December 3, 2020 Who doesn’t love the whole “new year, new you” excitement? But before you press fast forward on the month of December, there are a few key pieces of HIPAA you are probably missing – but can still catch up on before the December 31 HIPAA deadlines hit. You may be thinking “I did my Security Risk Analysis, I’m good!” or even “we did training that one time, we’re fine!”. Don’t shoot the messenger, but there are a LOT of other pieces that go into your HIPAA program besides annual HIPAA training and the Security Risk Analysis. Before you panic, you aren’t alone – in the latest round of OCR audits, only 17% of practices had performed a Security Risk Analysis, and only 6% had a security risk management program (the documentation, policies, and additional HIPAA pieces required) in place.

What do I need by December 31?

So what do you actually need in place, and how do you get this checklist completed before the end of the month? First, let’s cover what you need to have at a minimum:

1. Your Security Risk Analysis (SRA)
We call this the first step in HIPAA compliance for a reason. The SRA sets the baseline for your practice by assessing all physical, technical, and administrative areas of risk and determining where your HIPAA program stands. Your SRA must be updated annually, and it should be more than a generic checklist – it should cover all the aspects of your practice most at risk and give you actionable insights into your high, medium and low risk areas.

2. Annual HIPAA Training
If your practice has the first requirement down, you may also have HIPAA training somewhere on your radar. Some practices either do training once, instead of annually as required, or fail to document training correctly. You should have a certificate or other record of completion for each staff member, dated within 2020, to meet this requirement. The easiest way to do HIPAA training? Using an automated system lets staff take training individually, without having to shut down your practice or hire an outside trainer for a day.

3. Documented Policies & Procedures
This is where practices might start to miss the mark. You may have a few policies, or perhaps an older HIPAA manual, but documentation to the government standards is key to meeting this requirement. That means having updated, current and specific documentation that accurately reflects your practice operations today (instead of an outdated manual from 6 years ago) and touches on all HIPAA requirements – not just one or two areas.

4. Updated HIPAA Logs
If you have all of the above (major kudos if you do), having the right logs of all HIPAA-related access, assets and possible breaches is still a commonly missed area, and is key to documenting how your practice handled HIPAA incidents in the past year.

All of these pieces should be completed on an annual basis, and they tie into the many other requirements that go into a complete HIPAA program.

How do I do it by the end of the year?

If any of the above sounds scary or completely left-field to you – don’t panic! Taking one piece at a time, starting with your SRA, will help you chip away at these requirements. Odds are you probably have a piece or two, but may be missing additional aspects of your HIPAA program. There are a few ways you can tackle these requirements, including:

No matter what you do, leaving HIPAA to the last minute may leave you in a bit of a time crunch, and failing to complete these requirements will leave your practice open to hefty fines. Thankfully, there is an easy solution that will check everything off your list with plenty of time left to enjoy the holidays instead of stressing about HIPAA! Schedule a quick consultation with a HIPAA expert to see where you might be missing the mark, and how Abyde could help you breeze through these requirements before December 31.
HIPAA Building Blocks: The Privacy Rule
November 24, 2020 Implementing a complete HIPAA program is kind of like assembling a piece of furniture from IKEA – there are lots of different pieces and little direction when putting it all together. Even if you’re a master IKEA-assembler, HIPAA is a whole extra level of confusion, and breaking it down into the basics can help make things a little less stressful.

The first step in building a complete HIPAA compliance program is to start with the base – the HIPAA Security Rule. Once you have a sturdy foundation made up of all of the proper documentation and required safeguards, it’s on to step number two: otherwise known as the HIPAA Privacy Rule. Many of the nuts and bolts of HIPAA law are built into the HIPAA Privacy Rule, which provides strong privacy protections to safeguard sensitive patient information and ensure patients have proper access to their own medical records. Thanks to the Privacy Rule:

Record access and privacy are the basic goals behind the Privacy Rule, but the second piece of the rule includes an extensive list of ongoing compliance requirements, such as:

Just like opening up that new box from IKEA, taking on a complete HIPAA compliance program can feel overwhelming. However, Privacy Rule complaints continue to roll in to the Office for Civil Rights (OCR), and patient right of access violations have become an increasing point of OCR focus since 2019 – making compliance with the Privacy Rule a top HIPAA priority.

