August 27, 2021
It’s understandable for healthcare organizations to sometimes feel drowned by responsibilities. In addition to the ongoing balance of patient care and running a business that you’re already tasked with, having to add compliance into the mix can make for some especially muddy waters to tread. However, the compliance struggle is more than just having yet another thing added to your list. It is all of the complexity and confusion that surrounds it. And since the word “compliance” covers many different legal, ethical and professional standards, it’s not always easy to decipher which items are a must-have to keep your practice afloat.
So when it comes to the responsibilities of your practice, though providing quality healthcare and protecting your patients is always a must, not all organizations have to follow the same requirements. Because of this, one question in particular that seems to leave practices scratching their heads is, “Are we responsible for providing fraud, waste, and abuse training to employees?”
What is fraud, waste and abuse training?
If you are familiar with fraud, waste and abuse (FWA), you most likely understand the impact it has on the healthcare industry and why it’s so important to prevent. All employees within a healthcare organization should know what FWA is and how to avoid it, the same as they should know what HIPAA is and how to protect patient health information. However, while annual HIPAA training is a legal requirement with specific stipulations for compliance, the rules are a bit different when it comes to education for FWA.
Previously, the Centers for Medicare and Medicaid Services (CMS) required both Medicare Part C (Medicare Advantage) and Part D (Prescription Drug Coverage) plans, along with all participating healthcare organizations, to meet the annual fraud, waste and abuse training requirement. Training was to be provided to all employees within the first 90 days of onboarding and on an annual basis thereafter. The goal was to clearly identify what fraud, waste and abuse is and ensure all health plan providers and their “downstream, related entities” (a.k.a. healthcare organizations like you) have the know-how to properly detect, correct, report and ultimately prevent instances of FWA.
Now, if you’re already meeting HIPAA training requirements (fingers crossed that you are), the stipulations for FWA training probably seem straightforward enough. However, in typical government fashion, with legislation comes continual change, and as of January 1, 2019, the CMS officially updated the standard to only apply to Medicare service providers – not Medicaid – based on the feedback they received regarding the burden of the requirement. But before all the non-Medicare providers who are currently reading go to click the “x” at the top of this page, there are other specific insurance plans that may require their covered entity providers to complete some type of healthcare fraud training. One thing to keep in mind is that even if your organization doesn’t fall into these parameters, providing FWA education for all employees is certainly beneficial.
So, getting back to that commonly asked question – the requirements for offering fraud, waste and abuse training really just depend on the healthcare plan that your organization provides. Luckily, finding answers can be a simple process, as most plans provide their specific standards for not only training but general FWA compliance online. Additionally, there is the CMS’s online resource that’s free to the public.
In summary, including fraud, waste and abuse education as a part of your staff compliance training doesn’t have to be complicated. And with the costly impact that FWA and noncompliance can have on your organization, providing this training (even if you aren’t required to) can make all the difference in keeping your practice’s head above water and avoiding a violation or fine that could otherwise put you under.
Abyde partners with VDA Services to provide comprehensive HIPAA compliance solutions to Virginia dental practices
August 18, 2021
August 18, 2021, Tampa, FL – Today, Abyde announced their latest partnership with VDA Services that will help deliver their user-friendly HIPAA compliance software solution to even more of Virginia’s dental professionals. This collaboration will provide VDA members with all of the tools and support necessary to achieve a complete HIPAA compliance program with little time and effort required.
Abyde’s partnership with VDA Services showcases their continued mission to revolutionize HIPAA compliance by providing a simple and intuitive solution that fits perfectly with dental providers’ day-to-day operations. Abyde’s software solution is the easiest way for a dental practice of any size to implement and sustain a comprehensive HIPAA compliance program. The revolutionary approach to HIPAA compliance guides providers through mandatory HIPAA requirements such as the Risk Analysis, HIPAA training for doctors and staff, managing Business Associate Agreements, customized policies and more.
“Our partnership with VDA Services emphasizes our joint commitment in protecting dental practices from the continued rise in cyber threats and patient complaints seen within the healthcare industry over recent months,” said Matt DiBlasi, President of Abyde. “We are thrilled to be a part of the VDA’s proactive approach in helping their members avoid hefty HIPAA penalties as well as assist in safeguarding their patients’ sensitive information through a simplified compliance program.”
“The Virginia Dental Association strives to empower the dental community through innovation and our collaboration with Abyde falls perfectly in line with that vision,” said VDA President Dr. Frank Iuorno, Jr. “We’re confident that our members will find Abyde’s solution and team to be the total-package in alleviating their HIPAA stress.”
About Abyde
Abyde (Tampa, FL) is a technology company dedicated to revolutionizing HIPAA compliance for medical professionals. Launched in January 2017, Abyde was formed with the idea that there could exist an easier, more cost-effective way for healthcare providers to comply with government-mandated HIPAA regulations. For more information on Abyde visit abyde.com.
About VDA Services
VDA Services (Richmond, VA) is a subsidiary of the Virginia Dental Association. The Virginia Dental Association is a professional membership organization with 4,000 members across the Commonwealth. The VDA’s mission is to represent and serve member dentists by fostering quality oral health care and education. The VDA provides continuing education, advocacy and practice support for its member dentists to further that mission.
The Security Risk Analysis and its Many Misconceptions
August 13, 2021
HIPAA is kind of like a puzzle – without having each and every individual requirement in place, your practice can’t consider itself fully compliant. But much like building a jigsaw blindfolded, it’s a lot harder to piece together the big picture of compliance with all of the misconceptions out there masking what HIPAA’s requirements actually entail.
