April 20, 2021 We’ve all heard the saying ‘sharing is caring’, but sometimes doing a good deed can actually steer you into some consequences later down the road. Let’s say, for example, you just loaned your car to your best bud whose “quick trip to the store” actually consisted of running red lights and racking up parking tickets. Though you might not have been the one in the driver’s seat – your name will be the one on all of the lovely fines that wind up in your mailbox, not your BFF’s.

Now you’re probably wondering where we’re going with all of this. And while cars and protected health information (PHI) might not have a whole lot in common, it goes to show how certain situations in life require additional precautions to minimize the risk of being held responsible for another’s wrongful actions. This idea rings especially true when it comes to working with and sharing something as valuable as sensitive health information.

HIPAA law provides a pretty specific roadmap for how your practice should be safeguarding PHI and outlines certain standards that, if not met, could result in a hefty fine. But with all the government requirements, advancements in technology, and changing patient needs, it’s impossible today to run a practice without the help of third-party vendors. So whether it be an outside medical billing company, IT support, or a document shredding company – any vendor that comes into contact with PHI is a business associate (BA) of your practice and requires its own set of directions for proper handling.

Just as covered entities have obligations under HIPAA law, so do business associates – with one of the most important being a documented and signed Business Associate Agreement (BAA). A BAA is essentially a written agreement between your organization and the business associate, specifying each party’s responsibilities when accessing and maintaining PHI. It offsets the liability so that your practice can take a backseat if any incidents were to occur.
As you probably wouldn’t hand over your keys to just anyone without laying down some ground rules first, the same goes for providing access to patients’ sensitive health information. Like most contracts, the terms and conditions in a proper BAA can be pretty lengthy and may vary based on the type of vendor you’re working with – but here are some of the basic HIPAA requirements that should be outlined:

- Permitted uses and disclosures of PHI
- Specific safeguards that the BA is expected to establish
- Breach Notification requirements
- Policies and procedures for providing PHI access at your practice’s or patient’s request
- Business Associate Training requirements
- Guidelines for how PHI should be returned or destroyed upon termination of the BAA

Meeting all the requirements for what should be included in a BAA is just the first stretch of the drive, and something we’re often asked is, “What if one of my vendors refuses to sign?” Given that having a signed BAA with every vendor you work with is a HIPAA requirement, it’s probably a good idea to put the brakes on any working relationship with a vendor who can’t agree to your terms and conditions.

Just last year a medical practice found itself the victim of a HIPAA hit and run after filing a breach report stating that their EHR company was blocking access to the practice’s ePHI in exchange for $50,000 to be paid by the practice. While it might seem pretty obvious that the business associate was the driving force of the incident, because there was no BAA in place – the $100,000 in damage fell solely on the provider. A Business Associate Agreement not only lays out the rules of the road for how PHI should be handled but holds the BA directly liable for any non-compliance that happens when they’re behind the wheel.
Having a proper agreement in place with each and every vendor you work with ensures that they’re best protecting your patients’ PHI and means that your practice can steer clear of the hefty HIPAA fines if they don’t.
What is the HIPAA Whistleblower Exception?
April 8, 2021 Acting out a word or phrase in a game of charades is a perfect party activity, but playing a guessing game isn’t as fun when it comes to reporting a work-related incident. Whether you’re taking part in a round of “Guess Who” or just following your practice’s policies and procedures, not everybody will play by the rules – and unfortunately, hackers and those outside your organization with malicious intent aren’t the only ones that pose a potential risk to your patients’ protected health information (PHI). It’s more common than you might think for the biggest offenders of improper access and disclosure to actually come from inside your organization.

When and if you uncover an internal incident, knowing how to report the so-called rule-breaker without violating HIPAA yourself can feel like a major game of guesswork. So what happens if you notice Sally Sue making copies of a patient’s health records for non-work-related reasons? Or catch Doctor Dan improperly administering prescriptions to patients? Given how heavily privacy and security protections emphasize proper PHI disclosure, it’s not uncommon to be wary that reporting a HIPAA violation could actually implicate you in a violation yourself. But even if you’re a pro at charades, reporting an incident without giving away the nitty-gritty details needed to build the case is not easy and certainly not effective. So while HIPAA does establish privacy and security standards that prevent the release of PHI, there is a caveat (if specific criteria are met) for bringing to light malicious activity happening within the practice – a.k.a. the HIPAA Whistleblower Exception.

