November 19, 2024 Did you know that the average cost of a healthcare data breach is $9.77 million? When HIPAA investigations can lead to millions of dollars in expenses for rebuilding IT systems, legal fees, fines, and other costs, it’s easy to overlook the non-monetary consequences of an investigation in which you are found liable. When a practice is found liable, it indicates that it failed to demonstrate that it took the necessary precautions to prevent a breach. This could include not adhering to proper procedures, such as promptly providing a patient’s healthcare records to the Office for Civil Rights (OCR) or a State Attorney General. This liability can significantly impact your practice’s reputation. The investigation can take months and make your practice subject to scrutiny. Reputation: A Cost To Your Business When your practice is found liable for a HIPAA violation, it can unfortunately haunt your practice. Once a HIPAA fine is announced, it is posted on the HHS website and reported by numerous compliance news sources. This news release can become a notorious stain on your practice’s reputation, as it is one of the first websites to appear when your practice is searched. This can directly impact your organization’s success. In the digital age, over 75% of all patients search for a new provider online, and this fine will likely be one of the first things they see. Time: The Unease of Waiting Waiting for a response from the OCR or the state during an investigation can be overwhelming and stressful. HIPAA investigations often take several months and require hundreds of pages of documentation, and waiting for a response is an additional non-monetary cost associated with them. In some cases, the fines related to HIPAA violations can take years to finalize. For example, a recent HIPAA fine imposed in 2024 resulted from a breach in 2017. This illustrates that investigating such breaches can take years before any resolution is reached. Even after a fine is levied, time is spent trying to recover and restore one’s reputation, which is just as challenging to manage. Scrutiny: Monitored by the Government Many HIPAA fines include a Corrective Action Plan (CAP) or a set of requirements and years of monitoring before a practice officially completes its payment for a fine. A CAP keeps your healthcare practice under government scrutiny for an extended period. This means that government authorities will closely monitor your practice’s operations, data security measures, and compliance with HIPAA regulations. This nonmonetary cost is another frustrating burden for practice, as it is subject to scrutiny and oversight by authorities. Protecting Your Practice Don’t let a mistake become a detriment to the success of your practice. Ideally, once a HIPAA fine is paid, the practice can return to normal. Unfortunately, the nonmonetary costs of an audit can continue to detriment a practice’s success. That’s why it’s vital to put precautions in place before a significant breach can occur, and if it still occurs, the right documentation is in place to defend your practice. Utilizing a smart software solution for compliance can prepare your practice for a HIPAA investigation. Watch our webinar, featuring compliance experts with a 100% pass rate, to learn more about the audit process and its necessary steps.
HIPAA Audits are Back: 86% of Practices Miss This Crucial Requirement (And How to Fix It)
May 29, 2024 The random HIPAA audits are officially back. Melanie Fontes Rainer, Director of the Office for Civil Rights (OCR), confirmed in a recent interview that the OCR is proactively conducting audits as part of a series of improvements. Following a five-year hiatus from proactive audits, the Office for Civil Rights (OCR) has been updating key HIPAA regulations. For instance, the OCR is also releasing an updated Security Rule by the end of the year to better reflect innovation since its original publication over twenty years ago. As the OCR continues to advance HIPAA rules, it’s vital to be prepared with a foundation of a compliant practice. At the base of this foundation is the Security Risk Analysis (SRA), a commonly missing HIPAA requirement. During the last round of proactive audits, 86% of Covered Entities could not show a properly documented SRA for their practice. What is a Security Risk Analysis (SRA)? The OCR defines an SRA as “an accurate and thorough assessment of potential risks and vulnerabilities to confidentiality, integrity, and availability of electronic Protected Health Information (ePHI).” The SRA is focused on protecting ePHI. It is a continuous requirement and needs to be updated when significant changes occur to your practice. It’s best practice to complete the SRA at least annually. An SRA is a complete evaluation of how PHI is protected. Questions include encryption practices, staff training, disposal of PHI, and more. Why is the SRA Important? The SRA documents proof that a practice has appropriate safeguards to protect sensitive patient data. It requires practices to conduct self-audits and identify risks and vulnerabilities before they become issues. This means anticipating vulnerabilities and implementing preventative measures before sensitive data is compromised. If followed correctly, the SRA acts as a vital line of defense, helping prevent data