Now, the first piece in this so-called “HIPAA puzzle” is the Security Risk Analysis (SRA), which requires all covered entities to assess any potential risks and vulnerabilities to protected health information (PHI) based on the physical, technical, and administrative safeguards that their organization has in place. It’s essentially just a self-evaluation that helps lay the groundwork for a complete HIPAA program AND is the first thing a practice will be asked to provide in the case of an audit. But despite its importance, only 14% of entities actually fulfill the requirement – so what is causing this lack of compliance, and why does the SRA seem like an unsolvable puzzle in itself?
A large piece of the widespread noncompliance is all of the confusion that surrounds the ‘what, why, and how’ of the SRA. This is why, in order to ensure all organizations know how to complete the first part of the big HIPAA puzzle, we need to break down the myths vs. the facts.
Myth #1: Small practices and independent providers don’t need to worry about the SRA.
False: All providers, no matter the size or specialty, are covered entities under HIPAA and are therefore obligated to perform a risk analysis along with all other requirements under HIPAA law.
Myth #2: My Electronic Health Record (EHR) takes care of privacy and security, so I don’t need to complete an SRA.
False: Even with a certified EHR, the risk analysis isn’t completed for you. The EHR vendor may provide information and training on the privacy and security aspects of their product, but they are not responsible for privacy and security compliance within your practice. Additionally, an SRA involves all PHI within your organization, including what isn’t housed in your EHR, like paper records and files.
Myth #3: My IT company handles a full SRA.
False: Similar to the confusion around your organization’s EHR, IT companies might help to assess technical safeguards and identify technical risks, but they do not provide a comprehensive analysis of all aspects of your organization to cover the administrative and physical requirements.
Myth #4: I can use a templated checklist to complete my SRA.
False: While the government does provide some tools that can be used as helpful guidance for conducting an SRA, in order for the analysis to meet the requirements it must assess specific elements of your organization and practice operations, which may differ from the types of things assessed in a template or generic checklist.
Myth #5: The SRA is a one-time thing and as long as I completed it once, I’m good to go!
False: The HIPAA Security Rule specifically states, “the risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.” But although your organization does need to be conducting an SRA on a continual basis, this doesn’t mean that each year you’ll need to start over from scratch. It’s important (and required) that you update your SRA annually at the very least, as well as any time there are changes to your practice or systems, to identify any changes in risks and maintain the necessary safeguards within your organization.
While we hope our little game of “myth busters” helped clarify any confusion around what goes into completing this requirement and why it’s so important, we know that it might’ve also caused some concern about how a small, independent practice is supposed to tackle all of this alone. Completing a comprehensive analysis (on an ongoing basis), along with the proper documentation and risk mitigation that’s required, involves time, resources, and expertise that might seem unfeasible to a small or medium-sized organization.
But luckily there are outside resources available to help debunk the other misconception that completing an SRA HAS to be challenging. So while your practice can tackle this requirement DIY-style, a software solution like Abyde makes it so you don’t have to – providing all the tools and support to guide you through the misconceptions and help to put the pieces into place so that your practice can easily complete the puzzle of HIPAA compliance. Schedule a one-on-one consultation today to see where your practice currently stands and how Abyde makes meeting the SRA – and all other HIPAA requirements – a breeze!
Fraud, Waste, and Abuse in Healthcare
August 6, 2021
Fraud, waste, and abuse are three little words that have impacted the rising cost of healthcare in a way that’s anything but little. Now, most are probably aware that U.S. health expenditures are growing at a rapid rate, and have been for many years. And while there are many reasons that resulted in the healthcare industry closing out 2020 with a whopping $3.8 trillion tab – ‘fraud’ is a five-letter word that can account for about $60 billion of it. So with an issue this common and costly, how can patients and providers help to stop it?
What is it?
Now, you’ve probably heard of fraud, waste, and abuse before and can associate each of them with nothing but bad news, but what exactly do they mean to healthcare specifically?
Who can commit fraud?
The answer to this question is pretty much anyone. This includes doctors, patients, billing services…you name it. That being said, as a healthcare provider, it’s your job to not only ensure that you aren’t partaking in any fraudulent activities but also to be on the lookout for them among your staff, patients, and billing providers.
How do I prevent it?
As a provider, it’s important to develop appropriate prevention policies for your organization that outline best practices for avoiding and detecting healthcare fraud, waste, and abuse. According to the HHS Office of the Inspector General, this program should “establish a culture within an organization that promotes prevention, detection, and resolution of instances of conduct that do not conform to Federal and State law, and Federal, State and private payer healthcare program requirements, as well as the organizations’ ethical and business policies,” and include some of the following components:
In helping to reduce and ultimately prevent fraud and abuse, it’s important for your organization to not only have the proper compliance programs in place but also take additional measures such as:
With billions of dollars lost each year to health care fraud in the U.S., and the costly impact an investigation could have on your organization’s reputation and revenue, it’s important to have the processes in place to detect and prevent fraud and abuse. Ensuring that your practice is meeting all areas of healthcare compliance, including a complete HIPAA program, is essential to keeping up with government standards and best protecting your patients.
So while the rising cost of healthcare might not be totally avoidable, having the right compliance programs in place means that the expense of a HIPAA or fraud violation can be. And with penalties ranging from fines of hundreds of thousands of dollars to, in some cases, jail time, proactively preventing incidents before they happen and ensuring complete compliance is priceless.