Best Practices

The Importance of HIPAA Compliance Officers
Best Practices, HIPAA

Behind Every Complete HIPAA Program, There’s a HIPAA Compliance Officer to Thank

November 5, 2020 Comments Off on Behind Every Complete HIPAA Program, There’s a HIPAA Compliance Officer to Thank

November 5, 2020 If you aren’t already aware of how much goes into a complete HIPAA compliance program, we’ll give you a hint – it’s a lot. How much is a lot? Estimates are that it takes the average practice (on their own) 80+ hours per year. So who do you thank for all those hours, headaches and (probably) tears? Your friendly neighborhood HIPAA Compliance Officer.  A HIPAA Compliance Officer, or HCO, is essentially responsible for ensuring your practice meets requirements outlined in HIPAA law – which is as complicated as it can get. Their role is pretty crucial to avoiding a HIPAA violation (not to mention required under HIPAA) and involves quite a list of tasks for the lucky winner of the HCO title. HCO responsibilities include: If you are a smaller practice, your practice administrator or office manager might serve as your HCO (on top of all their existing responsibilities – seriously, they must have superpowers), or if a larger organization, you may be lucky enough to have a separate compliance staff member. Regardless of how your practice operates, the HCO deserves a major round of applause for all they do to keep your practice – and patients – safe, secure and compliant.  Every great hero has a side-kick, and for your HCO a HIPAA compliance software solution is just that. Rather than manually updating each policy, creating training materials, conducting ongoing risk analyses, AND keeping up with changing HIPAA regulations, a software solution like Abyde does it all with just a few clicks – and with a lot less time and stress involved. Whether you have a software side-kick or not, making sure you have all the right pieces of the HIPAA puzzle is a crucial role for your HCO to fill.  Don’t have an HCO? Or have someone that was responsible that one time, but never actually had the opportunity to get started on HIPAA? First, figure out where your program is at by reviewing what you may be missing, then assign an HCO and get them some help to manage their new HIPAA responsibilities.

Information Blocking
Best Practices, HIPAA

What Does ‘Information Blocking’ Mean?

October 15, 2020 Comments Off on What Does ‘Information Blocking’ Mean?

October 15, 2020 If you’re at all familiar with the 21st Century Cures Act, you may have heard the term ‘information blocking’ tossed around. Even if you’re not, you may be familiar with the ongoing healthcare battle to prevent information blocking and more effectively share patient information. If you’re not familiar with any of these things…well…keep reading anyways, if you’re an independent practice we promise this is going to be increasingly important information to know.  A major goal of the Cures Act is to break down the barriers currently erected to interfere with, prevent, or discourage the access, exchange, or use of electronic Protected Health Information (ePHI) within the healthcare industry – otherwise known as information blocking. HIPAA outlines the specific ways information can be shared (and these rules still apply) but the statement of “sorry we can’t share that information because of HIPAA” is often applied incorrectly, and part of what the Cures Act hopes to correct. Deliberately blocking information that should be shared with patients and other appropriate covered entities, such as with Health Information Exchanges (HIE’s), can prevent or delay proper treatment and ultimately reduces the effectiveness of patient care. Before the Cures Act rules go into effect (November 2, 2020), organizations must reevaluate or remove any barriers currently in place that constitute information blocking. Not 100% what that really means? You aren’t alone, which is why the Office of the National Coordinator for Healthcare Technology (ONC) has created a helpful cheat sheet for what does and does not qualify as information blocking. There are some exceptions to what falls under the “information blocking” umbrella, including:  All of these exceptions are only permissible provided certain conditions are met. In general, think of information blocking as refusing to share data even when there is no reason not to – i.e., none of these exceptions or regular privacy concerns apply. Where it gets tricky is when information sharing might – though the situation makes it unclear – violate HIPAA compliance regulations (really violate them, not just as an excuse). It’s always helpful to ask the experts in these circumstances – such as your HIPAA compliance program provider (*cough cough*). 

Requesting Access to Medical Records and HIPAA
Best Practices, HIPAA

Your Patient Requested Access to their Medical Records, Now What?