breaches, ensuring patient privacy, and building trust within the healthcare system. How do I complete an SRA? Completing an SRA is crucial for protecting sensitive patient data. The good news is that several approaches are available, each with varying costs and timelines. Before starting an SRA, it is essential to have an HCO, or HIPAA Compliance Officer, in place to manage HIPAA documentation and the SRA process. You can complete the SRA internally using online resources provided by the OCR. While there are free resources, this option is less intuitive than others, can be time-intensive, and requires significant team effort. Manual audits can take weeks to months to complete. You could also hire an external auditor or consultant to complete your SRA. Hiring a consultant might reduce the burden on your team but can be costly. The average price of an external auditor is in the thousands, with some costing upwards of $20,000. Additionally, these external audits can take months. An alternative option is intelligent compliance software, which provides significant benefits for meeting the SRA requirement and more. It allows you and your practice to navigate the SRA cost-effectively and efficiently. While a manual audit usually takes weeks to months, an audit assisted by software can be completed in significantly less time, simplifying the SRA process, and saving your practice substantial costs and assuring protection. Why Should I Use Compliance Software? As the Security Rule is updated, your compliance program also deserves an upgrade. Intelligent software solutions can help you easily fulfill complex HIPAA requirements, prepare for potential risks and vulnerabilities, and protect patient data. Many organizations overlook the SRA, but software solutions can streamline the process and protect your practice. To learn more about Abyde’s innovative software solutions, schedule an educational consultation.
Change Healthcare Breach: What We Know Now
March 14, 2024 BREAKING NEWS! Your friends at Abyde are right back at you with an update on the Change Healthcare breach. Check out our first blog post on the breach here! Now, to quickly bring you up to speed, Change Healthcare, a division of United Healthcare, was impacted by a ransomware attack. This ransomware attack is like nothing we’ve ever seen, and being called the most significant attack on our healthcare system of all time. This ransomware attack was disastrous, taking Change Healthcare systems offline, and making it impossible for healthcare providers to check for insurance eligibility, see new patients, properly process prescriptions correctly, and much more. Now, it’s been several weeks since the initial attack, and we have the latest scoop for you. What’s going on now? Well, now here comes the fallout. While some of the systems have been able to get back online, like pharmacy functions, Change Healthcare is still not 100%. This has been detrimental to healthcare providers, and is costing them $100 million a day! Now, I know that’s gotta hurt. Now, the lawsuits are starting to roll in. Now, multiple class action lawsuits have been filed against Change Healthcare/United Healthcare due to its inadequate security systems and how it’s been handled. Unfortunately, in this attack, it’s highly likely Protected Health Information (PHI) is in the hands of criminals. In this ransomware attack, over six TB of stolen data was encrypted by the deceptive hackers. So, these lawsuits are just getting started. The government is also involved in this breach, investigating the causes and effects of the ransomware attack. The FBI has run into this group of hackers before and has taken some of their servers offline, causing many to think this attack was of vengeance. The Department of Health and Human Services also came together to discuss and address the impact of the cyber attack for more to come. As of yesterday, March 13, the Office of Civil Rights also released a statement of beginning their investigation of the attack. It’s safe to say this is far from over, and it’s been a tough month for United Healthcare. What should I do? To keep up with the news, we recommend you follow our news page, where we release the newest updates in compliance news and the best tips for your practice or business. To keep up with the Change Healthcare system updates, you can follow this page here. To keep your practice or business safe, and avoid this hot water that United Healthcare found itself in, it is essential for you to proactively protect your organization. This includes working with an IT company, employing firewalls, encryption, and of course, having compliance software like Abyde. Abyde is your one-stop shop when it comes to compliance management, allowing you to evaluate your risks and address them before it’s too late. Need documentation in order? Yeah, all in the software. Oh and – let me stop you right there, yes, we also dynamically generate our personalized policies and procedures, so don’t worry about writing them. And if you experience a breach? We’re here for you. We have an awesome team of compliance experts here to help you navigate any situation, so you’re not alone. Want to learn more about compliance? Reach out to us at info@abyde.com and schedule a compliance consultation here for Covered Entities, and here for Business Associates!
