December 31, 2022 As we wrap up this year, we want to take a look back at our biggest wins. Of those, the ones that stand out most to us aren’t defined by dollar signs or broken records – although, we have seen some pretty impressive performance throughout 2022. When we look at all we have accomplished over the last twelve months, we are most proud of the impact we have made in our community and for our people. Now as AJR says, can we skip to the good part? There is so much to be proud of this year, as you can see. We are set up to carry this same energy into 2023! As the New Year rolls around, we wish you all nothing but peace and prosperity.
NEW YEAR’S RESOLUTION: BE COMPLIANT
December 22, 2022 The end of the year is right around the corner, and while you’re enjoying the festivities with friends and family (we love a good holiday tradition!), you might already be thinking about New Year’s resolutions. And if you are, props to you for not being a procrastinator. We bet your goals for the year may include eating healthier and learning a new skill, but what about getting compliant? Ensuring your organization is HIPAA and OSHA compliant should be a top priority for every practice – and it’s an easy goal to check off your list! Here are some quick tips to help you start the new year off on the right foot:

Complete your annual Security Risk Analysis and Facility Risk Assessment
This should be your top priority, as it is the first piece of documentation you will be asked for in the case of a HIPAA audit or OSHA investigation. The SRA sets a baseline for your organization by assessing all physical, technical, and administrative areas of risk and determining where your HIPAA program stands. Much like the SRA, the FRA is an assessment of your facility’s environment that will help to identify, minimize, and eliminate hazards in the workplace. Keep in mind that both the SRA and FRA must be documented and must be more than a generic checklist. They should provide you with actionable information and insights into all risks and hazards within your organization.

Complete annual HIPAA and OSHA training
All staff members, including doctors and part-time employees, must complete annual training. A best practice is to conduct training in a modular format with a quiz at the end so you have documentation to prove that training has been completed. When it comes to OSHA training, each facility is different, so you must incorporate site-specific training in order to address any site-specific hazards.

Update all Policies, Procedures, Programs, and Forms
This is a big one! Without proper documentation that accurately reflects all procedures within your organization, you are not considered to be compliant! If you have been using some templates you found online or have a dusty manual sitting on a shelf, this is your sign to trash it and update your policies to be practice-specific. Don’t forget to implement a plan to routinely review all policies with staff members so they are up to date with the latest information as well.

Get signed Business Associate Agreements
In order to be HIPAA compliant, run an inventory list of all vendors you work with that have access to Protected Health Information (PHI). Some examples would include your IT vendor, EHR/PM system, and encryption provider. Once you have gathered all vendor information, double-check that you have a signed Business Associate Agreement with each of them. If you do, great! If not, be sure to reach out to them right away. If you don’t have a BAA in place with every vendor, then you run the risk of getting slapped with your own HIPAA fine if a breach occurs.

Update your Safety Data Sheets
When it comes to OSHA compliance, Safety Data Sheets are essential for tracking and managing any hazardous chemicals in the workplace. Make sure you have a Safety Data Sheet for any chemical which is known to be present in the workplace in such a manner that employees may be exposed to it under normal conditions of use or in a foreseeable emergency. The big takeaway here – these MUST be readily accessible to all employees. If you do not have a Safety Data Sheet for a particular chemical, you should contact the manufacturer to obtain one.