September 18, 2020 Comments Off on Your Patient Requested Access to their Medical Records, Now What?

September 18, 2020 When it comes to medical records requests, you just hand over patient files – right? Wrong! The HIPAA Privacy Rule unequivocally provides individuals with the right to see and receive copies of their medical records upon request – but has some requirements when it comes to the who, what, and how of handing those records off. Appropriate patient access can be a fine line, and if you stray too far to either side you may end up in the next historic Office for Civil Rights (OCR) announcement of multiple access-related fines. Here’s the 411 on patient record access: Access is just for the patient, right? We hope it’s obvious that patients should be able to access their own records (who doesn’t want a hard copy of their dry eye disease diagnosis), but it’s not just patients that have the right to request records. In fact, the OCR levied two fines just this week for not providing access to an authorized personal representative of a patient. A ‘personal representative’ is someone with the authority under state law to make health care decisions for another individual. This may be the case if: How must access be requested? Making things easy (cough cough), HIPAA law does not specify any required method of requesting access. Patients may ask verbally, in writing, or by secure email or patient portal – really, whatever method suits the patient. Your practice CAN specify the way you want patients to request access, they just have to be informed first about this requirement (possibly as part of your onboarding forms). We do recommend making access requests written, just to document the date of the request. Do I need to verify the requester is authorized? Once you have a patient or their personal representative requesting access, you can just hand over the records, right? Not so fast. The HIPAA Privacy Rule requires practices to take reasonable steps to verify the individual making a request for access is who they say they are. While there’s no specific form of verification required, such as a copy of their driver’s license, it’s extremely important for your practice to use professional judgment when determining that a request is ‘legit’. Verification must also be done without adding unnecessary delays in fulfilling the request. What form must records be provided in? We’re long past the days of keeping everything on paper, and most practice’s manage their health records electronically. However, the Privacy Rule requires a practice to provide access to protected health information (PHI) in the format that it was requested in – either a paper or electronic copy. If the records are not readily producible in the requested format, you’ll need to agree on an alternative format instead. How quickly do records need to be provided? The phrase “ASAP” is nice and all until it comes to meeting specific HIPAA deadlines. When a request is made, the practice must provide access as soon as possible and at minimum within 30 calendar days (the federal law) or less depending on your specific state laws. If unable to provide access within 30 days, the practice can inform the individual of the reasons for the delay and can have no more than one 30 day extension period.  Timeliness is key when it comes to patient access. One practice in particular didn’t provide patient records until 9 months after the initial request was made. The patient filed a complaint to the OCR that resulted in an $85,000 fine along with a corrective action plan. If you thought 9 months was bad, just this week the OCR announced another fine for failing to provide medical records for almost 3 years.    Can I charge patients for copies of their records? Depending on the format requested or the time needed to collect records, there might be some costs involved. Thankfully HIPAA accounts for this, and lets your practice impose a reasonable, cost-based fee for requests. This fee can include:  There’s a lot more that goes into requesting records than simply handing them over. If you’re confused about all this – and we get it, we were too – having a HIPAA expert on deck to help sort out specific scenarios quickly can help your practice stay on top of requirements without unintentionally violating HIPAA. Don’t have an expert to help? Work with an outside HIPAA compliance provider (just picture us saying “pick me!”) who can help you manage the intricacies of access laws before winding up on the next OCR HIPAA settlement announcement.

