January 29, 2025

Managing HIPAA compliance for your practice can be challenging. Given the overwhelming number of laws, requirements, and procedures to navigate, you likely have questions about ensuring compliance, and other practices likely have the same questions as yours. Learn more about the most common questions healthcare practices have and how you can ensure compliance.

Who Needs to Do HIPAA Training?

One of the most important HIPAA requirements is making sure staff members complete training. When facing a HIPAA investigation or audit, the Office for Civil Rights (OCR) will ask for documentation proving your practice has been properly trained. However, many questions arise around this, including: How often should staff members train? How long should I keep training records? Who in my practice has to complete HIPAA training?

First, HIPAA training is required for all staff who have access to Protected Health Information (PHI). PHI includes information such as names, Social Security numbers, and medical records. Staff with access to sensitive data need to understand the foundation of HIPAA and how thorough data management protects patients. As staff members learn vital skills such as breach management, compliant patient communication, and handling sensitive information, they become better equipped to manage PHI.

Documentation of this training is required for each individual, such as a completion certificate for each staff member. That certificate, or whatever proof of completion you use, must be retained for at least six years. During an investigation, the OCR can and will ask for multiple years of training records, so make sure your training documentation is properly organized.

Training must be completed at least annually, and new staff should be trained as soon as possible, before they handle PHI. Staff should also be retrained if a breach occurs, refreshing them on proper procedures.
What is a Business Associate Agreement?

When entrusted with PHI, any third-party vendor working with your practice must implement appropriate safeguards to protect sensitive data. This is where a Business Associate Agreement (BAA) comes in. The BAA is a document that holds both parties responsible for the protection of PHI. It defines what PHI is and how both parties must uphold its protection. HIPAA requires this document to be signed by any Business Associate (BA) with access to PHI. Common examples of BAs include shredding companies and billing companies. If a BA doesn’t want to sign this agreement, that’s a bad sign, and your practice should work with another vendor instead.

The OCR also recently proposed strengthened requirements for BAs, which would require businesses to work with a cybersecurity expert to prove adequate safeguards for patient data are in place.

What Should I Do with Patient Consent Forms?

The HIPAA Authorization for Use or Disclosure of Health Information Patient Consent Form must be provided to the patient before you can work with them. Consent forms allow patients to understand and authorize how their health information is shared, including granting access to specific individuals. Patients can decline to sign this form and still be treated by the practice, but the refusal must be noted in their records. It is also best practice to review these consent forms with patients every three years, ensuring the information is still current.

What’s Next?

From staff training and business associate agreements to patient consent forms, staying HIPAA compliant requires attention to detail. Smart software solutions with expert teams and simplified compliance can help alleviate this burden and let you easily check your compliance status. HIPAA compliance may seem daunting, but by taking these steps and using the right tools, you can protect your practice and your patients.
Ready to learn more? Watch our latest webinar, which addresses even more of the top questions healthcare professionals have when it comes to healthcare compliance.
The HIPAA Security Rule is Changing: Is Your Practice Ready?
January 23, 2025

The HIPAA Security Rule went into effect in 2003, and it’s an understatement to say that technology has changed quite a bit since then. The Office for Civil Rights (OCR) has released proposed updates to the HIPAA Security Rule. After a historic year of breaches, this legislation comprehensively strengthens the current Rule, and it is the first update in a decade. Many of the new requirements simply reinforce existing recommendations within the Security Rule, making best practices mandatory. This legislation is the result of the significant rise in cyber attacks and the OCR’s continuous findings of noncompliance when investigating Covered Entities and Business Associates. Although the proposed rule has not yet been finalized, it will likely be enacted within the next year, given bipartisan support for protecting patient data.

What is the HIPAA Security Rule?

The Security Rule, a critical component of HIPAA, centers on stringent guidelines for managing electronic Protected Health Information (ePHI). These guidelines encompass a wide range of physical, administrative, and technical safeguards, all designed to protect sensitive patient data. One of the most significant components of the Security Rule is completing a Security Risk Analysis (SRA). The SRA sets a benchmark for your practice and assesses what it currently does to protect patient data. This analysis covers safeguards ranging from physical measures, like door alarms, to technical precautions, like properly encrypting files. The OCR already treats this analysis as a yearly procedure, and the proposal continues to emphasize it. The new proposal strictly defines the SRA as a yearly requirement with more guidance on specific questions, and the OCR has introduced eight implementation specifications for risk analysis.
This also includes a thorough analysis of potential natural disasters and of the consequences if a Business Associate were breached. In fact, the government has introduced a Risk Analysis Initiative, fining practices and businesses that do not complete this analysis. While this assessment is a major component of the rule, once vulnerabilities are identified, it is up to your practice to implement the safeguards that protect your patients.

What’s Changing?

This proposed rule mandates that Covered Entities and their Business Associates implement certain proactive measures that were previously only strongly recommended, such as multi-factor authentication. As technology has greatly advanced since the introduction of this rule, there are also more requirements focused on system management, including required anti-malware protection, disabling unused network ports, and a network map showing which devices are connected to which networks in an organization. Network segmentation is another advancement of the rule, requiring practices to use separate networks based on access to specific information.

New policies and procedures will also be required if this proposal goes into effect. For instance, contingency plans will be required, showing what a practice or business will do within 72 hours of being breached. Additionally, practices need a transition plan for when staff leave, and they need to notify other regulated entities when a staff member’s access to ePHI is changed or terminated.