Now, unless you’re a DIY enthusiast, you might opt for new furniture that doesn’t come in 1,000 different pieces. Choosing a pre-assembled option instead saves you time, energy, and headaches – and the same can be said of HIPAA. Choosing HIPAA compliance software like Abyde lets you fill in a few quick areas to get your program up to speed, instead of having to build each piece from scratch. In less than an hour, and with far fewer headaches, you can get everything you need to be compliant, and so much more. The best part? There’s no need for an instruction manual – Abyde has real people ready and waiting to help walk you through the process and make sure you aren’t missing any important pieces (like finding that missing screw from step 7 on step 28) along the way.
What You Need to Know About HIPAA Patient Right of Access Laws
November 20, 2020 Wanna know the secret to avoiding patient complaints? Well, until we figure out the trick to making everyone happy (which is next to impossible), we can at least fill you in on the next best thing – how to avoid one of the main causes of patient complaints: improper patient record access. You might be thinking, how can providing patients access to something that’s already theirs be that hard? Yet more than half of practices still fail to comply with patient access laws, opening themselves up to complaints and ultimately HIPAA fines. In fact, the Office for Civil Rights (OCR) just recently announced the 12th settlement in its right of access enforcement initiative, further emphasizing the importance of providing proper access.

The Boring Stuff: What is the Right of Access law?

The HIPAA Patient Right of Access law was created to provide patients with a level of ownership over their own medical records. This means that patients are able to:

What information can be provided to a patient?

Does this mean that your practice has to go and round up every single one of Sally Smith’s records when she asks for them? Not necessarily – when a patient asks for access to their records, there is specific information that you are legally expected to provide, which is referred to as the “designated record set” and includes:

Ok, so…what information shouldn’t be provided?

Now, before you go and slap a postage stamp on (or hit send on that encrypted email with) the entire patient file, there is some information that can be left out of the designated record set. Any information that does not pertain directly to decisions made about the patient’s health does not have to be provided to patients, such as:

There’s a host of other requirements when providing patient records, and knowing what policies the Right of Access law includes is important to avoiding patient complaints about record requests. Unless you’re a professional people-pleaser, dealing with patient complaints is inevitable – but with HIPAA right of access enforcement continuing to ramp up, it’s an important topic to keep your practice up to speed on.
OCR Continues HIPAA Right of Access Fine Streak, Announces 12th Settlement
November 19, 2020 Reporting new HIPAA settlements has become a weekly routine this month (we’ve got our calendars marked for next week’s already), and after today’s announcement of the Office for Civil Rights’ (OCR) 12th right of access initiative settlement (the third in November), we now have enough patient right of access fines to last us a whole year.

This week’s HIPAA headline goes to the University of Cincinnati Medical Center, LLC (UCMC), an academic medical center that provides healthcare services to the Greater Cincinnati community. UCMC agreed to a $65,000 payout as well as a 2-year corrective action plan with the OCR to settle a violation of (you guessed it) the HIPAA right of access standard. The by-now familiar story began back in May of 2019, when the OCR received a complaint that UCMC failed to respond to a patient’s request, made on February 22, 2019, that her electronic health records (EHR) be sent directly to her lawyers. After further investigation and a little push from the OCR, the medical center finally provided the requested records in August of that year.

While we’ve seen more than a handful (2 handfuls plus two fingers, to be exact) of patient right of access fines over the past year, this specific settlement is a great example of not only failing to provide patient records in a timely manner, but also failing to provide them in the format requested. HIPAA requires that you be able to provide patients with a copy of their records in the format they request – either in paper or electronic form – as well as have the ability to transmit records directly to a third party if specified. If it isn’t possible to provide records the way a patient requests, the covered entity must agree on an alternative method with the requester.

Emphasizing the importance of providing records in the format requested, OCR Director Roger Severino added that “OCR is committed to enforcing patients’ right to access their medical records, including the right to direct electronic copies to a third party of their choice. HIPAA covered entities should review their policies and training programs to ensure they know and can fulfill all their HIPAA obligations whenever a patient seeks access to his or her records.”

