May 28, 2021 News reports centered on patient privacy and COVID-19 seem to break daily, bringing newfound fame to HIPAA and even more speculation about what is, and isn't, covered by its requirements. Most recently, vaccination has been a trending headline, with the question of a "HIPAA violation" commonly featured. So while there's still plenty of uncertainty where COVID-19 is concerned, hopefully we can at least shed some light on where HIPAA truly comes into play. When it comes to the commonly asked question of whether HIPAA stops employers and other businesses from asking for vaccination records, the short answer is no. HIPAA applies only to covered entities (health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions) and their business associates. An employer, a store, or a private citizen is not regulated by HIPAA and CAN ask about vaccination status. Patients do have the right not to disclose their own health information and can decline to answer, but depending on state law and company policy there may be consequences for doing so. Kayte Spector-Bagdady, a lawyer and bioethicist at the University of Michigan, highlights the popular misconception: "People often feel like HIPAA protects them from being asked about their medical information, or prohibits other people from asking about their medical information. Neither is true. HIPAA prohibits health professionals, such as your doctor, from sharing your identified health information without your permission in most circumstances. People can always ask about your health information, and you can almost always decline to answer." So where does HIPAA come in? As we just mentioned, healthcare organizations and their business associates are regulated under the federal law, meaning that your practice can NOT disclose a patient's vaccination information (or any other protected health information) to an employer unless the patient has signed a valid HIPAA authorization or another Privacy Rule exception, such as a disclosure required by law, applies.
So, say a patient's employer calls your office to ask about their employee's vaccination status. Under the HIPAA Privacy Rule you cannot disclose that information without the patient's written authorization, and doing so would be a HIPAA violation. Keep in mind, too, that a caller claiming to be the patient's employer gives you no basis to disclose anything anyway: the Privacy Rule requires you to verify the identity and authority of anyone requesting PHI before releasing it. While vaccination status and test results are the trending topics at the moment, these rules apply to every kind of patient health information, not just what's related to COVID-19. And while the public health emergency still leaves a lot of unanswered questions, when it comes to your practice's ability to disclose protected health information (PHI), HIPAA still applies.
OCR Announces HIPAA Settlement with Peachstate Clinical Laboratory for Security Rule Violations
May 25, 2021 No matter the time of year, HIPAA enforcement never goes out of season, and we have today's announcement from the Office for Civil Rights (OCR) to prove it. The latest HIPAA settlement, the sixth of the year, involves Peachstate Health Management, LLC, a clinical laboratory based in Georgia that provides diagnostic and laboratory-developed tests. The violations stemmed from Peachstate's failure to meet several HIPAA Security Rule requirements and led to a $25,000 payment and a three-year corrective action plan issued by OCR, a result that probably didn't leave the organization feeling too peachy after all. So what happened? It may seem like comparing apples to oranges when looking at what triggered this settlement versus the ones we've recently seen centered on patient right-of-access violations and large cyberattacks. But the latest settlement resulted from a chain of very relevant factors, from a data breach to telehealth and business associates, with systemic noncompliance at its core. It started back in 2015, after the U.S. Department of Veterans Affairs (VA) reported a data breach involving its telehealth services program, which was managed by its business associate, Authentidate Holding Corporation (AHC). A year later, OCR initiated a compliance review of the business associate's program and uncovered that AHC and Peachstate had entered into a reverse merger in January 2016, whereby AHC acquired Peachstate. As a result of this finding, OCR opened a separate compliance review of Peachstate and found that the clinical laboratories were ripe for the picking, with ongoing noncompliance in the following key areas: In addition to the fine and extensive corrective action plan that OCR issued, its message for other healthcare organizations is the cherry on top and should not be taken lightly. Note how this one unfolded: the review that caught Peachstate began with someone else's breach, and an acquisition brought the acquired company's compliance posture under the same scrutiny as the business associate already under investigation.
"Clinical laboratories, like other covered health care providers, must comply with the HIPAA Security Rule. The failure to implement basic Security Rule requirements makes HIPAA regulated entities attractive targets for malicious activity, and needlessly risks patients' electronic health information," said Robinsue Frohboese, Acting OCR Director. "This settlement reiterates OCR's commitment to ensuring compliance with rules that protect the privacy and security of protected health information." In other words, the only way to avoid being the low-hanging fruit for a HIPAA violation is to make sure your healthcare organization has met the basic Security Rule standards that Peachstate was missing. And while an apple a day might keep the doctor away, this latest settlement is yet another example of why having a complete compliance program in place is so essential to keeping your practice away from OCR scrutiny and avoiding a HIPAA fine like this one.