Leap into Action: Important Data Breach Reporting Deadline Approaches
February 26, 2024 Happy Leap Year! Now, let’s celebrate the once-in-every-four-years event with the most exhilarating and entertaining activity: notifying the OCR of small breaches your practice faced in 2023. Alright, I’m kidding I’m kidding, while reporting these breaches might not be the most exciting activity, it is very important to notify the OCR of these breaches to ensure proper procedure was followed when things didn’t go as planned. This notification to the OCR is due 60 days after the end of the following year, according to the Breach Notification Rule. So, for 2024, it will be February 29th or Leap Day. So, what is a small breach? You might be asking, what constitutes a small breach? Thankfully, the OCR has specified this for us, and it’s any breach that affects 500 or fewer patients. Anything more than this requires faster reporting, needing to notify the OCR of the breach within 60 days of the discovery of the breach. While smaller breaches don’t need to be reported to the OCR as quickly, patients must be aware of their data being affected in a breach, and patients must be notified within 60 days of the practice finding the breach, or even sooner depending on the state. So, how do I report my small breaches to the OCR? Another great question! Once again, the OCR has a reporting system in place online here. Each small breach has to be reported separately through the website. Abyde makes breach reporting easy, with our HIPAA breach logs, which will allow you to log when you experience a breach in your software. After filling out the breach log, we have a Breach Risk Assessment for you to take, and will then generate a report with all the information you need for the OCR breach report. If you want some help filling out the breach report, you can turn to us, your compliance crew. For Abyde users, call us at 1-800-594-0883 or hit the Help! Alarm button under the gear icon in your Abyde software. We’ll get connected with you immediately and help you navigate the breach. Then, just make sure you notify the OCR by the due date for those smaller breaches! So, what else do I need to do? I’m glad that you’re still interested! Having assigned roles when breaches occur. The reporting of breaches usually falls under the HIPAA Compliance Officer’s list of responsibilities. Having a designated HIPAA Compliance Officer, and in general, having assigned roles in order when a breach or disaster occurs ensures accountability. So, what now? Make sure that you have all of your small breaches reported to the OCR by February 29th, 2024. Abyde is here to make this process easy with our easy-to-use software. To learn more about how Abyde simplifies compliance, reach out to info@abyde.com or schedule a demo here.
Don’t Get Caught Off Guard: HIPAA Audits are Back!
February 23, 2024 They’re Baaaaaack! And in this case, not the poltergeists in the 80s classic, but the Office For Civil Rights (OCR). The OCR shared some significant news, announcing their plans to reintroduce their random HIPAA audits program. The last time this program was in place was in 2016 – 2017, with over 200 Covered Entities and Business Associates audited to ensure HIPAA compliance. Before this program is officially implemented again, the OCR is surveying past audit participants, and hearing their feedback before random audits begin. However, Director of the OCR, Melanie Fontes Rainer, confirmed the audits would resume this year, “OCR intends to initiate audits of HIPAA-regulated entities later this year. These audits can assist regulated entities in improving their HIPAA compliance and their protection of health information.” The audits revealed eye-opening shortcomings of CEs and BAs, with Paul Hales of Hales Group describing that “86% of covered entities and 83% of business associates failed the risk analysis audit, and 94% of CEs and 88% of BAs failed the risk management audit”. Thankfully, this news doesn’t have to be like a horror movie if you’re proactive and take compliance seriously. What does this mean for you? While random HIPAA audits might seem very nerve-wracking for your practice or organization, with the proper tools, you can be easily prepared. These audits will help all in healthcare, highlighting the importance of being compliant and keeping patients’ data safe. That’s why Abyde is here to help. Our software simplifies compliance, allowing your practice to focus on what matters most, taking care of patients, or in the case of Business Associates, running your business. To learn more about how you can be prepared for the random OCR HIPAA audits, email us at info@abyde.com or schedule a compliance consultation below. MEDICAL PRACTICES: SCHEDULE CONSULTATION BUSINESS ASSOCIATES: SCHEDULE CONSULTATION
Abyde Insights: Managing the Aftermath of the Delta Dental MOVEit Breach