Today’s settlement brings the running count of 2020 HIPAA fines to a total of $13,291,500, with 6 weeks still left in the year. If the weekly fine trend continues, we could expect at least 6 more HIPAA settlements and a whole lot of $$$ to come rolling in before 2020 finally ends. While we’re all looking forward to 2020 calling it quits, 6 more fines would blow 2019’s enforcement records out of the water. With annual HIPAA deadlines right around the corner and weekly examples of why you should ensure your practice is compliant, we couldn’t think of a better time to add HIPAA to the top of your to-do list!
Maryland Optometric Association and Abyde deliver HIPAA compliance to independent eye care professionals
November 18, 2020 November 18, 2020, Tampa, FL – Industry-leading HIPAA compliance solution provider Abyde announced a new partnership with the Maryland Optometric Association (MOA), offering a complete, user-friendly HIPAA program to MOA’s members. Together with the Maryland Optometric Association, Abyde will provide MOA members with essential HIPAA compliance programs designed to complement eye care practices’ day-to-day operations. The partnership will give MOA members exclusive access to a comprehensive HIPAA compliance solution that helps meet government-mandated HIPAA compliance requirements and safeguard their practices against common HIPAA violations.

Abyde’s software solution is the easiest way for independent eye care providers to implement and sustain comprehensive HIPAA compliance programs. The revolutionary approach to HIPAA compliance guides practices through mandatory HIPAA requirements such as the Security Risk Analysis, HIPAA training for doctors and staff, managing Business Associate Agreements, dynamically generated policies and more.

“Our partnership with Maryland Optometric Association will deliver Abyde’s intuitive solution to more eye care providers while helping them meet serious and essential government compliance requirements in significantly less time,” said Matt DiBlasi, President of Abyde. “We are thrilled to share valuable resources necessary to thrive in today’s environment with even more of Maryland’s eye care professionals.”

“Abyde is an industry leader in HIPAA compliance, and we are confident their leading solution and user-friendly software will provide exceptional value to our members,” said Maryland Optometric Association Executive Director Jennifer Cohen. “This partnership will help our independent eye care providers meet important HIPAA requirements in a simple and stress-free way.”

About Abyde
Abyde (Tampa, FL) is a technology company dedicated to revolutionizing HIPAA compliance for medical professionals. Launched in January 2017, Abyde was formed with the idea that there could exist an easier, more cost-effective way for healthcare providers to comply with government-mandated HIPAA regulations. For more information on Abyde visit abyde.com.

About Maryland Optometric Association
The Maryland Optometric Association is committed to advancing and empowering optometry in the state of Maryland. We work collectively to increase our scope of practice. We are committed to providing excellent and cost-effective educational tools and resources to all our members. We connect optometrists with one another and their communities to strengthen our overall mission.
HIPAA Building Blocks: The Security Rule
November 12, 2020 Even with a law as complex as HIPAA, there are a few building blocks that form the base of all HIPAA requirements. One of those blocks – often referred to as the first step in HIPAA compliance – is the Security Rule. Essentially, the Security Rule ensures protected health information (PHI) is only accessible to those who should have access. Think of it almost like a personal bodyguard there to protect your PHI. In this case, that ‘bodyguard’ is made up of specific safeguards – covering physical, administrative, and technical access – that ensure the protection and confidential handling of patient information.

Administrative Safeguards
Covering more than just paperwork (though there is a lot of that), administrative safeguards include documentation of the actions, policies, and procedures used by your practice to protect PHI. These requirements cover:

Physical Safeguards
Beyond the obvious (we hope things like locking your doors are already in place), physical safeguards cover the measures taken to protect your information systems, physical infrastructure, and equipment from unauthorized access as well as natural hazards. Key requirements include:

Technical Safeguards
It’s impossible to avoid technology in the healthcare world today, and technical safeguards cover the ways your practice secures electronic protected health information (ePHI) and controls access to it. These requirements are a bit more difficult than simply installing antivirus software, and cover:

