June 21, 2021

Imagine if each sport didn’t have its own set of rules – we’d have baseball players tackling each other in the outfield and hockey players kicking the puck down the ice in front of a stadium full of confused fans without a clue as to what they’re supposed to be cheering for. These unique sets of guidelines tailored specifically to each sport enable athletes to excel and spectators to appreciate what they’re watching. Without them, the games wouldn’t make much sense. So while the excitement of HIPAA is nowhere near anything you might find in a sports arena, having a rulebook specific to your organization is essential to ensuring patients’ sensitive information is being handled properly and HIPAA requirements are being upheld.

HIPAA law came into play back in 1996 to set a national standard for how protected health information (PHI) should be handled and protected. Part of its requirements include the implementation of “reasonable and appropriate” policies to comply with these standards, but what exactly does reasonable and appropriate mean? Essentially, your organization is required to have policies and procedures in place that set expectations for how PHI should be handled, guide daily work operations and ensure consistency in patient care. But just as the specific rules differ for a game of football versus tennis, a small eye care facility has different expectations and work operations than a large hospital would – and therefore requires its own unique HIPAA rulebook.

What Do These Documents Include?

For any HIPAA fanatics out there, you might already be familiar with the Security Rule’s provisions around the administrative, technical and physical safeguards necessary for protecting PHI, which cover a wide range of requirements like completing a Security Risk Analysis (SRA), implementing facility access controls and maintaining up-to-date asset logs. So in looking at the documentation requirements, your policies should outline these required safeguards as well as the standard procedures your organization follows to implement these protections. While the full list of documents and their included content will vary based on your organization’s size and specialty – there are some must-have elements that each rulebook should contain, including:

How Should These Policies & Procedures Be Implemented?

While the list provided above is definitely extensive and probably brings to mind an image of an overflowing HIPAA manual, it’s only a sample of all the policies and procedures that your organization could potentially need to implement. And while yes, you can find templates for the majority of these policies online, and even some directly on the HHS website, they lack an especially important element of the HIPAA requirement – customization. The latest HIPAA Industry Audit Report uncovered widespread non-compliance with the policy and procedure requirement – a major red flag being the common usage of “template policy manuals that contain no evidence of entity-specific review or revision and no evidence of implementation” (their words, not ours). This lack of entity-specific evidence came as a result of organizations not including details like their practice name and HIPAA Compliance Officer (HCO) contact information within each policy document – which are important elements of actually fulfilling this requirement.

In addition to providing specific details about your organization itself, another piece of the “customization” requirement is taking into consideration certain state laws that might take precedence over HIPAA. It’s important to ensure that policies covering things like breach reporting and responding to record requests meet the most stringent timeframes and requirements that apply where your facility is located. So in order to meet this important HIPAA standard, the ball is truly in your court. As new opponents like legislative changes, technology advancements and evolving patient needs require adjustments in your organization’s operations – your policies and procedures must reflect these updates accordingly.

But having the proper documentation and specific content included isn’t all that’s needed to make the cut. Providing employee training on a continual basis is essential to getting staff members up to speed on how they should be running the plays and ensuring that PHI is being handled correctly within your practice. So when it comes to developing a winning HIPAA strategy, having a comprehensive set of properly documented policies and procedures that are understood and followed by everyone within the organization is the best way to stay in the HIPAA compliance game.
What is a HIPAA Notice of Privacy Practices & Why Do You Need One?
June 10, 2021

Whether you’re a self-appointed 5-star chef or an Uber Eats connoisseur, you know that skipping one small ingredient (or forgetting the guacamole on your Chipotle burrito) can throw the whole meal off. And while there aren’t many similarities between cooking up your famous casserole dish and implementing a complete HIPAA program – both require various steps that are each essential to the final product. So amongst the exhaustive list of HIPAA essentials like the Security Risk Analysis (SRA), annual staff training, business associate agreements and more – falls an important and often overlooked ingredient in achieving compliance: the Notice of Privacy Practices (NPP).

What is it?

Under the HIPAA Privacy Rule, covered entities are required to provide patients with a notice that states how their protected health information (PHI) will be used and shared. In a nutshell, the purpose of the document is to clearly outline the practices you have in place to protect the privacy of sensitive data (hence the name Notice of Privacy Practices), along with your organization’s legal responsibilities and patients’ rights to their own PHI.

What’s in it?

Creating a proper notice requires a little prep work, so in looking at the meat and potatoes of what goes into this important HIPAA document, the NPP should include a description of the following:

How do I provide it?

It’s one thing to have all of the ingredients needed for the NPP, but the part that often gets healthcare organizations in a pickle is determining how to properly and securely serve it to patients. Typically, the notice is given to a patient at their first appointment along with other important documents like the HIPAA authorization form. But simply getting a copy signed once isn’t all that’s needed. Most practices don’t understand that it’s also a HIPAA requirement to post the notice in a clear location that is easily accessible to the patient. Additionally, if your practice has a website, a copy of the NPP should be posted and readily available there as well.

Why is it so important?

