March 26, 2021 Looks like the Office for Civil Rights (OCR) just decided to play a quick round of 18 – announcing their 18th right of access settlement (and second of the week) with yet another practice who’s HIPAA compliance efforts were well below par. Village Plastic Surgery (“VPS”) was the latest to tee off against the OCR in a matchup that resulted in a $30,000 fine and two year corrective action plan. And with the 17th right of access settlement announced only two days ago – the tough loss endured by the New Jersey-based provider was just par for the course. The round began back in September of 2019, after a patient filed an all too familiar complaint to the OCR that the practice had failed to respond to their record request that was made a month prior. Unlike previous settlements where the organization was first provided with technical assistance, all it took was a single patient complaint for the OCR to determine that VPS failed to meet right of access standards – setting the tone that there are no mulligans when it comes to a HIPAA violation. It’s pretty clear that if you’re not meeting HIPAA requirements, becoming the next opponent on the OCR’s lineup is anyone’s game. But if two fines in one week don’t drive the point home, maybe the latest statement from OCR Director Robinsue Frohboese will be right on target: “OCR’s Right of Access Initiative continues to support and enforce individuals’ vital right to receive copies of their medical records in a timely manner, covered entities must comply with their HIPAA obligations and OCR will take appropriate remedial actions if they do not.” So, with $5,540,000 collected in HIPAA fines just in 2021 alone and patient right of access being a clear government focus – ensuring that your practice’s compliance program is up to par is the best and only way to steer clear of the next round of OCR enforcement.
OCR Continues to Take Non-Compliance By Storm – Announcing 17th Right Of Access Settlement
March 25, 2021 We are definitely no meteorologists over here but if there’s one pattern that we’ve gotten pretty good at predicting, it’s the government’s focus on HIPAA non-compliance. And with another right of access settlement hitting our inboxes just yesterday – it’s looking like HIPAA enforcement season is in full effect. Arbour, Inc., d.b.a Arbour Hospital (“Arbour”), was the latest to get caught in the Office for Civil Rights (OCR) storm – but instead of heavy rainfall and thunder, the Massachusetts-based behavioral health provider was hit with a whooping $65,000 fine and corrective action plan. The announcement marks the 17th right of access settlement since the OCR declared their enforcement initiative back in the fall of 2019, proving that whoever said that lightning never strikes the same place twice clearly didn’t know HIPAA. Arbour first showed up on the OCR’s radar back in July of 2019, after they received a complaint alleging that the practice had failed to respond to a patient’s record request in a timely manner. Despite the OCR providing technical assistance, the practice took a rain check on providing record access and a second patient complaint came rolling in later that month. As a result of the OCR’s investigation, Arbour finally provided the patient with their records more than 5 months after the patient’s initial request – making the perfect storm for a HIPAA violation. With 17 cases settled and $1,068,500 collected in fines since the right of access initiative began, it’s looking like when it rains, it pours as far as OCR enforcement is concerned. And if the numbers aren’t telling enough, Acting OCR Director Robinsue Frohboese made their storm-warning loud and clear in her latest statement: “Health care providers have a duty to provide their patients with timely access to their own health records, and OCR will hold providers accountable to this obligation so that patients can exercise their rights and get needed health information to be active participants in their health care.” A key takeaway from the 17 practices’ caught in the government’s flood zone? In more than half of the published settlements, the organization was notified twice by the OCR and provided with technical assistance. And if they had listened to the first warning siren, they could’ve potentially avoided the settlement entirely. Since taking timely action in response to a patient’s records request has shown to be an ongoing issue for covered entities of all specialties and size – with the proposed HIPAA Privacy Rule changes shortening the record response time from 30 days to 15 days, we can foresee dark skies ahead if practices don’t start complying. So, how do you avoid the hailstorm that comes with an OCR audit? Simply put, ensuring your practice adheres to state and federal Patient Right of Access laws while also having the necessary policies and procedures to back it up is a great place to start. But in order to fully weather the elements of government enforcement, you must meet ALL of the requirements that fall under the HIPAA umbrella and keep your compliance program a priority come rain or shine.
