April 29, 2021

The book you started but never finished, the closet in desperate need of reorganization, the dreaded check engine light in your car: there are plenty of tasks we need to do but never seem to find the time for. Without another set of hands and ten extra hours in the day, it is easy to keep putting off the items that aren't at the top of the priority list and focus on the ones that are. There is nothing wrong with setting some things aside for later, but too often medical practices treat their HIPAA compliance program the way homeowners treat cleaning out the gutters, as a nuisance task for 'later'. Given how central the law is to keeping protected health information (PHI) safe and secure, and how costly a failure can be for your organization, HIPAA deserves more precedence than it usually gets.

HIPAA may not always be front and center, but it plays a supporting role in your everyday work more than you might realize. Common misconceptions about what the law actually requires, and what being fully compliant entails, make it hard to give credit where credit is due. So, to give HIPAA the spotlight it deserves and show how much the law shapes your daily operations, let's walk through a day in the life of Sally Sue, the office manager.

Today starts like any other day at the practice: Sally settles in at her desk, logs into the practice's EHR system, and listens to the voicemails missed overnight. One patient called to request that her son's medical records be sent to another provider. Sally (large coffee in hand, ready to tackle the day) returns the call right away to ask whether the patient would like the records sent electronically or as a paper copy by mail.
After the record request has been handled, Sally checks the appointment log and notices that one of the first appointments is with a new patient. Following the practice's onboarding procedure, she gets the Notice of Privacy Practices (NPP) and the patient consent form ready to be signed as soon as the patient checks in.

After a busy morning of phone calls and appointments, Sally takes her lunch break and sifts through the practice's unread email. One message looks like it comes from a credit card company, says there is an overdue balance, and includes a link to make a payment. Because she keeps up with the news, Sally knows that phishing is common, especially in healthcare, so instead of clicking the link she calls the credit card company (using the number on file, not one from the email) to check whether the message is legitimate. When they confirm it is a scam, she deletes the email and lets the HIPAA Compliance Officer know about the attempt and the red flags to watch for.

Luckily the rest of the day is crisis-free, and Sally has some downtime to review the practice's handbook and manual, since she is working on moving everything over to electronic management. In what seems like no time it is almost 5:00 and the practice is getting ready to close. Today is one of Sally's favorite colleagues' last day before she moves out of state. After some going-away cake and a thank-you for all she has done, Sally collects her keycard, removes her from every user account, and changes the access codes and shared passwords, then logs out of her own computer and heads home for the night.

As you can see, and can probably relate, Sally had a busy day that warrants a free pass on the spring cleaning and car maintenance still sitting on her 'when I get around to it' to-do list.
BUT, as you can also see, whether it is responding to patient record requests, getting the necessary patient authorization forms signed, offboarding employees, or simply logging into the practice computer with a secure password, the requirements and safeguards of the HIPAA Privacy and Security Rules weave in and out of most of a practice's daily operations.

If your practice handles HIPAA with as keen an eye as Sally does, you probably don't have too much to worry about. But imagine if she hadn't responded to that record request promptly and the patient filed a complaint with the Office for Civil Rights (OCR). Or if she had clicked the link in the phishing email and attackers gained access to the practice's sensitive data. Or if she had forgotten to log out of the computer at the end of the day and there was a break-in overnight. Any one of these scenarios could have ended in a violation and a hefty fine for the practice if HIPAA precautions weren't kept in mind throughout the day.

Thanks to HIPAA, safeguards exist to help prevent data breaches and patient complaints, and the law requires healthcare organizations to uphold them. So no matter how busy life gets, protecting patients' sensitive information is not something you can save for a rainy day, and making sure you have a complete HIPAA program in place that meets all government requirements should always be a priority.
OCR Alert Warns of Postcard Disguised as Official Government Communication
April 28, 2021

You've got mail! The Office for Civil Rights (OCR) has issued an alert warning of a HIPAA scam that may be hitting your mailbox. The government was recently made aware that postcards disguised as official OCR communication were being sent to health care organizations, informing recipients that they needed to complete a "Required Security Risk Assessment" and directing that completed assessments be sent to a non-governmental marketing consulting website that has since been taken down. This mailed scare tactic came from a private entity and should NOT be mistaken for an official notification from the OCR or the U.S. Department of Health and Human Services (HHS).

In addition to keeping an eye out for these counterfeit postcards, the OCR recommends verifying any and all "government" communications to confirm they are actually official, and alerting all staff members to do the same. Official OCR email addresses end in @hhs.gov, and the OCR suggests asking for a verification email from the investigator's hhs.gov address. The OCR also publishes the addresses of its headquarters and regional offices at https://www.hhs.gov/ocr/about-us/contact-us/index.html; any address printed on a communication you receive should be checked against that list.

This isn't the first, and probably won't be the last, alert about this type of HIPAA scam. In August 2020 a similar incident occurred: fraudulent postcards labeled as coming from the OCR told healthcare organizations to complete a mandatory HIPAA compliance risk assessment and directed them to another marketing consulting website. Fake postcards seem to be a favorite approach, but it is important to stay alert to every kind of HIPAA scam, especially as hackers and other parties with malicious intent get more creative in their efforts.
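As an added example (not code from the original post or from HHS/OCR), here is a small Python check that applies the alert's "ends in @hhs.gov" test to an e-mail From header and labels the common ways a scam address imitates the real one. The hhs.gov domain is the one named in the alert; the sample headers and the category names are constructed for this example.

```python
"""Apply the OCR alert's 'ends in @hhs.gov' test to an e-mail From header.

Added example for this post; not code from the original page or from
HHS/OCR. The expected domain comes from the alert's own guidance; the
sample headers and the category names below are constructed here.
"""
from email.utils import parseaddr

EXPECTED_DOMAIN = "hhs.gov"  # the domain the OCR alert says official mail ends in

# Constructed sample From headers, one per way a scam can imitate the real thing.
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@hhs.gov>",                                    # genuine form
    "jane.doe@HHS.GOV",                                               # same, different case
    "OCR Investigator <ocr@hhs.gov.risk-assessment.example>",         # real domain used as a prefix
    "Compliance Desk <notices@hhs-gov.example>",                      # near-miss spelling
    "HHS Office for Civil Rights <audit@compliance-mailer.example>",  # only the display name looks official
    "billing@cardservices.example",                                   # unrelated sender
    "Required Security Risk Assessment",                              # no address at all
]


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the *address* in a From header.

    The display name is ignored on purpose: a sender can put anything there,
    so it proves nothing about where the message came from.
    """
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def is_from_domain(from_header: str, expected: str = EXPECTED_DOMAIN) -> bool:
    """True only when the address domain is exactly `expected`.

    An exact comparison is what 'ends in @hhs.gov' amounts to: it rejects
    'x@hhs.gov.example' (suffix appended) and 'x@nothhs.gov' (prefix added),
    which a naive substring or endswith("hhs.gov") check would accept.
    """
    return sender_domain(from_header) == expected.lower()


def classify_sender(from_header: str, expected: str = EXPECTED_DOMAIN) -> str:
    """Label a From header as ok / lookalike / display-name-spoof / foreign / unparseable."""
    display, _addr = parseaddr(from_header)
    domain = sender_domain(from_header)
    expected = expected.lower()
    org_label = expected.split(".")[0]  # "hhs"
    if not domain:
        return "unparseable"
    if domain == expected:
        return "ok"
    # Not the real domain, but it borrows the name: hhs.gov.example, hhs-gov.example, nothhs.gov
    if expected in domain or org_label in domain:
        return "lookalike"
    # Unrelated domain, but the display name claims to be the agency.
    if org_label in display.lower():
        return "display-name-spoof"
    return "foreign"


def triage(headers) -> dict:
    """Map each From header to its classification; anything but 'ok' needs verifying out of band."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_HEADERS).items():
        print(f"{verdict:20s} {header}")
```

The exact-match rule means a message from a subdomain such as something@ocr.hhs.gov is flagged as a lookalike rather than accepted; that follows the alert's wording, and widening it to accept subdomains should be a deliberate decision. Note also that a "ok" verdict only means the header is well formed and names the right domain; headers can be forged, so the alert's advice to request a verification email from the investigator still stands.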
Though this postcard is by no means an official government communication, the mandatory Security Risk Analysis (SRA) at its center should not be overlooked. If fulfilling this HIPAA requirement worries you more than the scam itself, you're not alone. In fact, the OCR's most recent HIPAA audits industry report found that only 14% of covered entities and 17% of business associates had a proper SRA in place. If your practice falls in the large majority that aren't meeting this standard, this OCR alert is one more reason to fix that, and a software solution like Abyde gives you the tools and resources needed to get there.
Oregon Optometric Physicians Association & Abyde Partner To Deliver HIPAA Compliance to Independent Eye Care Providers
April 21, 2021

Industry-leading HIPAA compliance solution provider Abyde and the Oregon Optometric Physicians Association (OOPA) today announced a partnership that will offer Abyde's simplified and comprehensive HIPAA program to OOPA's members. This year has already brought several updates to government requirements and new legislation, such as the 21st Century Cures Act rule that took effect earlier this month, which has made keeping up with the latest HIPAA changes harder for providers to manage on their own. Abyde's partnership with OOPA will help more Oregon eye care professionals implement and maintain a complete HIPAA program that makes meeting mandatory government requirements simple.

Abyde's software solution is the easiest way for an eye care practice of any size to implement and sustain a comprehensive HIPAA compliance program. Abyde's approach guides providers through mandatory HIPAA requirements such as the Security Risk Analysis, HIPAA training for doctors and staff, managing Business Associate Agreements, customized policies and more.

"Our latest partnership with Oregon Optometric Physicians Association will deliver Abyde's revolutionary solution to their members and help them easily navigate through the complexities associated with meeting HIPAA standards," said Matt DiBlasi, President of Abyde. "We are excited to share valuable tools and resources with even more of Oregon's eye care professionals and help them meet essential government requirements in the easiest way possible."

"Teaming up with Abyde is a testament to our mission of advancing the professional practice of optometry and we are thrilled to partner with an organization dedicated to helping providers easily manage a complete compliance program," said Geoff Knapp, executive director of OOPA.

About Abyde
Abyde (Tampa, FL) is a technology company dedicated to revolutionizing HIPAA compliance for medical professionals.
Launched in January 2017, Abyde was formed with the idea that there could exist an easier, more cost-effective way for healthcare providers to comply with government-mandated HIPAA regulations. For more information on Abyde visit abyde.com.

About Oregon Optometric Physicians Association
OOPA's mission is to promote, protect and advance the professional practice of optometry.

Read the full press release here.
When & Why You Need a Business Associate Agreement
April 20, 2021

We've all heard the saying 'sharing is caring', but sometimes doing a good deed can steer you into consequences down the road. Say you loan your car to your best bud, whose "quick trip to the store" actually consists of running red lights and racking up parking tickets. You might not have been the one in the driver's seat, but your name is the one on all the lovely fines that wind up in your mailbox, not your BFF's.

You're probably wondering where we're going with this. Cars and protected health information (PHI) don't have much in common, but the story shows how certain situations call for extra precautions to minimize the risk of being held responsible for someone else's wrongful actions. That is especially true when working with, and sharing, something as valuable as sensitive health information.

HIPAA provides a fairly specific roadmap for how your practice should safeguard PHI and sets standards that, if not met, can result in a hefty fine. But with all the government requirements, advances in technology, and changing patient needs, it is impossible today to run a practice without third-party vendors. Whether it's an outside medical billing company, IT support, or a document shredding company, any vendor that creates, receives, maintains or transmits PHI on your practice's behalf is a business associate (BA) and needs its own set of directions for proper handling. Just as covered entities have obligations under HIPAA, so do business associates, and one of the most important is a documented, signed Business Associate Agreement (BAA). A BAA is a written contract between your organization and the business associate that spells out each party's responsibilities when accessing and maintaining PHI. It does not take your own obligations off your plate, but it does make the business associate directly accountable for the terms it agreed to, so your practice is not left holding the bag alone if an incident occurs.
As you wouldn't hand your keys to just anyone without laying down some ground rules first, the same goes for providing access to patients' sensitive health information. Like most contracts, the terms of a proper BAA can be lengthy and will vary with the type of vendor, but these are the basic HIPAA requirements that should be covered:

- Permitted uses and disclosures of PHI
- Specific safeguards the BA is expected to establish
- Breach notification requirements
- Policies and procedures for providing access to PHI at your practice's or a patient's request
- Business associate training requirements
- Guidelines for how PHI is to be returned or destroyed when the BAA ends

Meeting the requirements for what a BAA must contain is just the first stretch of the drive. A question we are often asked is, "What if one of my vendors refuses to sign?" Since a signed BAA with every business associate is a HIPAA requirement, the sensible move is to put the brakes on any working relationship with a vendor that won't agree to your terms and conditions.

Just last year a medical practice found itself the victim of a HIPAA hit and run: it filed a breach report stating that its EHR company was blocking access to the practice's ePHI until the practice paid $50,000. The business associate may have been the driving force of the incident, but because there was no BAA in place, the $100,000 settlement fell solely on the provider. A Business Associate Agreement not only lays out the rules of the road for handling PHI, it holds the BA accountable for non-compliance that happens when they're behind the wheel.
Having a proper agreement in place with every vendor you work with puts their obligations to protect your patients' PHI in writing, and leaves your practice far better positioned if a regulator ever asks how that PHI was safeguarded.
What is the HIPAA Whistleblower Exception?
April 8, 2021

Acting out a word or phrase in a game of charades is a perfect party activity, but a guessing game isn't much fun when it comes to reporting a work-related incident. Whether you're playing a round of "Guess Who" or simply following your practice's policies and procedures, not everybody plays by the rules. Unfortunately, hackers and other outsiders with malicious intent are not the only risk to your patients' protected health information (PHI); it is more common than you might think for the biggest offenders in improper access and disclosure to come from inside your organization.

When you uncover an internal incident, knowing how to report the rule-breaker without violating HIPAA yourself can feel like guesswork. What happens if you notice Sally Sue making copies of a patient's health records for non-work-related reasons? Or catch Doctor Dan improperly administering prescriptions to patients? Given how heavily the privacy and security rules emphasize proper disclosure of PHI, it is understandable to worry that reporting a HIPAA violation could implicate you in one yourself. But even a charades champion can't report an incident effectively without the details needed to build the case.

So while HIPAA does establish privacy and security standards that restrict the release of PHI, there is a caveat, if specific criteria are met, for bringing malicious activity within the practice to light: the HIPAA Whistleblower Exception.

What are the HIPAA whistleblower exception requirements?

Despite the name, the whistleblower exception has nothing to do with whistles and everything to do with protecting staff and patients from backlash when they report unlawful conduct within a practice.
Under the exception, it is not a violation of the HIPAA Privacy Rule for a workforce member or business associate to disclose PHI, as long as they believe in good faith that either:

The exception is a two-part test. After determining whether the incident meets the requirements for what can be reported, the next move is knowing whom you can and can't make the disclosure to. We recommend first going to your HIPAA Compliance Officer (HCO) for help handling the situation (as long as they aren't involved in the incident themselves). The whistleblower exception also names specific parties to whom the disclosure may be made, including:

While we'd like to hope that everyone in your organization plays fair and square, if you do catch a coworker snooping through patient files it is important to know whom you can disclose the incident to, and that you may include specifics such as the patient's name and the type of health record that was accessed. If the requirements are met and followed properly, employees can report non-compliant behavior without fearing that a HIPAA violation or a termination letter will follow. Whether you can act to protect patients' privacy and security should never be a guessing game, and thanks to the provisions of the HIPAA whistleblower exception, the cards are stacked in your favor.
Abyde joins forces with Dental Ops to deliver HIPAA compliance solutions to independent dental practices
April 7, 2021

Tampa, FL – Abyde, a provider of user-friendly HIPAA compliance software, announced today a new partnership with Dental Ops to deliver industry-leading HIPAA compliance solutions to dental practices and professionals across the nation. With new legislation such as the recently passed HIPAA Safe Harbor Law and the 21st Century Cures Act rule taking effect in early April, it continues to be challenging for independent practices to keep up with the changing regulatory environment. Abyde's partnership with Dental Ops will help more dental practices manage HIPAA compliance programs by providing a simple solution that meets all government requirements.

Abyde's software solution is the easiest way for a medical practice of any size to implement and sustain a comprehensive HIPAA compliance program. Abyde's approach guides providers through mandatory HIPAA requirements such as the Security Risk Analysis, HIPAA training for doctors and staff, managing Business Associate Agreements, customized policies and more.

"We empathize with the challenges providers have trying to meet complex and ever-changing HIPAA requirements. This is especially true today as so many dentists are continuing to feel the effects of COVID-19 coupled with their already heavy workload," said Matt DiBlasi, President of Abyde. "We are thrilled to team up with Dental Ops to ease the HIPAA compliance burden by implementing our revolutionary software solution for dental practices nationwide."

"Dental Ops is proud to offer our users only the best products and services, and we're thrilled to partner with an organization dedicated to helping dental providers navigate the complexities of HIPAA compliance," said Matthew Jarvis, President of Dental Ops.
"We know our users will find instant value in the peace of mind and simplicity Abyde offers."

About Abyde
Abyde (Tampa, FL) is a technology company dedicated to revolutionizing HIPAA compliance for medical professionals. Launched in January 2017, Abyde was formed with the idea that there could exist an easier, more cost-effective way for healthcare providers to comply with government-mandated HIPAA regulations. For more information on Abyde visit abyde.com.

About Dental Ops
The Dental Ops team provides back-office administration to dentists nationwide, reducing in-office expense and headache: insurance verifications and claims follow-up, risk management and accounting processes, HR and payroll.

Read the full press release here.
Premiering Now | The 21st Century Cures Act
April 2, 2021

Roll back the curtains and cue the drumroll, because it's the moment we've all been waiting for: the 21st Century Cures Act is finally making its big debut. The rule implementing it, issued by the Office of the National Coordinator for Health Information Technology (ONC), officially takes effect on April 5, bringing several advancements to healthcare and technology that are sure to live up to the hype. So if you're a healthcare provider and you use any sort of healthcare application, we hope you have your popcorn ready, because this one's for you!

Let's take it from the top: what even is the 21st Century Cures Act? The HITECH Act and, more recently, the HIPAA Safe Harbor Law have already set the stage with legislative requirements that put technology and healthcare in the spotlight. The Cures Act goes a step further as the sequel to these health IT laws, outlining how practices and healthcare app developers can manage the balancing act of giving patients easy access to their electronic protected health information (ePHI) while still maintaining data privacy and security.

Ultimately, patients play the starring role in the Cures Act requirements, getting the red carpet treatment to access their health records in the way they want to receive them, whether through an app, another EHR, or a similar electronic system. This 'patients first' focus is at the center of HHS's work toward a value-based health care system and enables:

How does it impact me?

This star-studded piece of legislation features many improvements for healthcare and technology that you don't want to miss. So now what? Wondering how this new law changes HIPAA requirements? Spoiler alert: it doesn't. All of the HIPAA requirements around data privacy and security, proper disclosure, and patient record access requests still apply alongside the new legislation and should not be forgotten.
Having a complete HIPAA compliance program in place is the groundwork for protecting patient data and underpins what the Cures Act requires. If recent enforcement efforts haven't given you enough of a preview, the government is a tough critic of noncompliance: in the latest round of HIPAA audit results, 94% of audited covered entities fell short of the standard. So having a complete compliance program that meets all requirements, including those the Cures Act brings, is key to keeping your practice out of the limelight of enforcement and avoiding an Oscar-worthy HIPAA fine.