August 25, 2020 Earlier today, the Office for Civil Rights (OCR) sent out their seasonal Cybersecurity Newsletter on a very timely and relevant topic – the importance of keeping track of devices that contain electronic protected health information (ePHI). The OCR’s newsletter highlights two important things for independent practices: first, that having an asset log is the recommended method for tracking and thus safeguarding devices that contain ePHI, and second, that the OCR views practice’s lack of knowledge around where their devices are as a key area of concern. Part of the HIPAA Security Rule, practices are required to implement the necessary technical safeguards covered in the Security Risk Analysis (SRA) – including encrypting and securing their devices that contain sensitive ePHI. While an asset log isn’t directly required under HIPAA, the OCR highly recommends the creation and maintenance of an IT asset inventory to better understand where ePHI may be stored and strengthen overall compliance with these requirements. What does an Asset Log entail? We know it’s hard to keep tabs on everything within your practice, but when it comes to your devices keeping inventory is key. As the OCR’s newsletter highlights, the asset log should be a comprehensive list of all IT assets with corresponding descriptive information. The OCR notes that this list could include ALL devices, even those that don’t access ePHI directly, as they could contain ePHI unknowingly or be an entry point for cyberattackers to your network. Your list should include: When documenting these assets, Abyde recommends including all the following information: Additionally, it is important to regularly update your asset log as devices are moved around by location or by assigned staff members. Just like an SRA, your asset log should not be a ‘one and done’ project, and should instead be reviewed regularly. You should also track when devices are disposed of, as properly disposing of devices that contain ePHI is a common cause of HIPAA violations. No matter the size of your practice, creating and maintaining a thorough asset log isn’t an easy task. With a program like Abyde, our built in Asset Log covers all the OCR recommendations and then some – helping you track devices at high risk and making your IT inventory intuitive. Having the ability to access your asset log within a cloud-based solution like Abyde makes reviewing and updating inventory a breeze, and helps ensure you’re complying with all the right technical safeguards.
Properly Encrypting ePHI: What Your Practice Should Know
August 20, 2020 Even before COVID-19, electronic solutions were transforming the way practices work and communicate with patients and other providers. As technology continues to evolve within the healthcare industry, it’s important to understand how to properly secure sensitive protected health information (PHI) when stored or transmitted. What does encryption actually mean? Protecting patient data from cyberthreats goes beyond having appropriate passwords. It means having the right technical safeguards in place including properly encrypting any PHI created, stored, sent, or received by your practice. So what exactly is encryption? Encryption means that content containing sensitive data is made unreadable for anyone except those authorized to view the information. This process essentially uses a software or algorithm to ‘lock’ the data or written text and requires an encryption key to make the information decipherable again. What should be encrypted? So what should be encrypted? Simply put, the answer to this question is pretty much anything containing PHI. This includes data that is being sent to someone else such as a patient, business associate, or another provider. Examples of this include: Why does encryption matter? For a typical practice, your EHR system is likely already encrypted – but your EHR isn’t all that matters. All other laptops, external hard drives, servers, and communication systems are at high risk if they are not also properly encrypted to protect from cyberthreats. In fact, failing to encrypt devices has been the cause of various HIPAA violations. Recently, a covered entity in Rhode Island faced a $1,040,000 fine from the OCR on top of a 2 year corrective action plan. The violation resulted from a stolen unencrypted laptop, leading to over 20,000 patients data being exposed. Part of the reason for the hefty fine was the organization’s “systemic non-compliance” when it came to proper encryption of devices. The entire incident could have been avoided if the entity had the proper technical safeguards in place. With cybersecurity threats on the rise and electronic communication becoming more commonplace, it’s all the more important to ensure the protection of your patients’ information. Implementing encryption services is a great way to best protect your practice and prevent HIPAA violations. If using an external vendor for encryption, make sure to have the appropriate business associate agreement in place as well.
Recently Offboarded Staff? Don’t Forget About HIPAA Requirements
August 6, 2020 Many practices have an organized system for welcoming a new employee to the team. Usually, new staff is an exciting addition, and you’ve likely got your welcome bag, name tags and business cards at the ready. But, when it comes to the end of an employee’s life cycle at your practice – not uncommon in 2020 due to COVID-19 – the process may not be as exciting or as organized. The uncertainty that surrounds having to terminate an employee can be messy, leading to paperwork and processes being executed in haste. In this hurry, mistakes are often made leaving sensitive patient data exposed to unauthorized recipients. Even if you have the best intentions and think it’ll never happen to you, data breaches continue to surface stemming from improperly terminated access. Whenever you part ways with a former workforce member, full offboarding measures must be taken to ensure full protection of your practice as well as your patient’s data. The HIPAA Security Rule specifically details the required termination procedures in Section 142.308(a)(11) as the “formal, documented instructions for ending employment and closing off internal and external access.” This removal of access can be done by implementing the following offboarding actions: Even for former employees, documentation is still essential when it comes to HIPAA compliance. Your practice should keep all HIPAA training certificates on file for up to 6 years even if terminated. If a breach occurred prior to an employee’s termination, or an audit occurs even after termination, you will need to produce a copy of the training certificate to prove that each staff member was properly trained at the time. Other steps that should be taken on a regular basis to help improve the security within your practice as well as help ensure a smoother offboarding process include: You may have a system in place for offboarding, but if you’re a busy practice there’s no harm in waiting a month or two to make sure access is revoked, right? Well…not so much. Every day that your former staff still have access to PHI is not only another day of increased risk, but also a major concern if ever audited or investigated by the OCR. In fact, failing to properly implement these procedures when offboarding employees has been the catalyst for multiple HIPAA breaches. In 2018, a Colorado Hospital found themselves in a HIPAA violation costing them $111,400 after terminating an employee without proper offboarding. The employee was not removed from the hospital’s online-based scheduling calendar which contained PHI – ultimately allowing continued access to the PHI of almost 600 patients. Along with the former employee’s access, it was found that the medical center’s web-based scheduling calendar vendor also received access to PHI without the proper Business Associate Agreement in place. In response to this settlement OCR Director, Roger Severino emphasized that “This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn’t.” Equally as important as staff is properly offboarding any vendors your practice worked with. If any of your vendors have any access to your practice both physically as well as electronically they must be properly removed when your work contract is terminated. Things like disabling remote access to servers from any accounts with administrative privileges are often overlooked and can be a huge risk for data breaches and HIPAA violations. In fact, having a proper Business Associate Agreement in place with these vendors puts them on the hook for removing access and returning or destroying any PHI they may have had or created on behalf of your practice. Having a comprehensive plan from the start to finish of an employee’s time at your practice will have a huge impact on ensuring the security of the sensitive patient information within your organization. While you most likely won’t have to deal with an employee gone rogue, being proactive and making certain that there are no loose ends when it’s time for a staff member to leave will help make the offboarding process seamless and stress-free.