HIPAA Compliant PHI Disposal
Best Practices, HIPAA

Disposing of PHI: Why, What and How

August 27, 2020 Comments Off on Disposing of PHI: Why, What and How

August 27, 2020 When it’s time to upgrade to that new wallet or purse you’ve been wanting, you probably take out all your sensitive information – credit cards, license, etc. – before tossing out the old one (we hope so at least). It should be no different when it comes to disposing of old devices or hard drives that contained sensitive ePHI, yet practices continue to miss the mark. It may be obvious that paper records require proper disposal – in most cases, shredding or recycling so that the information cannot be read by the wrong parties. Despite this being common knowledge, incidents continue to arise – such as the recent batch of medical records found unattended at an Odessa recycling center in Texas. Because the records weren’t shredded, their sensitive data was made easily accessible. Improper disposal is even more common when it comes to disposing of electronic protected health information (ePHI) properly. What data needs to be properly disposed of?  Anything that does or could have once stored PHI – some you may not even realize – should be properly disposed of to wipe any traces of patient information. This includes: Many devices unknowingly have stored patient information – in emails or text messages, documents accessed on your device web browser, pictures or screenshots, medical images, voicemails, or applications that stored PHI during use. Devices may contain their own storage drives, especially if IoT enabled (connected to your WiFi or internal network).    RELATED: So You Have PHI to Dispose of – Now What?  What is considered proper digital data disposal?  Unfortunately, clicking the ‘delete’ button does not completely remove digital data. Even if you overwrite files, they can still be recovered using software tools. The following are a few ways you can ensure your devices are disposed of properly: Now before you grab those hammers and start smashing up your Windows 7 PC, HIPAA law requires practices to store PHI for at least 6 years and potentially more depending on your state. Devices with data that falls within that 6 year timeframe should be backed up before they are wiped clean, and data should then be encrypted while being stored.  Regardless of whether the data is on paper or disk, or the destruction method you choose, it’s imperative to properly dispose of PHI – and make sure nothing retrievable ends up in the wrong hands.

Asset Log HIPAA
Best Practices, Cybersecurity, HIPAA

OCR Highlights Asset Log as Key HIPAA Recommendation

August 25, 2020 Comments Off on OCR Highlights Asset Log as Key HIPAA Recommendation

August 25, 2020 Earlier today, the Office for Civil Rights (OCR) sent out their seasonal Cybersecurity Newsletter on a very timely and relevant topic – the importance of keeping track of devices that contain electronic protected health information (ePHI). The OCR’s newsletter highlights two important things for independent practices: first, that having an asset log is the recommended method for tracking and thus safeguarding devices that contain ePHI, and second, that the OCR views practice’s lack of knowledge around where their devices are as a key area of concern. Part of the HIPAA Security Rule, practices are required to implement the necessary technical safeguards covered in the Security Risk Analysis (SRA) – including encrypting and securing their devices that contain sensitive ePHI. While an asset log isn’t directly required under HIPAA, the OCR highly recommends the creation and maintenance of an IT asset inventory to better understand where ePHI may be stored and strengthen overall compliance with these requirements.  What does an Asset Log entail? We know it’s hard to keep tabs on everything within your practice, but when it comes to your devices keeping inventory is key. As the OCR’s newsletter highlights, the asset log should be a comprehensive list of all IT assets with corresponding descriptive information. The OCR notes that this list could include ALL devices, even those that don’t access ePHI directly, as they could contain ePHI unknowingly or be an entry point for cyberattackers to your network. Your list should include: When documenting these assets, Abyde recommends including all the following information:  Additionally, it is important to regularly update your asset log as devices are moved around by location or by assigned staff members. Just like an SRA, your asset log should not be a ‘one and done’ project, and should instead be reviewed regularly. You should also track when devices are disposed of, as properly disposing of devices that contain ePHI is a common cause of HIPAA violations.  No matter the size of your practice, creating and maintaining a thorough asset log isn’t an easy task. With a program like Abyde, our built in Asset Log covers all the OCR recommendations and then some – helping you track devices at high risk and making your IT inventory intuitive. Having the ability to access your asset log within a cloud-based solution like Abyde makes reviewing and updating inventory a breeze, and helps ensure you’re complying with all the right technical safeguards.  

