December 28, 2021 Break out your pen and paper because if you haven’t already started your list of new year’s resolutions, the past 12 months have given us plenty of ‘New Year, new me’ examples to take note of. From ratified legislation and appointed government officials to trending cyberthreat tactics (and binge-worthy Netflix series), there have been plenty of ways that 2021 has said, “out with the old, and in with the new”. But while the world around us continues to evolve, the importance of protecting your patients is something that has not and will never falter. So as we wrap up yet another eventful year – let’s take a look at what’s changed, what’s stayed the same and what we can expect to see from HIPAA as we take on 2022. Proposed HIPAA Privacy Rule Modifications 2021’s transformations began even before the new year countdown started with the announcement of proposed HIPAA Privacy Rule modifications made back in December 2020. The government’s proposed modifications help bring the HIPAA Privacy Rule up to current technology standards and address things like removing the barriers to value-based health care, reducing “unnecessary regulatory burdens” and improving the privacy of protected health information (PHI). These highlights only brush the surface of what the 357-page document aims to amend but until the ruling is officially finalized, it’s important for your practice to ensure your HIPAA compliance program is up to date and easy to manageas we should anticipate the new requirements coming into effect in the new year. HIPAA Safe Harbor Law 2021 checked off another one of its resolution list items back in early January by officially signing the HIPAA Safe Harbor Bill into law. The amendment of the HITECH Act takes into account whether healthcare organizations have “recognized cybersecurity practices” in place and allows for some leniency in fines and other enforcement actions in the case of a data breach. While there’s a bit of fine print to follow, the biggest thing for your practice to know is that as long as you have a Security Risk Analysis (SRA), technical safeguards, and other HIPAA Security Rule basics down – you can not only reduce the penalties associated with a data breach but lessen your chances of falling victim in the first place. 21st Century Cures Act Following the Safe Harbor Law’s lead, the 21st Century Cures Act came into effect just a few months later in April of 2021. The new legislation directed by the Office of the National Coordinator for Healthcare Technology (ONC) is centered around the ongoing balancing act that healthcare providers and app developers face in giving patients easy access to their ePHI while still maintaining data privacy and security. With patients at the focus, the Cures Act requirements enable things like transparency into the cost and outcomes of patient care, easier access to health data through apps that meet modern patient needs and the prevention of information blocking. Now, this law also requires a bit of further reading to see just how it impacts your practice but having a complete HIPAA program lays the foundation for meeting these additional requirements and ultimately protecting patient data. Proposed Budget & New Appointed OCR Director If all the new legislation wasn’t enough of a tell-tale sign that 2021 was the year of protecting patient rights along with healthcare and technology – the proposed 2022 HHS budget that increases its funding for those areas specifically sure is. In early June, the Biden Administration released their proposed budget calling for additional spending to better safeguard the healthcare industry from evolving cyber threats and support government efforts in compliance enforcement. This additional spending comes in the form of over $200 million for several different cybersecurity measures and $67 million in funding for the HHS and their HIPAA enforcement efforts. Much of this proposed budget includes an increase in hiring for these specific government agencies with the hope to add 39 staff members to the Office for Civil Rights (OCR) specifically. But the initiatives don’t just stop at the dollar signs – this past September the HHS officially appointed Lisa J. Pino as the new Director of the OCR, marking another step in the right direction of continuing their mission. HIPAA Waivers Extended In the midst of all the change, there have been some things that have stayed the same – one of them being the extension of the HIPAA Waivers and Enforcement Discretions. At the onset of COVID-19, the government issued a National Public Health Emergency. With it came several waivers and flexibilities that work in mitigating the risks to the health of the general public while assisting healthcare providers with the necessary accommodations to continue caring for their patients. So after several extensions to the waiver’s expiration date, we are starting off our second new year with the Public Health Emergency status with the hopes that the current end date of January 16, 2022 sticks. But even with the current flexibilities still in place, it’s important to adhere to HIPAA requirements for telehealth and PHI disclosure to avoid any violations once the enforcement discretion is lifted. Patient Right of Access Enforcement Now a seasoned veteran to the regulatory priority list, Patient Right of Access violations has had yet another impactful year in HIPAA enforcement. 2021’s Right of Access settlements has brought the total violation number to 25 and dollars collected to $1,505,650 since the government announced their initiative back in 2019. And just a few weeks ago, the OCR announced 5 Right of Access settlements in one day alone. So as the government’s focus on timely medical record access continues to reign, your practice should be adding HIPAA right of access standards to the top of your 2022 to-do list too. Data Breaches Last but certainly not least comes another trend that has shown little to no signs of stopping – data breaches. Between ransomware threats, phishing schemes, accidental disclosures and business associate incidents, 2021 has put up record numbers. And just in the past year alone, a total of 550 covered entities had experienced a data breach putting the PHI of over 40 million individuals at risk. So while maintaining strong cybersecurity within your organization is easier said than done, knowing how to identify a cyber threat and having