These safeguards are just a few pieces of the HIPAA compliance puzzle, but they can make or break a practice when it comes to HIPAA. Often, practices slapped with HIPAA fines are missing one (or, in most cases, a lot) of these requirements that could have prevented HIPAA violations and better protected their patient data. So how do you start actually implementing all these requirements? There’s no easy instruction manual handy, but the next best thing is working with HIPAA experts who can not only assess where your program stands, but also guide you through recommended updates to fix any high risk areas. However you manage HIPAA, meeting the Security Rule requirements is just the first step – make sure you review your entire HIPAA program, not just one or two pieces, to be compliant.
Abyde Partners with the Echo Group to Expand HIPAA Compliance Among Behavioral Health Providers
November 12, 2020 November 12, 2020, Tampa, FL – Abyde has announced a new partnership with The Echo Group, an EHR and billing platform for behavioral health practices, delivering Abyde’s industry-leading HIPAA compliance software solution to The Echo Group’s users. This partnership expands Abyde’s solution further into the behavioral health industry, continuing to revolutionize HIPAA compliance and serve as a premier educational resource to mental and behavioral health providers. The Echo Group’s users will now have access to the necessary tools and support to implement a complete HIPAA compliance program, which is especially important as annual deadlines for HIPAA compliance requirements approach.

Abyde’s software solution is the easiest way for a behavioral health practice of any size to implement and sustain comprehensive HIPAA compliance programs. The revolutionary approach to HIPAA compliance guides providers through mandatory HIPAA requirements such as the Security Risk Analysis, HIPAA training for doctors and staff, managing Business Associate Agreements, customized policies and more.

“We know that HIPAA compliance is a common gap among providers, and we’re thrilled to continue expanding across industries. This partnership will help more behavioral health practices alleviate the stressors of trying to comply with complex HIPAA requirements,” said Matt DiBlasi, President of Abyde. “HIPAA compliance is essential for any practice’s success, especially now, and we are honored to be a part of The Echo Group’s offerings.”

“When we saw Abyde’s solution, we knew our users would benefit from the industry-leading resources and simplicity Abyde provides. We are always focused on the ever-changing needs of our users, and we know that joining forces with Abyde will streamline HIPAA requirements they may be struggling to meet,” said Allan Normandin, CEO of The Echo Group. “We are excited to work together to provide comprehensive tools to both implement and maintain a complete HIPAA compliance program.”

About Abyde
Abyde (Tampa, FL) is a technology company dedicated to revolutionizing HIPAA compliance for medical professionals. Launched in January 2017, Abyde was formed with the idea that there could exist an easier, more cost-effective way for healthcare providers to comply with government-mandated HIPAA regulations. For more information on Abyde visit abyde.com.

About The Echo Group
The Echo Group, privately held since 1980, revolutionized electronic health records in the behavioral health industry with EchoVantage, the only EHR featuring a visual continuum of care timeline. EchoVantage is a core, integrated EHR platform with a complete suite of tools designed to conform to your workflow, meet compliance requirements, and increase productivity, enabling you to spend more time putting your clients. The Echo Group is located in Conway, New Hampshire, with an additional office in California. Echo has more than 80 employees dedicated to making the best behavioral health technology in the industry.
OCR Announces the 11th HIPAA Right of Access Settlement
November 12, 2020 The last few months have shown that it’s not a matter of when the next Office for Civil Rights (OCR) HIPAA fine will drop, it’s how much the fine will be for. It’s sort of become a race at the Abyde office to share the news first when the OCR’s next press release hits our inboxes (seriously – this blog’s authors are winning, in case you were concerned). Today’s entry into our fine-marathon is yet another patient right of access violation – bringing total access settlements to 11 and 2020’s fine count to $13,226,500.

The latest right of access violator is Dr. Rajendra Bhayani, a private practitioner specializing in otolaryngology (a specialty focused on the ears, nose, and throat, if you aren’t a medical specialties trivia whiz) out of New York. The settlement comes as a result of a patient complaint regarding a violation of the Privacy Rule’s right of access standard and left Dr. Bhayani with a $15,000 bill and a two-year corrective action plan to boot. Back in September 2018, the OCR received a complaint that Dr. Bhayani failed to respond to a patient’s request for medical records made in July of that year. The OCR responded by providing the doctor with technical assistance on the issue, and it was case closed (or so they thought). Half a year later, complaint number two came rolling in, noting that even in July of 2019 the patient still hadn’t received their requested records. Only after further OCR investigation were the records finally provided, in September of 2020 – two whole years after the initial complaint.

The OCR is certainly taking this right of access fine-marathon seriously, sprinting to the end of 2020 with 9 right of access related fines since September. “Doctor’s offices, large and small, must provide patients their medical records in a timely fashion,” stated OCR Director Roger Severino. “We will continue to prioritize HIPAA Right of Access cases for enforcement until providers get the message.”