Properly Encrypting ePHI
Best Practices, Cybersecurity, HIPAA

Properly Encrypting ePHI: What Your Practice Should Know

August 20, 2020 Comments Off on Properly Encrypting ePHI: What Your Practice Should Know

August 20, 2020 Even before COVID-19, electronic solutions were transforming the way practices work and communicate with patients and other providers. As technology continues to evolve within the healthcare industry, it’s important to understand how to properly secure sensitive protected health information (PHI) when stored or transmitted. What does encryption actually mean? Protecting patient data from cyberthreats goes beyond having appropriate passwords. It means having the right technical safeguards in place including properly encrypting any PHI created, stored, sent, or received by your practice. So what exactly is encryption?  Encryption means that content containing sensitive data is made unreadable for anyone except those authorized to view the information. This process essentially uses a software or algorithm to ‘lock’ the data or written text and requires an encryption key to make the information decipherable again.  What should be encrypted? So what should be encrypted? Simply put, the answer to this question is pretty much anything containing PHI. This includes data that is being sent to someone else such as a patient, business associate, or another provider. Examples of this include:  Why does encryption matter? For a typical practice, your EHR system is likely already encrypted – but your EHR isn’t all that matters. All other laptops, external hard drives, servers, and communication systems are at high risk if they are not also properly encrypted to protect from cyberthreats. In fact, failing to encrypt devices has been the cause of various HIPAA violations. Recently, a covered entity in Rhode Island faced a $1,040,000 fine from the OCR on top of a 2 year corrective action plan. The violation resulted from a stolen unencrypted laptop, leading to over 20,000 patients data being exposed. Part of the reason for the hefty fine was the organization’s “systemic non-compliance” when it came to proper encryption of devices. The entire incident could have been avoided if the entity had the proper technical safeguards in place.  With cybersecurity threats on the rise and electronic communication becoming more commonplace, it’s all the more important to ensure the protection of your patients’ information. Implementing encryption services is a great way to best protect your practice and prevent HIPAA violations. If using an external vendor for encryption, make sure to have the appropriate business associate agreement in place as well.

Offboarding and HIPAA
Best Practices, HIPAA

Recently Offboarded Staff? Don’t Forget About HIPAA Requirements

August 6, 2020 Comments Off on Recently Offboarded Staff? Don’t Forget About HIPAA Requirements

August 6, 2020 Many practices have an organized system for welcoming a new employee to the team. Usually, new staff is an exciting addition, and you’ve likely got your welcome bag, name tags and business cards at the ready. But, when it comes to the end of an employee’s life cycle at your practice – not uncommon in 2020 due to COVID-19 – the process may not be as exciting or as organized. The uncertainty that surrounds having to terminate an employee can be messy, leading to paperwork and processes being executed in haste. In this hurry, mistakes are often made leaving sensitive patient data exposed to unauthorized recipients. Even if you have the best intentions and think it’ll never happen to you, data breaches continue to surface stemming from improperly terminated access. Whenever you part ways with a former workforce member, full offboarding measures must be taken to ensure full protection of your practice as well as your patient’s data. The HIPAA Security Rule specifically details the required termination procedures in Section 142.308(a)(11) as the “formal, documented instructions for ending employment and closing off internal and external access.” This removal of access can be done by implementing the following offboarding actions: Even for former employees, documentation is still essential when it comes to HIPAA compliance. Your practice should keep all HIPAA training certificates on file for up to 6 years even if terminated. If a breach occurred prior to an employee’s termination, or an audit occurs even after termination, you will need to produce a copy of the training certificate to prove that each staff member was properly trained at the time.  Other steps that should be taken on a regular basis to help improve the security within your practice as well as help ensure a smoother offboarding process include:  You may have a system in place for offboarding, but if you’re a busy practice there’s no harm in waiting a month or two to make sure access is revoked, right? Well…not so much. Every day that your former staff still have access to PHI is not only another day of increased risk, but also a major concern if ever audited or investigated by the OCR. In fact, failing to properly implement these procedures when offboarding employees has been the catalyst for multiple HIPAA breaches. In 2018, a Colorado Hospital found themselves in a HIPAA violation costing them $111,400 after terminating an employee without proper offboarding. The employee was not removed from the hospital’s online-based scheduling calendar which contained PHI – ultimately allowing continued access to the PHI of almost 600 patients. Along with the former employee’s access, it was found that the medical center’s web-based scheduling calendar vendor also received access to PHI without the proper Business Associate Agreement in place. In response to this settlement OCR Director, Roger Severino emphasized that “This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn’t.” Equally as important as staff is properly offboarding any vendors your practice worked with. If any of your vendors have any access to your practice both physically as well as electronically they must be properly removed when your work contract is terminated. Things like disabling remote access to servers from any accounts with administrative privileges are often overlooked and can be a huge risk for data breaches and HIPAA violations. In fact, having a proper Business Associate Agreement in place with these vendors puts them on the hook for removing access and returning or destroying any PHI they may have had or created on behalf of your practice. Having a comprehensive plan from the start to finish of an employee’s time at your practice will have a huge impact on ensuring the security of the sensitive patient information within your organization. While you most likely won’t have to deal with an employee gone rogue, being proactive and making certain that there are no loose ends when it’s time for a staff member to leave will help make the offboarding process seamless and stress-free.  