Virginia Optometric Association and Abyde partner to deliver HIPAA compliance to independent eye care professionals
December 27, 2021 December 27, 2021 – Tampa, FL – Today, industry-leading HIPAA compliance solution provider Abyde announced their latest partnership with Virginia Optometric Association (VOA), offering a complete user-friendly HIPAA program to VOA’s members. The new partnership with Virginia Optometric Association will provide their eyecare members with the foundation needed to start the new year off compliant and stress-free! Abyde’s software solution and team of HIPAA experts are the perfect complement to an independent provider’s day-to-day operations, simplifying complex government requirements and revolutionizing complete HIPAA compliance. Abyde’s software solution is the easiest way for eye care professionals to implement and sustain comprehensive HIPAA compliance programs. Abyde’s revolutionary approach to HIPAA compliance guides practices through mandatory HIPAA requirements such as the Security Risk Analysis, HIPAA training for doctors and staff, managing Business Associate Agreements, dynamically generated policies and more. “Partnering with VOA allows for even more of Virginia’s eye care professionals to have access to Abyde’s simplified solution, helping them meet essential government compliance requirements in the most efficient and cost-effective way,” said Matt DiBlasi, President of Abyde. “We are thrilled to share valuable resources necessary to thrive in today’s environment with Virginia Optometric Association members.” “Our partnership with Abyde gives our members unmatched education, tools and resources necessary to a complete HIPAA compliance program,” said Bo Keeney, VOA Executive Director. “We are confident our VOA members will find that HIPAA compliance can be the easiest part of running their practice with Abyde’s industry-leading solution.” About Abyde Abyde (Tampa, FL) is a technology company dedicated to revolutionizing HIPAA compliance for medical professionals. Launched in January 2017, Abyde was formed with the idea that there could exist an easier, more cost-effective way for healthcare providers to comply with government-mandated HIPAA regulations. For more information on Abyde visit abyde.com. About Virginia Optometric Association Virginia Optometric Association (Henrico, VA) is the only state association representing Virginia doctors of Optometry. Our mission is to promote eye health, vision, and the advancement of Virginia Optometry. For more information on Virginia Optometric Association visit thevoa.org. Read full press release here.
NJ Attorney General Imposes $425,000 Fine to Put out the Fire of HIPAA Violation
December 21, 2021 Handling sensitive information without having the right safeguards in place can be like playing with fire, and we’ve all seen enough headlines to know just how easily a data breach can send a healthcare organization up in smoke. Just last week, the New Jersey Office of the Attorney General and its Division of Consumer Affairs announced a $425,000 settlement with Regional Cancer Care Associates LLC (RCCA). Along with the payment, RCCA has agreed to strengthen data security and privacy practices to prevent further breaches. The investigation was sparked back in 2019 after RCCA reported two separate data breaches involving the protected health information (PHI) of 105,000 individuals. The first of the two breaches occurred after several RCCA employees fell victim to a targeted phishing scheme that gave unauthorized access to patient data stored on those accounts from April – June 2019. The phishing scheme exposed driver’s license, Social Security, and financial account numbers along with other health records. While the threat of a phishing scheme can be better avoided through proper cybersecurity measures and employee training, the even bigger problem began in RCCA’s attempt to put out the first set of flames. Following the Breach Notification Rule, the cancer care provider notified impacted patients in July of that same year. However, the third-party vendor they used to provide this notice, improperly mailed notification letters intended for 13,047 living patients by addressing the patients’ perspective next-of-kin. This mistake resulted in patients’ relatives being informed of their medical conditions without consent – essentially just adding even more fuel to the blaze that the initial breach set off. Now just one lit match wouldn’t ignite a settlement of this proportion, but rather RCCA’s failure to do all of the following: So while the rising trend of healthcare data breaches won’t be easily extinguished, keeping your practice best-protected starts with having a complete HIPAA and cybersecurity program in place. Better staff education and compliance measures should be a top priority and the message from Acting Attorney General Bruck stating, “We require healthcare providers to implement adequate security measures to protect patient data, and we will continue to hold accountable companies that fall short,” is hopefully something that will spark some change.