The best way to tell the OCR ‘message received’? Get your HIPAA program in order NOW, particularly all the pieces that go into patient right of access – HIPAA authorization forms, the right access policies and timeframes, staff training, and more. OCR Director Severino said it best – it doesn’t matter if your practice has 3 employees and sees only a handful of patients, dealing correctly with HIPAA requirements is essential to avoiding $$$ in fines and the scrutiny of the OCR.
OCR Announces the 10th HIPAA Right of Access Settlement
November 6, 2020 The Office for Civil Rights (OCR) wasn’t kidding when they emphasized HIPAA Right of Access enforcement last year – if you STILL don’t believe the many (so, so many) blog articles we’ve written on previous fines, maybe today’s 10th fine announcement will do the trick. Patient right of access has been a trending topic (waiting for the hashtag to trend any day now) over the past few months, and the latest settlement is just another reminder of what your practice needs to watch for.

Today’s fine goes to Riverside Psychiatric Medical Group (RPMG), out of Riverside, California, who agreed to a $25,000 payout and a two-year corrective action plan to settle a violation of the Privacy Rule’s patient right of access standard. The latest settlement comes as a result of a patient complaint received just last year, in March of 2019. The complaint claimed that RPMG failed to provide access to requested medical records – even after multiple requests, OCR technical assistance after the first complaint, and a second complaint a month later. In this particular case, unlike other patient right of access fines levied thus far, RPMG claimed they didn’t provide access because the requested records included psychotherapy notes. Psychotherapy notes include documentation of private counseling sessions, separate from regular medical records, and can be withheld under HIPAA law because of the nature of the records.

So was the practice actually in the wrong? While psychotherapy notes CAN be withheld, HIPAA still requires:

Since RPMG failed to do either, they found themselves with $25,000 less in their pockets and two whole years of administrative paperwork to be completed. Even if your practice doesn’t deal with mental or behavioral health services, RPMG’s case includes some important lessons for all types of providers. When records can’t be provided (for legitimate reasons only, people), a written explanation and a copy of the records that can be provided should be given to the patient. No one likes to be left hanging, as OCR Director Roger Severino himself put it best: “When patients request copies of their health records, they must be given a timely response, not a run-around.”

Avoid being an enforcement victim by reviewing what your practice has in place now, and what is required when a patient requests their records. Make sure you have a designated method for patients to request records, and fulfill their requests within the right time frame – within 30 days at the federal level, though it varies by state. And just in case you’re keeping score (just us?), this fine brings 2020’s running total to $13,211,500.
Behind Every Complete HIPAA Program, There’s a HIPAA Compliance Officer to Thank
November 5, 2020 If you aren’t already aware of how much goes into a complete HIPAA compliance program, we’ll give you a hint – it’s a lot. How much is a lot? Estimates are that it takes the average practice (on their own) 80+ hours per year. So who do you thank for all those hours, headaches and (probably) tears? Your friendly neighborhood HIPAA Compliance Officer.

A HIPAA Compliance Officer, or HCO, is essentially responsible for ensuring your practice meets the requirements outlined in HIPAA law – which is as complicated as it can get. Their role is pretty crucial to avoiding a HIPAA violation (not to mention required under HIPAA) and involves quite a list of tasks for the lucky winner of the HCO title. HCO responsibilities include:

If you are a smaller practice, your practice administrator or office manager might serve as your HCO (on top of all their existing responsibilities – seriously, they must have superpowers), or, in a larger organization, you may be lucky enough to have a separate compliance staff member. Regardless of how your practice operates, the HCO deserves a major round of applause for all they do to keep your practice – and patients – safe, secure and compliant.

Every great hero has a side-kick, and for your HCO a HIPAA compliance software solution is just that. Rather than manually updating each policy, creating training materials, conducting ongoing risk analyses, AND keeping up with changing HIPAA regulations, a software solution like Abyde does it all with just a few clicks – and with a lot less time and stress involved. Whether you have a software side-kick or not, making sure you have all the right pieces of the HIPAA puzzle is a crucial role for your HCO to fill.

Don’t have an HCO? Or have someone who was responsible that one time, but never actually had the opportunity to get started on HIPAA? First, figure out where your program stands by reviewing what you may be missing, then assign an HCO and get them some help to manage their new HIPAA responsibilities.