COVID-19 Public Health Emergency Extension
Best Practices, HIPAA

HHS Extends National Public Health Emergency & Limited HIPAA Waivers

July 30, 2020 Comments Off on HHS Extends National Public Health Emergency & Limited HIPAA Waivers

July 30, 2020 COVID-19 has made 2020 feel like both the shortest and longest year ever, and if rising cases are any indication it’s not likely to let up anytime soon. You may have already expected our ‘new normal’ of mask-wearing, keeping a 6-foot distance, and HIPAA waivers to be here for the long haul, and the recent Department of Health and Human Services (HHS) extension of the National Public Health Emergency solidifies that notion. Just last week the HHS announced the renewal of the National Public Health Emergency and an extension of limited HIPAA waivers until October 23, 2020. This declaration means more than continued social distancing rules, and also extends the many other waivers and flexibilities issued by the HHS in the initial response to the pandemic. These waivers work to mitigate the risks to the health of the general public while assisting healthcare providers with the necessary accommodations to protect their practice and continue serving their patients. To give a recap on everything that’s been changed or updated in lieu of COVID-19: In addition to the specific waivers granted in response to the pandemic, practices should be aware of additional guidance covering the expansion of cyber security attacks in response to increased remote operations, reminders on restrictions of sharing patient information to the media, and proactively safeguarding against the recent rise in patient complaints due to COVID-19.  As part of the recent extension of HIPAA waivers, the HHS has specified a 90-day period until waivers are expected to be lifted. Practice’s now have a clear timeframe of when they need to implement HIPAA compliant solutions for tools like telehealth which may currently be done using a non-compliant software. To prevent a HIPAA violation as these waivers end in October, it’s important that your practice proactively prepares by: While these HIPAA regulation flexibilities have been extended, they aren’t going to last forever. Keeping your practice one step ahead will make all the difference in your ability to avoid any HIPAA violations or fines as standard regulations take effect again. If HIPAA hasn’t been your number one priority over the past few months, you should start now and use this 90-day extension to ensure you have a complete compliance program in place, especially as 2020 continues to fly by.