Compared to the many other more complex pieces of a complete HIPAA program, putting together a Notice of Privacy Practices seems almost as easy as whipping up a box of Kraft Mac and Cheese. However, according to the most recent HIPAA Audit Results, only 2% of covered entities fully met the NPP requirements, while two-thirds failed to comply or made only minimal or negligible efforts to do so. So why is there such an overwhelming amount of noncompliance for a relatively easy standard to meet? Well, the report found that many of the entities audited were able to submit some type of document, but the majority could not provide a notice that was written in plain language, and most were missing required content, often related to individual rights. In addition to the widespread lack of proper content within the notice, the report also found that many entities failed to meet the “prominently posted” requirement. This meant that even if an entity had the notice and posted it on their website – if it wasn’t easily accessible from the website’s homepage, it didn’t cut it in the OCR’s books.

Some food for thought?

Having a complete compliance program in place starts with following the recipe of HIPAA requirements. Ensuring that your practice has a properly written and accessible NPP might only be a small piece of the whole HIPAA pie – but just like forgetting to add yeast when baking the crust, missing one requirement – even if you have everything else in place – can cause all of your other compliance efforts to fall flat.
Abyde teams up with AlignLife to deliver simplified HIPAA compliance solutions
June 9, 2021

June 9, 2021, Tampa, FL – Abyde, a user-friendly HIPAA compliance software solution for independent practices across the United States, is thrilled to announce its ongoing expansion and new partnership with AlignLife as their preferred HIPAA compliance provider. Together with AlignLife, Abyde will provide essential HIPAA compliance programs designed to complement chiropractic practices’ day-to-day operations. The partnership will give AlignLife practitioners exclusive access to a comprehensive HIPAA compliance solution that helps meet government-mandated requirements and safeguard against the recent rise in HIPAA violations and data breaches.

Abyde’s software solution is the easiest way for independent providers to implement and sustain comprehensive HIPAA compliance programs. The revolutionary approach to HIPAA compliance guides practices through mandatory HIPAA requirements such as the Security Risk Analysis, HIPAA training for doctors and staff, managing Business Associate Agreements, dynamically generated policies and more.

“We are honored to join AlignLife in providing tools that enhance workflows for their providers and practices – allowing them to focus on their patients, not administrative burdens,” said Matt DiBlasi, President of Abyde. “HIPAA compliance is a necessity for independent providers and we look forward to bringing education and resources to simplify meeting these complex government requirements.”

“AlignLife is focused on improving independent practice management, and our partnership with Abyde is a step in the right direction for our providers to ensure compliance,” said Keri Quin, Director of Franchise Support. “We are confident in their leading solution and know our practitioners will find instant value in the HIPAA compliance programs they provide.”

About Abyde

Abyde (Tampa, FL) is a technology company dedicated to revolutionizing HIPAA compliance for medical professionals. Launched in January 2017, Abyde was formed with the idea that there could exist an easier, more cost-effective way for healthcare providers to comply with government-mandated HIPAA regulations. For more information on Abyde visit abyde.com or email marketing@abyde.com.

About AlignLife

Since 1999, it’s been our mission to provide the opportunity for our patients and their families to live a life full of vitality and optimal health. And our focus on health and wellness is not solely to make you healthy, it’s to prepare your body to achieve your life’s goals, whatever they may be.
OCR Announces 19th Right of Access Settlement
June 2, 2021

With the official kickoff of summer only a few weeks away, the Office for Civil Rights (OCR) is getting some last-minute spring cleaning in – announcing its latest HIPAA settlement with a practice whose Privacy Rule violations couldn’t be swept under the rug. Diabetes, Endocrinology & Lipidology Center, Inc. (DELC) was handed a $5,000 fine and tasked with a two-year corrective action plan (CAP) to help clean up a “HIPAA mess” that started back in 2019.

Today’s fine marks the 19th Patient Right of Access settlement since the OCR officially announced its initiative two years ago. And ironically enough – around the same time that the government was declaring its focus on enforcing the standards around patient rights, DELC became a perfect example of just how many practices weren’t upholding them. The incident began in July of 2019 when a parent requested access to her minor child’s health records. After DELC failed to take timely action in response to the request, a complaint was filed with the OCR in early August 2019. It wasn’t until the OCR got involved that the healthcare organization finally provided access, almost two whole years after the initial request.

Though the fine amount might seem on the lower end of what the OCR typically doles out, the corrective action plan has plenty of requirements to make up for it, and just to name a few:

This hefty “honey-do list” shows that the dollar amount doesn’t cover all the costs associated with violating HIPAA, and proves why it’s so important to get your practice’s compliance efforts in order before an incident occurs. So while DELC took longer to fulfill the request than it would take to dust off every book in the Library of Congress, the OCR hasn’t delayed in performing quite a bit of housekeeping itself. With 19 settlements and $1,093,500 collected on behalf of patient right of access violations, the OCR has stuck to its initiative and continued to sweep up any and all violators. And though the settlements all range in resolution amount, corrective action requirements, and organization size and specialty – the message has always been the same, and was reiterated by Acting OCR Director Robinsue Frohboese: “It should not take a federal investigation before a HIPAA covered entity provides a parent with access to their child’s medical records. Covered entities owe it to their patients to provide timely access to medical records.”