLORIDA, UNITED STATES, May 17, 2023/EINPresswire.com/ — Abyde, a leading provider of simplified HIPAA & OSHA compliance software, and Kaizen Technology Group, a premier provider of comprehensive IT solutions, are pleased to announce a strategic partnership aimed at delivering efficient and secure compliance solutions to the dental industry. Abyde and Kaizen Technology Group’s partnership combines their expertise in healthcare compliance and technology solutions to offer an unparalleled suite of services designed to streamline and simplify HIPAA compliance for providers. With an increasing focus on data security and privacy, this partnership seeks to address the growing compliance challenges faced by dental practices in an ever-evolving regulatory landscape. Abyde CEO Matt DiBlasi added, “As someone who started the early part of my career in the MSP/IT world, helping independent practices with their technology and security, I see the need to have strong partnerships with organizations like Kaizen Technology Group. As Abyde continues to grow within the dental space and across the country, we will strategically align ourselves with companies that can help Abyde customers get their technical safeguards in compliance.” Kaizen Technology Group’s CEO Jason McAninch said, “Compliance is a daunting, ever-changing task. Due to many complexities, a lot of private practices are left with more questions than answers on where they stand with their compliance. We are excited to have partnered with Abyde to bridge that gap in understanding and provide compliance to our practices in a continuously evolving technology landscape.” Through this partnership, Abyde and Kaizen Technology Group aim to empower dental providers with the tools and knowledge necessary to navigate the complex regulatory landscape and maintain the highest data privacy and security standards. By simplifying compliance processes and implementing robust IT infrastructure, this collaboration will help practices focus on delivering quality care to their patients. About AbydeAbyde (Tampa, FL) is a technology company dedicated to revolutionizing HIPAA and OSHA compliance for medical professionals. Launched in January 2017, Abyde was formed with the idea that an easier, more cost-effective way for healthcare providers to comply with government-mandated regulations could exist. For more information on Abyde, visit www.abyde.com. About KaizenKaizen is a technology company based in Overland Park, Kansas that provides medical and dental practices with technology solutions, support, and maintenance. Kaizen specializes in private practice IT management and provides all-inclusive IT services and support for practices across the country. For more information on Kaizen, visit www.kaizen.dental.
North Texas Dental Practice, Fined $15K for OSHA Whistleblower Violations
March 3, 2023 Blow the whistle… No, not like the 2006 Too Short song but OSHA’s Whistleblower Protection Program. Whistleblower protection laws are in place to prevent retaliation against employees who report safety violations, discrimination, or other illegal activities in the workplace. Under the Occupational Safety and Health Administration (OSHA) Whistleblower Protection Program, employees who report such violations are protected from retaliation by their employers. This protection includes not only termination but also other forms of retaliation such as demotion, reduction in pay, or denial of overtime or promotions. Why would a practice retaliate for a complaint received instead of mitigating the risk and working toward a culture of compliance? That is a $15,706 question and unfortunately, Roger and David Bohannan of Roger H. Bohannan DDS Inc. have to answer. While on furlough in early 2020, a dental hygienist and dental assistant at the practice asked what coronavirus safety measures would be in place once patients and employees returned. When the practice did reopen, those two employees were not reinstated simply because they expressed their concerns and cited guidance from the Centers for Disease Control (CDC) and OSHA. Further investigation found that Bohannan Dentristry discriminated against employees for exercising their rights under section 11(c) of the OSH Act which prohibits retaliation by employers against workers who “blow the whistle” by exposing health and safety hazards. In a statement made by an OSHA Regional Administrator in Dallas, Eric S. Harbin, “Like all workers, these two people had every right to speak up without the fear of losing their jobs. We want workers to know that OSHA is here to protect their rights, and we won’t hesitate to exercise our authority when they are violated.” OSHA administers more than 20 whistleblower statutes, with varying time limits for filing. The time frame for filing a complaint begins when the adverse action occurs and is communicated to the employee. There are varying reporting deadlines from 30-180 days specific to each statute. It is important for employees to know that they have rights under the law to report safety violations and other illegal activities without fear of retaliation. Employers have a responsibility to provide a safe and healthy workplace, and OSHA’s Whistleblower Protection Program helps to ensure that employees can speak up when they see something that is not right.
Compliance FAQs: Get Answers to Your Top HIPAA & OSHA Questions
March 11, 2024 Let’s be honest: compliance can be complicated. With all the regulations, sometimes it feels like you’re making mistakes you don’t even know. But with Abyde, it doesn’t have to be. We have an A-list Customer Success team, ready to answer your questions. This week, we’re rolling out the red carpet for these compliance experts We’re interviewing our CS celebs on the HIPAA and OSHA questions they receive the most. Read below to get the inside scoop on what you need to know for your practice. A child on a parent’s insurance just turned 18, while I know they have to sign consent forms, do the parents need consent to see or request their records? Sorry, new grown-ups! Parents do not need consent to see their child’s records, they can do so for the purposes of insurance, or payment. It has to be the minimum information shared. Oh no! An employee was poked with a contaminated needle and needs to be tested. Who is responsible for paying for the tests? The employer! It is the employer’s responsibility to take care of their employee in this situation. Whether it be through their insurance or Workers’ Compensation, or paying it directly, it is the employer’s responsibility. Why do I need a Business Associate Agreement, aren’t they already HIPAA compliant? First, Business Associate Agreements are a requirement of HIPAA, and outline the rights and responsibilities of a Business Associate (BA) and a Covered Entity’s (CE) partnership. The BA agreement keeps both parties on the same page and protects your practice if there is a breach on their end, having this documented expectation of a BA’s responsibilities. Why do I need to ask my employees if they’ve received their Hepatitis B vaccination? Well, if the employee has the potential to be exposed to Bloodborne Pathogens (BBP) or Other Potentially Infectious Materials (OPIM), the employer has to give them the option to be vaccinated. Depending on the state, your employees must be vaccinated against Hepatitis B. Do the doctors have to do HIPAA/OSHA Training? They own the practice. Yes, even if doctors own their practice, they still need to ensure compliance with HIPAA. All employees must complete training, even the owner of the practice. HIPAA regulations are designed to protect patients’ sensitive health information, regardless of whether the provider is part of a large institution or an independent practice. Therefore, doctors who own their practice must undergo HIPAA training to understand their responsibilities and ensure that their practice adheres to HIPAA regulations. Do I need to report my breach to the OCR? Just like a fender bender doesn’t require the same reporting as a 10-car pile-up, not all breaches need to be reported. For instance, breaches that affect 500 or more patients must be reported to the OCR. However, you will want to log ALL incidents in your Abyde Breach Log, even if OCR reporting isn’t necessary. As you can see, our compliance experts are here to clear up any compliance confusion for you. At Abyde, we want to simplify compliance for your practice or business, and our awesome CS team is a testament to that. To learn more about how Abyde is the solution for all of your compliance worries, email us at info@abyde.com and schedule a compliance consultation here for Covered Entities, and here for Business Associates.