Business Associates (BAs) will also face stricter requirements when working with Covered Entities. If breached, BAs must notify their Covered Entities within 24 hours. BAs will also have to have their compliance program certified yearly by a Subject Matter Expert in cybersecurity, ensuring that the business is taking the right steps to protect patient data.

What Can I Do?
While this rule is still within its comment period until early March, it could be enacted this year. Being aware of upcoming HIPAA legislation and preparing your practice is vital. Working with a smart compliance solution can take the pressure off, with compliance experts updating their systems to ensure their users will be compliant with new laws. Looking to understand HIPAA compliance for your practice before new laws take effect? Schedule a consultation with one of our experts today.
Abyde Recognized Among the 2025 Seminole 100
TALLAHASSEE, Fla. – Abyde, headquartered in Clearwater, FL, has earned a spot on the prestigious 2025 Seminole 100 list, ranking it among the fastest-growing businesses owned or led by Florida State University alumni. The company will be celebrated on Saturday, February 22, at the Donald L. Tucker Civic Center in Tallahassee, Florida, during the 8th annual Seminole 100 Celebration.

Each year, FSU honors the accomplishments of its top 100 alumni entrepreneurs through Seminole 100. At this inspiring event held on campus, honorees discover their individual rankings and receive awards, while having the chance to network with fellow business leaders from a wide range of industries.

Abyde is a software-as-a-service (SaaS) company that streamlines compliance for healthcare practices of all sizes. With thousands of customers, dozens of successful partnerships, and rapid company growth, Abyde is considered the preeminent brand in the medical compliance industry. Built by health IT professionals, legal experts, and seasoned developers, Abyde has earned its spot as the leader in smart software solutions for HIPAA and OSHA compliance. Abyde has been named on the Seminole 100 list for three consecutive years.

“To be recognized alongside such incredible FSU alumni for the third year in a row is amazing. This is a real testament to the hard work, dedication, and innovation of our awesome team at Abyde. As a proud Seminole, the values instilled during my time at FSU continue to inspire me every day, and I’m incredibly grateful for that foundation as it continues to drive us forward,” reflected Matt DiBlasi (B.A., Social Sciences, ’07), CEO and Co-Founder of Abyde.
“Our 2025 Seminole 100 honorees demonstrate the remarkable achievements of our alumni who not only lead thriving businesses but also embody the spirit and values of Florida State University,” said Julie Decker, associate vice president of University Advancement, Alumni Engagement and president of the FSU Alumni Association. “These alumni and entrepreneurs inspire us, and it’s an honor to recognize them.”

This year’s honorees represent a diverse array of industries, including energy, technology, law, marketing and retail. Of the 100 businesses recognized, 79 are based in Florida, and 13 states across the country are represented, demonstrating the reach and impact of FSU alumni nationwide.

To be eligible for Seminole 100, companies must have been in operation for at least three years, have generated revenue by January 1, 2021, and be owned or led by an FSU graduate for three consecutive years before applying. Nominations for the 2026 Seminole 100 list will open on February 22, 2025. For more information, visit seminole100.fsu.edu.
Choose Your Business Associates Wisely: An $80K Mistake
January 8, 2025

As we ring in the new year, it’s important to remember that Business Associates (BAs) are just as responsible for protecting patient health data as their Covered Entity counterparts. A major misstep by a BA was highlighted recently at the federal level, and the first fine of 2025 was imposed. Elgon, a Massachusetts-based medical record and billing support company for Covered Entities, was levied an $80,000 fine for numerous violations of the Security Rule, which were exposed by the fallout of a ransomware attack. As a proposed update to the Security Rule is currently open for public comment and may take effect in the spring, it is crucial for Covered Entities to select BAs who prioritize compliance. BAs are just as responsible for ensuring that Protected Health Information (PHI) is kept secure.

What Happened?

Elgon was the victim of a ransomware attack on March 25, 2023. Unfortunately, the BA did not detect the intrusion of its firewalls for over a week, until a ransom note was discovered. Elgon then reported the breach, which affected over 30,000 patients of a Covered Entity. Thousands of Social Security numbers, addresses, and other pieces of personally identifiable information were leaked in the attack. When Elgon was investigated, it was uncovered that the organization had failed to recognize its risks in a Security Risk Analysis (SRA). The SRA is the foundation of a successful practice or business, giving an organization a benchmark for how it handles PHI and how it can improve. This fine is also the second enforcement action under the OCR’s Risk Analysis Initiative, highlighting the importance of completing and maintaining this assessment.

How to Protect Your Organization

Covered Entities and Business Associates need to uphold their commitment to protecting patient data. This recent fine is a stark reminder of what can happen when proper procedures are not followed, exposing the personal information of thousands of patients.
To avoid and mitigate situations like this, Covered Entities must carefully choose the right BA to work with, ensuring they also understand the importance of protecting patient data. For BAs, having the proper safeguards in place is vital, earning the trust of Covered Entities that you can keep their patients’ PHI safe. A key document that establishes the liability of both parties is the Business Associate Agreement (BAA). The BAA is a written document required whenever a Covered Entity works with a Business Associate, and vice versa. This signed agreement ensures both parties know their responsibilities when handling patient data. Proposed updates to the Security Rule expand on this, with BAs potentially having to verify on a yearly basis that they are enforcing the proper safeguards, certified by a compliance expert.

Overall, this fine sets the tone for a new year of significant changes and enforcement by the OCR. Covered Entities and Business Associates must both understand their critical role in protecting patients. To learn more about how you can become HIPAA compliant, schedule a consultation with our team of experts today.