HIPAA vs Online Reviews: A Primetime Matchup
March 18, 2021 Let’s face it, social media and the internet tend to call the plays when it comes to our decision-making. Whether you’re shopping for a new car or just deciding between tacos or pizza for dinner, seeing a one-star review pop up under your Google search is a total red flag. So, when 95% of patients say that online reviews are reliable and over 70% say that reviews have influence over their choice of physician – being on the receiving end of a bad review can feel like a total cheap shot. There’s really no such thing as pleasing everyone – and as a practice owner, having to deal with some unhappy patients just kind of comes with the territory. Even all-star’s get the occasional “boo” from the crowd and seeing a patient post “100% would NOT recommend!!” about your practice can be a hard hit to recover from. As much as we all want to come to our own defense, choosing to fight back does a lot more damage than just taking the ‘L’ in the online face-off with a patient. Just take it from the dental practice who was slammed with a $10,000 fine for including sensitive patient information in their response to a Yelp review. You might be thinking if someone submits a review about my practice aren’t they already admitting that they’re a patient themselves? Though you aren’t totally wrong, HIPAA law is in place to protect patients’ privacy – and a patient submitting a review is NOT authorization for you to go and release their sensitive information when responding. So, while there might not be a winning playbook for how to keep your patients happy, there are some guidelines for how to best handle online reviews: Since there’s no one-size-fits-all response for any and every online review, your practice may receive some feedback that seems a bit out-of-left-field, and knowing how to handle it might be tricky. So to give you some sideline practice, let’s pretend you just received this negative review: “I had to wait over an hour to be seen and the doctor was rude and rushed through my appointment. Overall it was a terrible experience and I will not be back.”– Negative Nancy A bad response for your practice would be: “We’re sorry you had a bad experience during your appointment, however, our records show that you were late to your appointment which therefore caused a delay in your wait time.” A HIPAA-compliantresponse would be: “Our practice’s scheduling policy allows for adequate time with the doctor in order to keep our appointments running on time. However, due to emergency situations, it is possible for us to run behind schedule occasionally. We appreciate your feedback and are committed to providing the best patient care; you’re always welcome to contact our office if you would like to discuss further.” It’s pretty easy to see why response #1 would probably end up on Sportscenter’s Not Top 10 Plays of the Week – but unfortunately, we are seeing more and more real-life examples of practice comments similar to this one. With patient complaint numbers on the rise and proposed regulation updates centered around improving patient rights, the Office for Civil Rights (OCR) has definitely made it clear that they’ll be bringing their “A” game on HIPAA enforcement. Online reviews (both good and bad) should be handled with extreme care not only to protect your practice’s reputation amongst prospective patients but also to avoid any flags thrown by the OCR. So, while we hope that you won’t have to go head-to-head with a one-star Google review anytime soon, following HIPAA best-practices when and if you do will be the ultimate game-changer.
Abyde joins forces with Maine Medical Association to deliver HIPAA compliance solutions to independent medical practices
March 17, 2021 March 17, 2021, Tampa, FL – Abyde, a user-friendly HIPAA compliance software solution for independent practices, today announced it has teamed up with Maine Medical Association (MMA) to deliver comprehensive HIPAA compliance solutions and education to MMA members. In light of the continued Office for Civil Rights (OCR) enforcement efforts seen over the recent months in addition to proposed HIPAA changes, there is no better time for practices to ensure they have a complete HIPAA program in place. Abyde’s collaboration with Maine Medical Association showcases efforts to help MMA practices meet this need and will provide MMA members with all the necessary tools and support to manage HIPAA compliance on an ongoing basis. Abyde’s software solution is the easiest way for any sized medical practice to implement and sustain comprehensive HIPAA compliance programs. Abyde’s revolutionary approach guides providers through mandatory HIPAA requirements such as the Security Risk Analysis, HIPAA training for doctors and staff, managing Business Associate Agreements, customized policies and more. “Our collaboration with Maine Medical Association emphasizes the value and peace of mind providers have found with Abyde’s comprehensive solution,” said Matt DiBlasi, President of Abyde. “We understand the difficulty for practices to keep HIPAA compliance a priority especially as regulations are constantly changing, and we couldn’t be more excited to help alleviate the HIPAA-stress from even more independent providers.” About Abyde Abyde (Tampa, FL) is a technology company dedicated to revolutionizing HIPAA compliance for medical professionals. Launched in January 2017, Abyde was formed with the idea that there could exist an easier, more cost-effective way for healthcare providers to comply with government-mandated HIPAA regulations. For more information on Abyde visit abyde.com. Read the full press release here.
Comment Period Extended for Proposed HIPAA Privacy Rule Modifications
March 11, 2021 HIPAA law is officially getting with the times thanks to the proposed Privacy Rule modifications that are giving the “prehistoric law” a new modernized look. While the planned updates were officially announced last December, the Department of Health and Human Services (HHS) has just added a 45-day extension on the comment period – giving the public some more time to weigh in on what they want they want the updated legislation to cover. The original HIPAA Privacy Rule came on the scene in 2003 – you know, like when disposable cameras and listening to Shake Ya Tailfeather by Nelly on your iPod were cool? With as much as technology has changed the world around us, it only makes sense that the laws governing data protection follow suit. Especially since they haven’t changed since being created in the “stone-ages.” The new proposed changes go hand-in-hand with the evolving needs of patients and providers to address the issues of patient right of access and “unnecessary regulatory burdens.” Each of these have proven to be trending areas of focus in recent OCR enforcement efforts with three out of the four settlements announced in 2021 resulting from right of access complaints. But improving patient rights and boosting care coordination isn’t only in the government’s best interests, “OCR anticipates a high degree of public interest in providing input on the proposals because the HIPAA Privacy Rule affects nearly anyone who interacts with the health care system,” Acting OCR Director Robinsue Frohboese stated in response to the recent announcement. “The 45-day extension of the comment period to May 6, 2021, will give the public a full opportunity to consider the proposals and submit comments to inform future policy.” Now, we know what you’re probably thinking – is there really a high degree of public interest over HIPAA???? While the idea might come as a bit of a surprise – the major spike in patient complaints, data breaches, and government enforcement seen over just the past year have given the law some new-found fame. And since everyone loves a good comeback story, this HIPAA revival has proven that staying up on the latest and greatest in regulation changes is worth keeping on your radar. So, even though the new extension buys you some more time to comply with the proposed updates – it’s never too early to meet mandatory HIPAA requirements. Unfortunately, the reality is that most practices today would need to perform an excavation, chiseling through mountains of dust, to bring their HIPAA compliance program out of the dark ages. If your compliance program resembles something that hasn’t been touched since Tom ruled MySpace, getting up with the times is not an option and upgrading to an electronic HIPAA solution is the perfect place to start. Want to put in your ‘two cents’ on the proposed Privacy Rule updates? Just visit the Federal Register to read the official rule proposal and submit your comments!