December 18, 2023 In the ever-evolving landscape of cybersecurity, vigilance is key. Recently, Delta Dental of California faced the brunt of a cyberattack, highlighting the imperative need for robust security measures. At Abyde, we believe in keeping our community informed to fortify defenses against potential threats. Here’s a closer look at the Delta Dental MOVEit breach and insights on strengthening your cybersecurity posture. Understanding the Breach Delta Dental of California, an esteemed provider of dental insurance to 45 million individuals, fell victim to the Clop hacking group’s exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer solution. This breach, affecting a staggering 6,928,932 dental plan members, underscores the critical importance of cybersecurity in safeguarding sensitive information. Timeline of Events The breach unfolded when Delta Dental identified an SQL injection vulnerability (CVE-2023-34362) in MOVEit Transfer on June 1, 2023. Despite Progress Software swiftly releasing an emergency patch on May 31, 2023, the Clop group had exploited the flaw between May 27 and May 30, 2023. The aftermath saw unauthorized access and data exfiltration from Delta Dental’s MOVEit server. Response and Analysis Delta Dental responded promptly, engaging third-party computer forensics experts to conduct a thorough analysis. The complexity of the breach required meticulous scrutiny, leading to the finalization of the affected individuals and data types on November 27, 2023. Notification letters commenced distribution on December 14, 2023. Protective Measures for Affected Individuals In an effort to mitigate the impact on affected individuals, Delta Dental has taken proactive steps. Those affected are being offered 24 months of complimentary credit monitoring and identity theft protection services. This measure aims to empower individuals to monitor and protect their personal information during this challenging time. Learning from the Incident While Delta Dental emphasized that this was a mass exploitation incident affecting numerous companies, the magnitude of the breach sets it apart. With nearly 7 million individuals affected, it stands as the third-largest healthcare MOVEit-related breach reported. HIPAA Compliance and Notification Delta Dental adhered to the HIPAA Breach Notification Rule, reporting the breach to the HHS’ Office for Civil Rights on September 6, 2023, within the stipulated 60-day timeframe. The intricate process of identifying affected individuals and data involves digital forensic and incident response providers, highlighting the complexities of incident response. At Abyde, we advocate for a proactive approach to cybersecurity and compliance. Regularly updating and patching software, conducting comprehensive risk assessments, and fostering a culture of compliance are crucial components of a resilient HIPAA compliance strategy. Abyde is here to guide you on your journey to enhanced security and privacy. Reach out to one of our experts today to learn more! Call 800.594.0883 or email info@abyde.com.
Navigating a HIPAA Compliance Audit: A Structured Guide
September 15, 2023 Receiving notification of a pending HIPAA compliance audit may initially feel like an alarming event. Rest assured, it doesn’t need to be a distressing experience. Let’s put the jests aside and embark on a guided pathway to handling this with seriousness and diligence. Here’s how you can approach this situation methodically and with poise, assisted by Abyde’s comprehensive solutions: Step 1: Stay Calm and Mobilize Your Team Upon receiving the notification, resist the urge to panic. Instead, convene a team meeting to align your strategies and affirm that you can successfully navigate the audit with a coordinated effort. Step 2: Understanding the Audit Letter Deciphering the audit letter is paramount. Invest time in understanding the specifications mentioned in the letter to identify the areas that will be under scrutiny during the audit. Step 3: Engage Your Compliance Officer Your Compliance Officer will be the anchor during this period. Leverage their expertise to lead the preparation phase, focusing on gathering the necessary documents and aligning your operations with HIPAA standards. Step 4: Document Compilation Systematically compile all necessary documents including, but not limited to: Step 5: Conduct a Pre-Audit Before the official audit, conduct a pre-audit to identify any gaps in your compliance. This step ensures that you are well-prepared and confident for the audit day. Step 6: Be a Gracious Host On the audit day, maintain a cooperative and respectful demeanor toward the auditors. Offer refreshments and be willing to assist them throughout the process, facilitating a smoother audit experience. Step 7: Review and Improve Post-audit, take time to review the feedback provided in the auditor’s report. Utilize this information to make necessary amendments, showcasing your commitment to continuous improvement. Step 8: Continuous Compliance Recognize that maintaining compliance is an ongoing endeavor. Regularly update your policies and training to ensure that your practice operates within the stipulated regulations, fostering a culture of continuous compliance. Leveraging Abyde for Compliance Ease With Abyde by your side, you can transform this seemingly daunting task into a manageable one. Abyde offers: With preparation and the right partner like Abyde, you can face a HIPAA audit with confidence and tranquility. Embark on this compliance journey with seriousness and structured guidance, ensuring a successful outcome.