What are the HIPAA whistleblower exception requirements?
Despite the name, the ‘whistleblower exception’ has nothing to do with whistles and everything to do with protecting staff and patients from facing any backlash if they report unlawful conduct within a practice.
Under the exception, it is not considered a violation of the HIPAA Privacy Rule if a staff member or business associate discloses PHI, as long as they believe in good faith that either:

The exception is a two-part process: after determining whether the incident meets the requirements for what can be reported, the next move is knowing who you can and can’t actually make the disclosure to. We recommend first going to your HIPAA Compliance Officer (HCO) to help you handle the situation (as long as they aren’t involved in the incident themselves). But the whistleblower exception also provides additional provisions for whom the disclosure can be made to, which include:

While we’d like to hope that everyone within your organization plays fair and square, in the case that you do happen to catch a coworker snooping through patient files – it’s important to know who you can disclose the incident to, and that you can include specifics like the patient name and the type of health record that was accessed. So if the requirements are met and followed properly, employees can safely report any non-compliant behavior without fearing that a HIPAA violation or termination letter will follow. Wondering whether or not you can take action to protect patients’ privacy and security should never be a guessing game, and thanks to the provisions outlined in the HIPAA whistleblower exception, the cards are stacked in your favor.
Abyde joins forces with Dental Ops to deliver HIPAA compliance solutions to independent dental practices
April 7, 2021 April 7, 2021, Tampa, FL – Abyde, offering user-friendly HIPAA compliance software solutions, announced today a new partnership with Dental Ops to deliver industry-leading HIPAA compliance solutions to dental practices and professionals across the nation.

With new legislation such as the recently passed HIPAA Safe Harbor Law and the upcoming 21st Century Cures Act taking effect in early April, it continues to prove challenging for independent practices to keep up with the changing regulatory environment. Abyde’s partnership with Dental Ops will help even more dental practices manage HIPAA compliance programs by providing a simple solution that meets all government requirements.

Abyde’s software solution is the easiest way for any-sized medical practice to implement and sustain comprehensive HIPAA compliance programs. Abyde’s revolutionary approach guides providers through mandatory HIPAA requirements such as the Security Risk Analysis, HIPAA training for doctors and staff, managing Business Associate Agreements, customized policies and more.

“We empathize with the challenges providers have trying to meet complex and ever-changing HIPAA requirements. This is especially true today as so many dentists are continuing to feel the effects of COVID-19 coupled with their already heavy workload,” said Matt DiBlasi, President of Abyde. “We are thrilled to team up with Dental Ops to ease the HIPAA compliance burden by implementing our revolutionary software solution for dental practices nationwide.”

“Dental Ops is proud to offer our users only the best products and services, and we’re thrilled to partner with an organization dedicated to helping dental providers navigate the complexities of HIPAA compliance,” said Matthew Jarvis, President of Dental Ops. “We know our users will find instant value in the peace of mind and simplicity Abyde offers.”

About Abyde
Abyde (Tampa, FL) is a technology company dedicated to revolutionizing HIPAA compliance for medical professionals. Launched in January 2017, Abyde was formed with the idea that there could exist an easier, more cost-effective way for healthcare providers to comply with government-mandated HIPAA regulations. For more information on Abyde visit abyde.com.

About Dental Ops
The Dental Ops team now provides back-office administration to dentists nationwide, reducing in-office expense and headache! From insurance verifications & claims follow-up, to risk management & accounting processes, to HR & payroll.

Read the full press release here.
Premiering Now | The 21st Century Cures Act
April 2, 2021 Roll back the curtains and cue the drumroll because it’s the moment we’ve all been waiting for… the 21st Century Cures Act is finally making its big debut. The newest legislation directed by the Office of the National Coordinator for Healthcare Technology (ONC) is officially effective on April 5, bringing several advancements to healthcare and technology that are sure to live up to the hype. So if you’re a healthcare provider and you use any sort of healthcare application, we hope you have your popcorn ready because this one’s for you!

So let’s take it from the top – what even is the 21st Century Cures Act? The HITECH Act and more recently the HIPAA Safe Harbor Law have already set the stage, providing legislative requirements that put technology and healthcare in the spotlight. But the Cures Act goes one step further as the sequel to these health IT related laws, outlining how practices and healthcare app developers can overcome the balancing act of giving patients easy access to their electronic protected health information (ePHI) while still maintaining data privacy and security.

Ultimately, patients play the starring role in the Cures Act requirements, getting the red carpet treatment to access their health records in the ways that they want to receive them – whether that be an app, another EHR, or a similar electronic system. Having this ‘patients-first’ focus is at the center of HHS’s work toward a value-based health care system and enables:

How does it impact me?
This star-studded set of legislation features a ton of improvements for healthcare and technology that you definitely don’t want to miss.