And that’s it! If you follow these steps, there’s no doubt you will be in great shape when it comes to compliance. Still have questions or need help implementing a compliance program for your practice? Contact the experts (hey, that’s us!) at 800.594.0883 for all of your compliance goal-setting needs!
While we might not be giving up Chick-fil-A, enrolling in a new gym, or even improving our culinary skills, our resolution always remains the same – make compliance the easiest part of running your practice.
A costly race against the clock
December 16, 2022 On Thursday, the HHS Office for Civil Rights announced a settlement with a Florida primary care practice over a violation of the HIPAA Privacy Rule’s right of access provision. This marks the 42nd case under the Right of Access Initiative to date and the second settlement this week. All the way back in mid-2019, a daughter, serving as personal representative, was attempting to retrieve her deceased father’s records. After multiple attempts, the practice failed to provide timely access. HIPAA’s right of access standard requires a covered entity to take action on an access request within 30 days of receipt. The practice exceeded that allotted time; the daughter received all requested records nearly five months after the initial request. OCR Director Melanie Fontes Rainer stated, “The right of patients to access their health information is one of the cornerstones of HIPAA, and one that OCR takes seriously.” The FL primary care practice has since paid its $20,000 fine to the OCR and is working to implement a Corrective Action Plan. The plan will be closely monitored over the next two years and includes updating, distributing, and training on all applicable policies and procedures. In the age of immediacy, there is no exception when it comes to patient record requests. When a patient requests access to their records, prioritize their request. You have 30 days to take action, or you could face not only an OCR investigation but a big fine – one we bet isn’t worth it when you could simply rearrange your priorities to put the patient first.
Fool me once, shame on you… Fool me twice, here’s a Corrective Action Plan
December 16, 2022 On Wednesday, the HHS Office for Civil Rights announced a settlement with a California dental practice over impermissible disclosure of patients’ protected health information (PHI). The practice potentially violated the HIPAA Privacy Rule through inappropriate use of social media to respond to patient reviews, disclosing protected health information in the process. OCR Director Melanie Fontes Rainer stated, “This latest enforcement action demonstrates the importance of following the law even when you are using social media. Providers cannot disclose protected health information of their patients when responding to negative online reviews.” The practice faces a lofty fine of $23,000 and a Corrective Action Plan that will be monitored by the OCR for the next two years. Within the CAP, the practice is responsible for updating and maintaining all policies and procedures to comply with the Federal standards that govern the privacy and security of individually identifiable health information. Additionally, all members of the staff must receive training on the updated Privacy Rule policies and procedures within 30 calendar days of their implementation. This is the second offense for the same office in the last 5 years. In November 2017, the OCR received a complaint regarding PHI impermissibly disclosed in online review responses. The protected health information included patient names, treatment, and insurance information. Through the investigation, the OCR found other violations, including failure to provide an adequate Notice of Privacy Practices and to implement Privacy policies and procedures. As a word of advice from your HIPAA and compliance experts, review all PHI and Privacy Rule policies and procedures with any members of your staff that handle online reviews and social media responses.
And while you’re at it, for those of you who may use a third party to handle reputation management, check those Business Associate Agreements, and remind them of our best practices.
Toothpaste, Baseball, and ePHI
December 2, 2022
OCR Recently Released a Bulletin Outlining the Proper Use of Tracking Tech in Accordance with HIPAA Compliance
Covered entities and business associates, like healthcare providers, that use online tracking technology should be aware of whether their ePHI is being managed to HIPAA standards.

Have you ever talked about being out of toothpaste at work, and then when you get home there’s an ad for Colgate on your tablet as you decide what to order for dinner? It’s creepy, but it’s efficient. You’ve been targeted, and the Colgate marketing department is doing its job. In this example, the transmission of your tracked demographics and shopping habits is not as sensitive as the transmission of your patients’ data. Yesterday, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services issued a bulletin regarding the correlation between sharing electronic protected health information (ePHI) and online tracking technology. While we aren’t experts in targeted advertising, we are HIPAA experts. There are rules that apply to regulated entities, like you, when collecting information through tracking technologies or disclosing ePHI to vendors you may be working with. The OCR put it plainly: “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA rules.”

Do you know if your PHI is being captured through online tracking? Are you monitoring what patient data is being shared with third-party vendors? Even more important, do you use Google Analytics or Meta Pixel? If so, you might want to listen up. Whether you set this tracking up yourself or a third-party agency did, if your patients’ ePHI is shared through the tracking technology without a permissible disclosure, you are putting your practice and patients at risk. Let’s head around the bases to make sure you’re covering your bases.

Nice base hit – you made it to first. The first thing you can do is ensure you have Business Associate Agreements (BAA) in place with all third-party vendors, especially those who create, maintain, or receive ePHI. While you’re cross-checking whether your vendors meet the definition of a business associate, make sure your agreements denote the permitted use case for ePHI.

And the crowd goes wild – way to steal second. Before you think, “Well, I’ll just ask the vendor to delete any protected data before they use or save it,” know that that’s not going to cut it. Per the OCR, “Any disclosure of PHI to the vendor without individuals’ authorizations…requires that there is an applicable Privacy Rule permission for disclosure.” Through the Privacy Rule, patients are empowered to have more control over their health information, to access it and make any changes as needed, and boundaries are set on the use and release of health records, including the minimum necessary standard for information disclosures.

A bunt from your teammate gets you over to third – nice work! Before we round out to home, ask yourself if the risk is worth the reward. And if you’re still unsure, check in with your Security Risk Analysis and scorecard – another benefit of Abyde’s ongoing compliance. We work with you to identify the potential risk and exposure associated.

As we make our way to home base, we will summarize with this: if ePHI is involved in any of the data the tracking technology is sharing, HIPAA rules need to be followed. Here are the final words from the OCR: “all disclosures of PHI to tracking technology vendors are specifically permitted by the Privacy Rule and that, unless an exception applies, only the minimum necessary PHI to achieve the intended purpose is disclosed.”