OSHA Inspection Process & Budget
October 11, 2022 With all of the OSHA inspections that are conducted throughout all the major sectors, you would be surprised to find out that the healthcare industry makes up 12% of those inspections! With the total average number of OSHA inspections leaning towards 34,000 a year – 14,000 of those inspections are related to the healthcare industry alone. You may be thinking to yourself how does the whole OSHA inspection process work? Well, you are in luck! Let’s get into the nitty gritty of it all. Anyone who is covered by the Occupational Safety and Health Act has the ability to request an OSHA inspection, or OSHA could also make an unrequested inspection. If and when an inspection is conducted, it is typically done with no notice at all – talk about an uninvited guest! For the inspection itself, it will include an opening conference, “walkaround” of the workplace, and a closing conference. The opening conference will begin once the inspector arrives and meets with the representatives. This part of the inspection is to be as short as possible and ensures that the inspection will cover all hazards that were mentioned in the complaint. After the opening conference, the inspector will conduct what’s called the “walkaround”. This is where the inspector and any representatives will check the facility for any safety and health hazards that were included in the initial complaint. The inspector could potentially check for any other hazards if they choose. The inspector would speak with any affected employees and employees are encouraged to point out any hazards and mention any past accidents, illnesses, and employee complaints. During the initial walkaround, the inspector may use any equipment to measure noise, dust, fumes or any other hazardous exposure. If you are unsure of what they are doing, don’t be afraid to ask. After the walkaround is complete, the OSHA inspector will bring any violations to the attention of the employer and employee representatives at the time they were discovered. Last thing is the closing conference, where the OSHA inspector where the OSHA inspector has to conduct a closing conference, whether it is jointly or separately, and will go over any apparent violations, ways to correct them, deadlines, and potential fines. And that wraps it up! Phew! Now let’s talk about MONEY! Every year OSHA introduces a plan and budget to substantiate their existence. In August, the Senate proposed an 11.1% funding increase for OSHA in the fiscal year of 2023. The Department of Labor, HHS, Education and Related Agencies Appropriations Act of 2023 proposes $679.8 million for OSHA in 2023, which is $68 million more than 2022. There is a House funding bill as well that proposes $712 million for OSHA; if the finalized budget is passed the amount would fall somewhere in between the two amounts that were proposed. With all that being said, having a larger budget could mean hiring more inspectors who could potentially knock on your door! Now that you’re familiar with the inspection process, wouldn’t it be nice to know you can be confident in your practice’s OSHA program? In walks Abyde – and we are a guest that usually brings doughnuts when we walk through your door!
OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA
September 21, 2022 Boom! Pow! Bang! Three dental practices were sacked yesterday, resulting in nasty bruises and a loss of yards on the play. After heading into the locker room and studying some film, they recognized there were some lessons to be learned in the OCR’s HIPAA Right of Access playbook. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the completion of three investigations in its Health Insurance Portability and Accountability Act (HIPAA) Right of Access Initiative. The OCR’s HIPAA Right of Access Initiative started in 2019 to ensure patients receive their records in a timely and costly manner. With three actions in one day and a total of 20 just this year, we are seeing a 42% increase year over year in the enforcement of the Privacy Rule. The OCR’s effort has now raised the total to 41 Right of Access actions across the span of 3 years, setting a strong example for practices across the country on the importance of maintaining compliance. OCR Director, Melanie Fontes Rainer, states, “Patients have a fundamental right under HIPAA to receive their requested medical records, in most cases, within 30 days. I hope that these actions send the message of compliance so that patients do not have to file a complaint with OCR to have their medical records requests fulfilled.” Here is an instant replay of when three dental practices crossed the line of scrimmage: The first dental practice had a delay of game penalty after failing to provide timely access to their former patient’s records. The former patient didn’t receive a complete copy of their records until October 2020, five months after they filed a complaint back in May 2020. This resulted in a $30,000 settlement and the implementation of a Corrective Action Plan. The second dental practice got a 15-yard penalty for not providing a patient with a copy of her records in a timely or costly manner. The practice refused to provide the records because the patient wouldn’t pay the $170 copying fee. That’s not a fair catch! After the OCR got involved, the dental practice had to cough up $80,000 in settlement and adopt a Corrective Action Plan. Maybe they should’ve read the HIPAA Rule book! The starting running back fumbled the ball when this practice failed to provide a mother and her son with copies of their PHI until after the play clock hit zero. After multiple requests and eight months of waiting, she finally got the medical records in her hands. The dental practice had to fork over $25,000 and implement a Corrective Action Plan. After watching the game footage, there is a clear solution here! Make sure your practice provides patients with timely and costly access to their medical records. Six dental practices have been sacked so far in 2022, which means we have already witnessed a 600% increase solely in the dental space compared to the 2021 season. That is not a statistic you can ignore! You could be next, so we encourage you to make sure you have the right compliance measures in place to avoid these large fines. Is your game plan ready?
Latest HIPAA Audit Industry Report
December 18, 2020 End of year report cards are in (or at least they are for covered entities) and the HIPAA compliance grades the Office for Civil Rights (OCR) & Department of Health and Human Services (HHS) just handed out are not ones to write home about. Just yesterday, the HHS released their latest HIPAA Audits Industry Report grading providers and business associates’ on their level of compliance with HIPAA regulations. The report evaluated audit results from 166 covered entities and 41 business associates, focusing specifically on compliance with the Notice of Privacy Practices, patient records access, breach notifications timeliness and content, the Security Risk Analysis, and appropriate risk management programs. While the full report is pretty lengthy, we’ve compiled some of the top takeaways from these latest results: So what does this data tell us? In some ways, nothing new – all of the areas audited have factored heavily into recent OCR enforcement activity, and highlight the same trends we’ve seen all year. If not part of recent enforcement, these areas factor into the recent proposal to modify the HIPAA Privacy Rule, including proposed adjustments to the Notice of Privacy Practices. “The audit results confirm the wisdom of OCR’s increased enforcement focus on hacking and OCR’s Right of Access initiative,” said OCR Director Roger Severino in addition to the latest report, “we will continue our HIPAA enforcement initiatives until health care entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records.” What NEW information can we take away from these results? Organizations are STILL. NOT. COMPLIANT. Many of the covered entities or business associates audited produced what they thought was sufficient evidence, but did not meet actual HIPAA requirements. Some weren’t even close – when asked to produce an SRA, entities provided irrelevant documents like a patient’s insurance prescription coverage and rights; a document discussing pharmacy fraud, waste and abuse; and a conflict of interest and code of conduct employee sign-off page – none of which are even semi-related to an actual SRA. If your practice wants to get a slightly better HIPAA grade than the ones in this recent audit, ensuring you have the PROPER documentation in place, and meet ALL HIPAA requirements is key. If HIPAA isn’t your best subject, a software solution like Abyde is the tutor you’ve been needing to help walk you through the process to get an A+ (plus avoid hefty HIPAA fines, stress over your HIPAA program, and general unhappiness).