So now what?!
Wondering how this new law changes HIPAA requirements? Spoiler alert – it doesn’t. All of those HIPAA requirements surrounding data privacy and security, proper disclosure, and patient record access requests are still featured within the new legislation and should not be forgotten.
Having a complete HIPAA compliance program in place is the groundwork for protecting patient data, and underscores what the Cures Act entails. Now, if recent enforcement efforts haven’t given you enough of a preview, the government is a tough critic for noncompliance. So much so that in the latest round of HIPAA audit results, 94% of covered entities’ compliance efforts were rated as a total flop. So having a complete compliance program that meets all requirements (including the new ones we just covered) is key to keeping your practice out of the limelight of enforcement and avoiding an Oscar-worthy HIPAA fine.
HIPAA Enforcement is on a Hot Streak – 18th Right of Access Settlement Just Announced
March 26, 2021 Looks like the Office for Civil Rights (OCR) just decided to play a quick round of 18 – announcing their 18th right of access settlement (and second of the week) with yet another practice whose HIPAA compliance efforts were well below par. Village Plastic Surgery (“VPS”) was the latest to tee off against the OCR in a matchup that resulted in a $30,000 fine and a two-year corrective action plan. And with the 17th right of access settlement announced only two days ago – the tough loss endured by the New Jersey-based provider was just par for the course.

The round began back in September of 2019, after a patient filed an all too familiar complaint to the OCR that the practice had failed to respond to their record request made a month prior. Unlike previous settlements where the organization was first provided with technical assistance, all it took was a single patient complaint for the OCR to determine that VPS failed to meet right of access standards – setting the tone that there are no mulligans when it comes to a HIPAA violation.

It’s pretty clear that if you’re not meeting HIPAA requirements, becoming the next opponent on the OCR’s lineup is anyone’s game. But if two fines in one week don’t drive the point home, maybe the latest statement from OCR Director Robinsue Frohboese will be right on target: “OCR’s Right of Access Initiative continues to support and enforce individuals’ vital right to receive copies of their medical records in a timely manner, covered entities must comply with their HIPAA obligations and OCR will take appropriate remedial actions if they do not.”

So, with $5,540,000 collected in HIPAA fines in 2021 alone and patient right of access being a clear government focus – ensuring that your practice’s compliance program is up to par is the best and only way to steer clear of the next round of OCR enforcement.
OCR Continues to Take Non-Compliance By Storm – Announcing 17th Right Of Access Settlement
March 25, 2021 We are definitely no meteorologists over here, but if there’s one pattern that we’ve gotten pretty good at predicting, it’s the government’s focus on HIPAA non-compliance. And with another right of access settlement hitting our inboxes just yesterday – it’s looking like HIPAA enforcement season is in full effect.

Arbour, Inc., d.b.a. Arbour Hospital (“Arbour”), was the latest to get caught in the Office for Civil Rights (OCR) storm – but instead of heavy rainfall and thunder, the Massachusetts-based behavioral health provider was hit with a whopping $65,000 fine and corrective action plan. The announcement marks the 17th right of access settlement since the OCR declared their enforcement initiative back in the fall of 2019, proving that whoever said that lightning never strikes the same place twice clearly didn’t know HIPAA.

Arbour first showed up on the OCR’s radar back in July of 2019, after they received a complaint alleging that the practice had failed to respond to a patient’s record request in a timely manner. Despite the OCR providing technical assistance, the practice took a rain check on providing record access and a second patient complaint came rolling in later that month. As a result of the OCR’s investigation, Arbour finally provided the patient with their records more than 5 months after the patient’s initial request – making the perfect storm for a HIPAA violation. With 17 cases settled and $1,068,500 collected in fines since the right of access initiative began, it’s looking like when it rains, it pours as far as OCR enforcement is concerned.
And if the numbers aren’t telling enough, Acting OCR Director Robinsue Frohboese made her storm warning loud and clear in her latest statement: “Health care providers have a duty to provide their patients with timely access to their own health records, and OCR will hold providers accountable to this obligation so that patients can exercise their rights and get needed health information to be active participants in their health care.”

A key takeaway from the 17 practices caught in the government’s flood zone? In more than half of the published settlements, the organization was notified twice by the OCR and provided with technical assistance. And if they had listened to the first warning siren, they could’ve potentially avoided the settlement entirely. Taking timely action in response to a patient’s records request has proven to be an ongoing issue for covered entities of all specialties and sizes – and with the proposed HIPAA Privacy Rule changes shortening the record response time from 30 days to 15 days, we can foresee dark skies ahead if practices don’t start complying.