Does having a ‘HIPAA Compliant’ Seal Make You Compliant?
March 3, 2021 Short answer? Nope. Long answer, having a ‘HIPAA compliant’ seal can actually get you in hot water – just ask SkyMed International, Inc., who was hit with a 20-year corrective plan – no, not by the Office for Civil Rights, but by the Federal Trade Commission (FTC). FTC? What? That’s right, this recent HIPAA related event actually got a business in trouble for displaying a ‘HIPAA Compliant’ seal, when the organization falsely advertised their ‘compliance’…except that they ended up experiencing a massive data breach exposing the sensitive information of over 130,000 individuals and after investigation were found to be anything but HIPAA compliant. So, when it comes to those ‘seals of compliance’ you’ve probably heard about or seen around, in most cases they don’t mean anything – and could actually wind up getting a practice in trouble for false advertising. There’s no industry certification around HIPAA – trust us, we would be first in line if there was! – and having a certified statement is also a no-go, since there’s no legitimate organization that offers those certifications to back it up. If you DO have a HIPAA seal or badge of some kind, don’t panic! That doesn’t mean you’re in trouble – depending on what your seal proclaims. Where the FTC raises the red flag is if there’s any statement of ‘compliance’ included. On the flip side, consumers can get peace of mind when they know their healthcare provider has a compliance program (note, program, not statement OF compliance) in place. So if you indicate that you follow HIPAA best practices, carry on! If, however, your website states that you ARE compliant, you may want to double-check your verbiage before the FTC gets involved. As much as we wish HIPAA could be as simple as just following a checklist once and receiving a nice shiny badge of compliance that your practice’s website could wear proudly, it’s not. HIPAA compliance is an ongoing process and requires constant review and updates for ANY organization, regardless of their size or specialty. So while a compliance seal isn’t an option – maintaining a complete compliance program is (and a required one at that!)
Abyde expands HIPAA compliance solutions to serve enterprise-level organizations
March 2, 2021 Abyde, a user-friendly HIPAA compliance software solution designed for independent providers, today announced the launch of a new complementary Enterprise product designed with medium to large organizations in mind. HIPAA compliance has remained a priority for the Office for Civil Rights with historic enforcement activity in 2020. Recently announced audit data revealed only 2% of covered entities met all HIPAA compliance requirements, and only 14% completed the required Security Risk Analysis to assess their physical, technical and administrative safeguards. For larger organizations, implementing an efficient HIPAA compliance program for multiple locations has remained a daunting task. Abyde Enterprise works to solve these HIPAA headaches, allowing HIPAA program administrators to easily navigate between locations, view their compliance program at a glance, and simplify shared compliance responsibilities with an innovative multi-user functionality. The complementary product reimagines Abyde’s already industry-leading features, which guide providers through mandatory HIPAA requirements, with new tools and reporting capabilities to better serve organizations who have 2 to 2,000 locations. “Abyde Enterprise is a game-changer for larger organizations and just another example of how Abyde is revolutionizing HIPAA compliance,” said Matt DiBlasi, President of Abyde. “We’re thrilled to bring to market a one-of-a-kind solution that will truly make HIPAA compliance as easy as possible for companies who must effectively manage multiple locations.” “Abyde Enterprise is all I’m ever going to need for HIPAA compliance,” said Amanda Bailey from Triad Eye, an Abyde user who recently upgraded to Enterprise. “I’ve been really impressed how Abyde Enterprise might be even easier to use than standard Abyde – which I could have never thought was possible! Every multi-location practice out there should be using Abyde Enterprise!” About Abyde Abyde is a healthcare technology company on a mission to revolutionize HIPAA compliance for medical professionals. Launched in 2016, Abyde has become the preeminent solution for independent practices to achieve and maintain government-mandated HIPAA compliance, serving thousands of practices of all sizes across the nation. The industry-leader, Abyde combines an intuitive software with personal support for an experience so simple, ‘easy’ is an understatement. To see how, visit abyde.com today. Read the full press release here.