Requirements for HIPAA Training
Best Practices, HIPAA

Requirements for HIPAA Training

July 22, 2020 Comments Off on Requirements for HIPAA Training

July 22, 2020 You know the saying ‘teamwork makes the dream work’? The same goes for HIPAA compliance within your practice, too. The easiest way to make sure everyone is on the same page is to implement a comprehensive HIPAA compliance training program. HIPAA training is key to securing your patients’ information and instilling a culture of compliance within your organization. Compliance is a group effort, and ensuring that all workforce members have a full understanding of their HIPAA responsibilities will limit the accidental exposure of protected health information (PHI) and avoid potential high dollar settlements for the practice.   58% of healthcare breaches involve practice employees, and these breaches are largely a result of employees improperly disclosing patient information, the mishandling of medical records, losing devices containing electronic protected health information (ePHI), or a general lack of training. This makes education a key aspect in preventing improper access or misuse of PHI. Unfortunately, the Office for Civil Rights (OCR) doesn’t provide any lesson plans or online training classes – leaving the burden of providing proper education completely on your practice. Here are a few key points to keep in mind when it comes to the “who, what, when, and how” of employee training. Who needs to be trained?  All workforce members, part-time, contract, or full-time, that come into contact with protected health information must be properly trained. This includes providers as well. HIPAA law states that training must be done “as necessary and appropriate for the members of the workforce to carry out their functions.”  Some staff members, like your practice’s HIPAA Compliance Officer, should be trained more frequently than the rest of the staff and the material should be specific to their HCO duties. What needs to be included in the training?  HIPAA doesn’t specify any particular topics that should be covered or what timeframe they should be addressed in, but training should be designed around what a staff member needs to know in order to perform their job function. That might include new employee training that covers the basics and additional training that dive more deeply into the nuances of how HIPAA impacts the staff’s daily job roles. Common HIPAA training topics include: When should employees be trained?  While HIPAA does not technically specify the timeframe of ongoing training, most agree that annual training is the appropriate timeframe to keep HIPAA top of mind for staff. In addition, any new employees must complete initial training on HIPAA within a reasonable time after being hired – this is recommended within the first 90 days of employment. HIPAA training should be a key part of the employee onboarding process to ensure compliance. It will also set the standard that HIPAA compliance is important to your practice.  How long must each training be?  There’s no specified length of training regulated by HIPAA, but the length must be sufficient enough to cover all the necessary materials. The quality of the information being provided as well as the effectiveness of how it is taught is the most important aspect of proper training. This could mean a shorter but more engaging training, such as an animated video and interactive quiz. There’s also no specifics that identify if training must be completed individually or as a group. Utilizing training videos may help your practice avoid losing valuable patient time by letting staff complete training on their own time. What is required to document training? One of the most important aspects of completing HIPAA training is to document each staff member’s completion. When it comes to HIPAA, document, document and document some more. It is key to providing proof of compliance if ever audited or breached. For training, a certificate of completion showing who completed the training and when it was completed will show all needed information. Offering a modular-type training format, such as a quiz after training, is important for showing that employees retained the material. Unpacking HIPAA means peeling back a lot of layers, and ensuring that each employee is properly trained on HIPAA’s nuances to fully understand what’s needed to be compliant may seem daunting. A solution like Abyde makes HIPAA training as easy as a click of a button, sending animated training videos that keep HIPAA fun and engaging. No matter the training solution your practice chooses, make sure it meets all HIPAA requirements and most importantly delivers content in a way that will be retained and understood by your employees. 

Best Practices, HIPAA

My EHR system makes me HIPAA compliant, right?

July 16, 2020 Comments Off on My EHR system makes me HIPAA compliant, right?

July 16, 2020 Let’s face it, in today’s digital age, it’s tough to find a medical practice that doesn’t utilize an Electronic Health Records (EHR) system. Even if you were late to the game and just recently made the switch, the use of EHRs in doctor’s offices nearly doubled between 2009 and 2017, to almost 86% of providers. One of the biggest qualifications for any EHR system is that it meets all HIPAA compliance requirements to protect the sensitive patient data held within it. But is that where HIPAA compliance begins and ends?  A common misconception many providers have, however, is that implementing a HIPAA compliant EHR ensures their practice is in compliance with all standards  – instead, it’s just one piece of the much larger puzzle. Make no mistake, having a HIPAA compliant EHR is essential. There are a number of safeguards that should be implemented to protect your EHR’s electronic data, such as:  While these safeguards are key, there are other HIPAA requirements that go beyond the security of your EHR software and impact your practice’s operations, physical accessibility, and all technology used within the organization – including IT networks and other applications not included in your EHR software. That’s why the Security Risk Analysis’ three sections – administrative, physical, and technical safeguards – are so essential to ensure every aspect of your business’ risk is assessed. Even non-HIPAA experts can conclude that having a HIPAA compliant EHR system is a no brainer. But missing all, or even just some, of the other pieces to the puzzle puts your practice and your patients at high risk. In fact, within  Abyde’s Security Risk Analysis, only 10% of the questions pertain to your EHR system. Whether with Abyde, internally, or with another vendor – it’s essential to review the other 90% of your necessary safeguards before getting slammed with a HIPAA violation. 

Looking to finish your SRA for MIPS by the Dec 31 deadline? We're here to help you get compliant in minutes.

SCHEDULE CONSULTATION
X