So, how do you avoid the hailstorm that comes with an OCR audit? Simply put, ensuring your practice adheres to state and federal Patient Right of Access laws while also having the necessary policies and procedures to back it up is a great place to start. But in order to fully weather the elements of government enforcement, you must meet ALL of the requirements that fall under the HIPAA umbrella and keep your compliance program a priority come rain or shine.
HIPAA vs Online Reviews: A Primetime Matchup
March 18, 2021 Let’s face it, social media and the internet tend to call the plays when it comes to our decision-making. Whether you’re shopping for a new car or just deciding between tacos or pizza for dinner, seeing a one-star review pop up under your Google search is a total red flag. So, when 95% of patients say that online reviews are reliable and over 70% say that reviews have influence over their choice of physician – being on the receiving end of a bad review can feel like a total cheap shot.

There’s really no such thing as pleasing everyone – and as a practice owner, having to deal with some unhappy patients just kind of comes with the territory. Even all-stars get the occasional “boo” from the crowd, and seeing a patient post “100% would NOT recommend!!” about your practice can be a hard hit to recover from. As much as we all want to come to our own defense, choosing to fight back does a lot more damage than just taking the ‘L’ in the online face-off with a patient. Just take it from the dental practice that was slammed with a $10,000 fine for including sensitive patient information in their response to a Yelp review.

You might be thinking: if someone submits a review about my practice, aren’t they already admitting that they’re a patient themselves? Though you aren’t totally wrong, HIPAA law is in place to protect patients’ privacy – and a patient submitting a review is NOT authorization for you to go and release their sensitive information when responding. So, while there might not be a winning playbook for how to keep your patients happy, there are some guidelines for how to best handle online reviews:

Since there’s no one-size-fits-all response for any and every online review, your practice may receive some feedback that seems a bit out of left field, and knowing how to handle it might be tricky.
So to give you some sideline practice, let’s pretend you just received this negative review:

“I had to wait over an hour to be seen and the doctor was rude and rushed through my appointment. Overall it was a terrible experience and I will not be back.” – Negative Nancy

A bad response for your practice would be:

“We’re sorry you had a bad experience during your appointment, however, our records show that you were late to your appointment which therefore caused a delay in your wait time.”

A HIPAA-compliant response would be:

“Our practice’s scheduling policy allows for adequate time with the doctor in order to keep our appointments running on time. However, due to emergency situations, it is possible for us to run behind schedule occasionally. We appreciate your feedback and are committed to providing the best patient care; you’re always welcome to contact our office if you would like to discuss further.”

It’s pretty easy to see why response #1 would probably end up on SportsCenter’s Not Top 10 Plays of the Week – but unfortunately, we are seeing more and more real-life examples of practice comments similar to this one. With patient complaint numbers on the rise and proposed regulation updates centered around improving patient rights, the Office for Civil Rights (OCR) has definitely made it clear that they’ll be bringing their “A” game on HIPAA enforcement. Online reviews (both good and bad) should be handled with extreme care, not only to protect your practice’s reputation amongst prospective patients but also to avoid any flags thrown by the OCR. So, while we hope that you won’t have to go head-to-head with a one-star Google review anytime soon, following HIPAA best practices when and if you do will be the ultimate game-changer.
Abyde joins forces with Maine Medical Association to deliver HIPAA compliance solutions to independent medical practices
March 17, 2021 March 17, 2021, Tampa, FL – Abyde, a user-friendly HIPAA compliance software solution for independent practices, today announced it has teamed up with Maine Medical Association (MMA) to deliver comprehensive HIPAA compliance solutions and education to MMA members.

In light of the continued Office for Civil Rights (OCR) enforcement efforts seen over recent months, in addition to proposed HIPAA changes, there is no better time for practices to ensure they have a complete HIPAA program in place. Abyde’s collaboration with Maine Medical Association showcases efforts to help MMA practices meet this need and will provide MMA members with all the necessary tools and support to manage HIPAA compliance on an ongoing basis.

Abyde’s software solution is the easiest way for any-sized medical practice to implement and sustain comprehensive HIPAA compliance programs. Abyde’s revolutionary approach guides providers through mandatory HIPAA requirements such as the Security Risk Analysis, HIPAA training for doctors and staff, managing Business Associate Agreements, customized policies and more.

“Our collaboration with Maine Medical Association emphasizes the value and peace of mind providers have found with Abyde’s comprehensive solution,” said Matt DiBlasi, President of Abyde. “We understand the difficulty for practices to keep HIPAA compliance a priority especially as regulations are constantly changing, and we couldn’t be more excited to help alleviate the HIPAA-stress from even more independent providers.”