Abyde partners with Arizona Dental Association to provide comprehensive HIPAA compliance solutions to Arizona dental practices
May 12, 2021, Tampa, FL – Today, Abyde announced its latest partnership, with the Arizona Dental Association, which will deliver its user-friendly HIPAA compliance software solution to AzDA members. This collaboration with the Arizona Dental Association further reflects Abyde's continued efforts to help independent dental practices meet mandatory government requirements in the simplest way possible. The partnership will provide AzDA members with essential tools to achieve HIPAA compliance on an ongoing basis. Abyde's software solution is designed to let a dental practice of any size implement and sustain a comprehensive HIPAA compliance program. Its approach guides providers through mandatory HIPAA requirements such as the Risk Analysis, HIPAA training for doctors and staff, managing Business Associate Agreements, customized policies and more. "As the government continues to show a clear focus on HIPAA non-compliance, having a complete and ongoing compliance program in place is more important now than ever," said Matt DiBlasi, President of Abyde. "Teaming up with the Arizona Dental Association will provide Abyde's intuitive compliance solution to even more of Arizona's dental providers, giving them confidence and peace that their HIPAA program is up to par." "The Arizona Dental Association is excited to work together with Abyde to provide our members with the tools to help achieve HIPAA compliance," said AzDA Manager of Communications/Business Development Jeremy Tuber. "We're hoping our members find instant value in the Abyde solution." About Abyde Abyde (Tampa, FL) is a technology company dedicated to simplifying HIPAA compliance for medical professionals. Launched in January 2017, Abyde was formed with the idea that there could be an easier, more cost-effective way for healthcare providers to comply with government-mandated HIPAA regulations. For more information on Abyde visit abyde.com.
About AzDA The Arizona Dental Association (AzDA) is the voice of dentistry in Arizona. With over 2,500 member dentists, the AzDA is dedicated to empowering members to advocate for better oral health of Arizonans and provide the highest quality care for their patients. Read the full press release here.
HIPAA Protected Health Information
May 7, 2021 Most healthcare professionals understand that many of HIPAA's regulations are about safeguarding protected health information (PHI), but there is much confusion in attempting to define what PHI actually is and is not. We all know that things like Social Security numbers and bank account information should be kept under lock and key, but it's not just the obvious details that could be used maliciously. These are only two of the 18 identifiers named in HIPAA's Safe Harbor de-identification standard; health information tied to any one of them is PHI, and it takes only one falling into the wrong hands for your practice to have a HIPAA breach on its hands. So fully safeguarding this sensitive data starts with a complete understanding of what needs to be protected and why. What are PHI and ePHI? PHI is individually identifiable health information, in any form or medium, that is created, received, maintained, or transmitted by a covered entity or its business associate (BA): health information that identifies the patient, or that could reasonably be used to identify them. Between the many documents, forms, records, and other communications your practice handles daily, PHI is more than likely present in most if not all of them. As the 86% of providers currently using electronic health records (EHR) can attest, much of this handling is electronic, and PHI in electronic form is electronic protected health information (ePHI), which is what the Security Rule specifically covers. So whether the information is transmitted, received, or simply stored on paper or electronically, if it contains any one of the following identifiers, it needs to be properly protected: Why does it need to be protected? So now that you know what fits the bill of PHI, it's important to know why and how it should be protected.
To hackers and other individuals with malicious intent, a healthcare practice holding patients' sensitive information is a gold mine: by some estimates a single medical record can sell for up to $250 on the black market, versus around $5.40 for financial and banking information. Why such a large price tag on PHI? Unlike a credit card, if your health information gets into the wrong hands you can't cancel it or change it. Healthcare data breaches are hard to detect, and once that information is out there, it's much more difficult to get back. How should it be protected? As the 18 identifiers show, PHI comes in many shapes and sizes, and protecting it takes more than locks on your doors and passwords on your computers. The HIPAA Security Rule requires administrative, physical, and technical safeguards for ePHI, and the Privacy Rule requires reasonable safeguards for PHI in every form. Those safeguards protect PHI while it is stored and handled within your practice; encryption protects its confidentiality when it is sent, received, or carried on portable devices, and proper disposal (shredding paper, wiping or destroying media) is crucial when the PHI is no longer needed. Two caveats worth knowing: encryption is an "addressable" specification under the Security Rule, which does not mean optional; if you decide not to encrypt, you must document why and what equivalent measure you use instead. And under HHS guidance, ePHI encrypted in line with the referenced NIST standards is not "unsecured" PHI, so a lost encrypted laptop is generally not a reportable breach as long as the key was not also exposed, while a lost unencrypted one is. So now that you know the what, why, and how, let's talk about the who. With patient complaints and data breaches continuing to hit all-time highs, it's more important than ever to ensure that everyone who works with your patients' PHI is doing so properly. Best protecting your patients means conducting regular HIPAA training for all staff members, having signed business associate agreements with every third-party vendor that handles PHI on your behalf, and maintaining a complete compliance program that meets these government requirements and encompasses all the necessary safeguards.
While understanding exactly what PHI is and how it should be protected might still be a bit confusing, thanks to Abyde, it doesn’t have to be! Meeting HIPAA standards and safeguarding PHI has never been easier with Abyde’s revolutionary approach and team of HIPAA experts there to support you every step of the way. Schedule a complimentary one-on-one consultation to learn more!