HHS Issues Guidance on HIPAA Disclosures for Extreme Risk Protection Orders
December 20, 2021 To combat HIPAA’s common misconception of acting as a barrier law, the Department of Health and Human Services (HHS) along with the Office for Civil Rights (OCR) has continued to emphasize that the law does not simply prohibit PHI disclosure altogether but rather permits the safe sharing of relevant information when necessary. While we’ve recently seen information published in response to HIPAA’s role in a public health emergency and disclosure of vaccination status – just today the government issued guidance addressing another widely important concern. The latest announcement helps clarify how the HIPAA Privacy Rule permits covered health care providers to disclose protected health information (PHI) for the purpose of extreme risk protection orders (ERPO) and to prevent an individual in crisis from accessing firearms. This guidance follows suit with the U.S. Department of Justice’s model extreme risk protection order legislation and aims to support law enforcement, family members and others who intervene in an effort to prevent firearm injuries and deaths. The issued guidance speaks to HIPAA’s requirements in relation to ERPO laws, stating that the Privacy Rule does allow a health care provider to disclose PHI in support of an application for an ERPO against an individual in limited circumstances. HIPAA allows entities to share an individual’s PHI without authorization if they feel that the individual poses a danger to themselves or others, if the disclosure is required by law, or when the disclosure is in response to an order of a court or other lawful process. It details specific examples for each permission along with general considerations for meeting the Privacy Rule’s “minimum necessary” standard. This standard requires covered entities and business associates to make reasonable efforts to limit the PHI disclosed to the minimum necessary to accomplish the intended purpose of the use or request. In response to the issued notice, recently appointed OCR Director, Lisa J. Pino states that, “HIPAA should not be a barrier to communication for law enforcement, concerned family members, health care providers, and others when they see an individual in crisis. Today’s guidance helps clarify legal requirements and to better support individuals in crisis.” This guidance is essential in not only improving the public’s safety but clarifying any confusion that could get in the way of doing that. “Too often, communities bear the weight of heartbreaking tragedies caused by the epidemic of gun violence in our country,” said HHS Secretary Xavier Becerra. “Today’s guidance on HIPAA and Extreme Risk Protection Orders is an important step the Biden-Harris Administration is taking towards protecting communities from gun violence by allowing law enforcement, concerned family members, or others to prevent a person in crisis from accessing firearms.” HIPAA plays a key role in not only protecting the privacy and security of patients’ health information but permitting health care providers to intervene in a safe and appropriate matter if ever necessary. So when it comes to keeping your patients and your practice’s best interest at heart, understanding HIPAA law and following guidance such as the one released today, is vital.
The Security Risk Analysis: Setting the Pace for MIPS and HIPAA Compliance
December 6, 2021 As a healthcare provider, tackling your daily to-do list probably feels like running a marathon without a finish line at times. You’re tasked with managing a successful business, keeping up with ever-changing legislation and new technology all the while having to ensure that your top priority of patient care never falls behind. But despite the challenging course, there’s a benefit to keeping pace with both quantity and quality. And thanks to Value-Based payment programs like MIPS and other government incentives like the HIPAA Safe Harbor Law, providers are rewarded for going the extra mile. You’ve most likely heard of the Merit-based Incentive Payment System (MIPS) and might even be participating in it already. But whether it’s a Quality Payment Program or new legislation passed into law – the government is continually emphasizing the importance of being proactive rather than reactive and providing incentives for doing so. This is why there’s so much value in knowing what your organization is eligible to participate in (or using government lookup tools like this one if you don’t) and getting yourself on track to ensure that no money is being left on the table. Because many of these different program requirements fall right in line with the standards your practice already has to meet under HIPAA law – protecting your patients, checking off compliance requirements and receiving incentives can often be done all in one stride. So, what exactly is MIPS? To take a quick step back, MIPS is one of two payment tracks under the Medicare Quality Payment Program and is a system used by the Centers for Medicare and Medicaid Services (CMS) to measure eligible clinician performance and reward high-value, low-cost care. MIPS participants can receive a payment adjustment to their Medicare reimbursements based on their performance scores across four different categories being: Now achieving high scores in each of those categories requires some endurance but luckily, your organization can check several quality and interoperability objectives off just by utilizing a compliant and reputable EHR system. But before you can get to these different performance measures, there’s a prerequisite for even participating in the MIPS Promoting Interoperability performance category which also just happens to be a front-runner for achieving HIPAA compliance and taking advantage of other government incentives like the Safe Harbor Law – the Security Risk Analysis (SRA). The SRA is not only a requirement for MIPS participation but is also the first step in achieving a complete HIPAA compliance program. Conducting an SRA involves assessing any potential risks to your organization’s ePHI and implementing the necessary security updates and safeguards to mitigate whatever vulnerabilities were found. To fulfill MIPS and HIPAA law standards, your organization must complete an SRA annually at minimum and should continually review and update the analysis to address any changes in your technology or practice operations throughout the year. In addition to being a necessary stride towards implementing a complete HIPAA compliance program and enabling your practice to participate in MIPS reimbursements, the SRA is also key in ensuring your patient’s sensitive health information is best protected. As the healthcare industry continues to emerge as a top target for data breaches – having the proper cybersecurity practices in place are essential. The government recognizes these additional hurdles that providers are faced with, and knows the importance of identifying and mitigating security risks within the organization before an incident occurs. This is exactly where the HIPAA Safe Harbor Law that we keep mentioning comes into play. The legislation passed in January of 2021, basically says that organizations can receive reduced HIPAA fines and penalties if they have the proper security measures in place – step number one being (you guessed it) a properly completed SRA. But while it’s one thing to know why your organization should be meeting the requirement, it’s another to actually know what to do to get your practice off the starting blocks – and avoid the many misconceptions that might slow you down. Luckily a solution like Abyde makes conducting a thorough and accurate assessment of your organization a breeze. With dynamically generated questions to cover all the necessary safeguards and ongoing compliance assessments to ensure any identified risks are mitigated – you can feel confident that your organization is covered. Even though throwing in the SRA to your already jam-packed to-do list might seem like adding miles to the track, with Abyde you can score your best time and complete this key requirement in just a few clicks of a mouse and only 20-minutes a month. So while your marathon of responsibilities might go the distance – with the close of 2021 right around the corner, the only way to get your organization across the finish line and meet HIPAA and MIPS requirements is to have a properly completed Security Risk Analysis in place.
OCR Settles 5 HIPAA Right of Access Violations
December 1, 2021 In celebration of ‘Giving Tuesday’ this year, the Office for Civil Rights (OCR) came bearing gifts by the handful (literally) – announcing five separate HIPAA Right of Access violations all in one day. Now you might be thinking that this sounds like a historic first for same-day settlements, but just last September, the OCR made a similar five-violation announcement. The latest enforcement brings the Right of Access settlement total to 25 and dollars collected to $1,505,650 since the government announced their enforcement initiative back in 2019. And while the not-so-lucky receivers of the government’s “gifts” range by size, specialty, and location – failing to ensure individuals’ right to timely medical record access is one thing that all of these practices share. Wake Health Medical Group The first of five settlements went to a primary care provider out of North Carolina, who agreed to a $10,000 fine and corrective action plan to resolve their violation of the HIPAA Privacy Rules’ Right of Access standard. Denver Retina Center Violation number two was given to a Denver-based ophthalmologist and included a $30,000 settlement and one-year corrective action plan as a result of their potential HIPAA Right of Access violations. Advanced Spine & Pain Management (ASPM) The third settlement was gifted to a provider of management and treatment of chronic pain services out of Ohio, whose Privacy Rule violations landed them with a $32,150 fine and corrective action plan consisting of two years of monitoring. Rainrock Treatment Center, LLC (dba Monte Nido Rainrock) Violation number four went to a licensed eating disorder treatment provider out of Oregon who agreed to pay $160,000 and participate in a year-long corrective action plan to settle their HIPAA violations. Dr. Robert Glaser And last but certainly not least, the fifth settlement came as a result of not only failing to provide a patient with a copy of their medical records but also lacking cooperation with the OCR. The New York-based internal medicine and cardiovascular disease specialist ignored the OCR’s data requests and waived their rights to a hearing, leaving them with a civil money penalty of $100,000. In addition to the settlement announcement, the recently appointed OCR Director, Lisa J. Pino issued a statement in response: “Timely access to your health records is a powerful tool in staying healthy, patient privacy and it is your right under law. OCR will continue its enforcement actions by holding covered entities responsible for their HIPAA compliance and pursue civil money penalties for violations that are not addressed.” While these gifts might not have come wrapped in a bow, they did bring along a trending theme that we encourage all providers to do some unpacking themselves. Noncompliance with the HIPAA Right of Access standard continues to prove itself as a widespread gap that the OCR is committed to enforcing. So even though we might have to wait until next November to celebrate another “Giving Tuesday” – getting your organization HIPAA compliant and meeting all government requirements – including Patient Right of Access – is the year-round gift that keeps on giving so you can avoid making the next OCR settlement list.