About Abyde
Abyde (Tampa, FL) is a technology company dedicated to revolutionizing HIPAA compliance for medical professionals. Launched in January 2017, Abyde was formed with the idea that there could exist an easier, more cost-effective way for healthcare providers to comply with government-mandated HIPAA regulations. For more information on Abyde visit abyde.com.

Read the full press release here.
Comment Period Extended for Proposed HIPAA Privacy Rule Modifications
March 11, 2021 HIPAA law is officially getting with the times thanks to the proposed Privacy Rule modifications that are giving the “prehistoric law” a new, modernized look. While the planned updates were officially announced last December, the Department of Health and Human Services (HHS) has just added a 45-day extension to the comment period – giving the public some more time to weigh in on what they want the updated legislation to cover.

The original HIPAA Privacy Rule came on the scene in 2003 – you know, like when disposable cameras and listening to Shake Ya Tailfeather by Nelly on your iPod were cool? With as much as technology has changed the world around us, it only makes sense that the laws governing data protection follow suit, especially since they haven’t changed since being created in the “stone ages.”

The new proposed changes go hand-in-hand with the evolving needs of patients and providers to address the issues of patient right of access and “unnecessary regulatory burdens.” Each of these has proven to be a trending area of focus in recent OCR enforcement efforts, with three out of the four settlements announced in 2021 resulting from right of access complaints. But improving patient rights and boosting care coordination isn’t only in the government’s best interests: “OCR anticipates a high degree of public interest in providing input on the proposals because the HIPAA Privacy Rule affects nearly anyone who interacts with the health care system,” Acting OCR Director Robinsue Frohboese stated in response to the recent announcement. “The 45-day extension of the comment period to May 6, 2021, will give the public a full opportunity to consider the proposals and submit comments to inform future policy.”

Now, we know what you’re probably thinking – is there really a high degree of public interest over HIPAA?
While the idea might come as a bit of a surprise – the major spike in patient complaints, data breaches, and government enforcement seen over just the past year has given the law some new-found fame. And since everyone loves a good comeback story, this HIPAA revival has proven that staying up on the latest and greatest in regulation changes is worth keeping on your radar. So, even though the new extension buys you some more time to comply with the proposed updates – it’s never too early to meet mandatory HIPAA requirements.

Unfortunately, the reality is that most practices today would need to perform an excavation, chiseling through mountains of dust, to bring their HIPAA compliance program out of the dark ages. If your compliance program resembles something that hasn’t been touched since Tom ruled MySpace, getting up with the times is not optional, and upgrading to an electronic HIPAA solution is the perfect place to start. Want to put in your ‘two cents’ on the proposed Privacy Rule updates? Just visit the Federal Register to read the official rule proposal and submit your comments!
Does having a ‘HIPAA Compliant’ Seal Make You Compliant?
March 3, 2021 Short answer? Nope. Long answer: having a ‘HIPAA compliant’ seal can actually get you in hot water – just ask SkyMed International, Inc., who was hit with a 20-year corrective plan – no, not by the Office for Civil Rights, but by the Federal Trade Commission (FTC). FTC? What? That’s right, this recent HIPAA-related event got a business in trouble for displaying a ‘HIPAA Compliant’ seal: the organization advertised its ‘compliance’, then ended up experiencing a massive data breach exposing the sensitive information of over 130,000 individuals, and after investigation was found to be anything but HIPAA compliant.

So, when it comes to those ‘seals of compliance’ you’ve probably heard about or seen around, in most cases they don’t mean anything – and could actually wind up getting a practice in trouble for false advertising. There’s no industry certification around HIPAA – trust us, we would be first in line if there was! – and having a certified statement is also a no-go, since there’s no legitimate organization that offers those certifications to back it up.

If you DO have a HIPAA seal or badge of some kind, don’t panic! That doesn’t mean you’re in trouble – depending on what your seal proclaims. Where the FTC raises the red flag is if there’s any statement of ‘compliance’ included. On the flip side, consumers can get peace of mind when they know their healthcare provider has a compliance program (note: program, not statement OF compliance) in place. So if you indicate that you follow HIPAA best practices, carry on! If, however, your website states that you ARE compliant, you may want to double-check your verbiage before the FTC gets involved.

As much as we wish HIPAA could be as simple as just following a checklist once and receiving a nice shiny badge of compliance that your practice’s website could wear proudly, it’s not.
HIPAA compliance is an ongoing process and requires constant review and updates for ANY organization, regardless of its size or specialty. So while a compliance seal isn’t an option – maintaining a complete compliance program is (and a required one at that!).