HHS Extends National Public Health Emergency & Limited HIPAA Waivers
July 30, 2020 COVID-19 has made 2020 feel like both the shortest and longest year ever, and if rising cases are any indication it’s not likely to let up anytime soon. You may have already expected our ‘new normal’ of mask-wearing, keeping a 6-foot distance, and HIPAA waivers to be here for the long haul, and the recent Department of Health and Human Services (HHS) extension of the National Public Health Emergency solidifies that notion. Just last week the HHS announced the renewal of the National Public Health Emergency and an extension of limited HIPAA waivers until October 23, 2020. This declaration means more than continued social distancing rules, and also extends the many other waivers and flexibilities issued by the HHS in the initial response to the pandemic. These waivers work to mitigate the risks to the health of the general public while assisting healthcare providers with the necessary accommodations to protect their practice and continue serving their patients. To give a recap on everything that’s been changed or updated in lieu of COVID-19: In addition to the specific waivers granted in response to the pandemic, practices should be aware of additional guidance covering the expansion of cyber security attacks in response to increased remote operations, reminders on restrictions of sharing patient information to the media, and proactively safeguarding against the recent rise in patient complaints due to COVID-19. As part of the recent extension of HIPAA waivers, the HHS has specified a 90-day period until waivers are expected to be lifted. Practice’s now have a clear timeframe of when they need to implement HIPAA compliant solutions for tools like telehealth which may currently be done using a non-compliant software. To prevent a HIPAA violation as these waivers end in October, it’s important that your practice proactively prepares by: While these HIPAA regulation flexibilities have been extended, they aren’t going to last forever. Keeping your practice one step ahead will make all the difference in your ability to avoid any HIPAA violations or fines as standard regulations take effect again. If HIPAA hasn’t been your number one priority over the past few months, you should start now and use this 90-day extension to ensure you have a complete compliance program in place, especially as 2020 continues to fly by.
Requirements for HIPAA Training
July 22, 2020 You know the saying ‘teamwork makes the dream work’? The same goes for HIPAA compliance within your practice, too. The easiest way to make sure everyone is on the same page is to implement a comprehensive HIPAA compliance training program. HIPAA training is key to securing your patients’ information and instilling a culture of compliance within your organization. Compliance is a group effort, and ensuring that all workforce members have a full understanding of their HIPAA responsibilities will limit the accidental exposure of protected health information (PHI) and avoid potential high dollar settlements for the practice. 58% of healthcare breaches involve practice employees, and these breaches are largely a result of employees improperly disclosing patient information, the mishandling of medical records, losing devices containing electronic protected health information (ePHI), or a general lack of training. This makes education a key aspect in preventing improper access or misuse of PHI. Unfortunately, the Office for Civil Rights (OCR) doesn’t provide any lesson plans or online training classes – leaving the burden of providing proper education completely on your practice. Here are a few key points to keep in mind when it comes to the “who, what, when, and how” of employee training. Who needs to be trained? All workforce members, part-time, contract, or full-time, that come into contact with protected health information must be properly trained. This includes providers as well. HIPAA law states that training must be done “as necessary and appropriate for the members of the workforce to carry out their functions.” Some staff members, like your practice’s HIPAA Compliance Officer, should be trained more frequently than the rest of the staff and the material should be specific to their HCO duties. What needs to be included in the training? HIPAA doesn’t specify any particular topics that should be covered or what timeframe they should be addressed in, but training should be designed around what a staff member needs to know in order to perform their job function. That might include new employee training that covers the basics and additional training that dive more deeply into the nuances of how HIPAA impacts the staff’s daily job roles. Common HIPAA training topics include: When should employees be trained? While HIPAA does not technically specify the timeframe of ongoing training, most agree that annual training is the appropriate timeframe to keep HIPAA top of mind for staff. In addition, any new employees must complete initial training on HIPAA within a reasonable time after being hired – this is recommended within the first 90 days of employment. HIPAA training should be a key part of the employee onboarding process to ensure compliance. It will also set the standard that HIPAA compliance is important to your practice. How long must each training be? There’s no specified length of training regulated by HIPAA, but the length must be sufficient enough to cover all the necessary materials. The quality of the information being provided as well as the effectiveness of how it is taught is the most important aspect of proper training. This could mean a shorter but more engaging training, such as an animated video and interactive quiz. There’s also no specifics that identify if training must be completed individually or as a group. Utilizing training videos may help your practice avoid losing valuable patient time by letting staff complete training on their own time. What is required to document training? One of the most important aspects of completing HIPAA training is to document each staff member’s completion. When it comes to HIPAA, document, document and document some more. It is key to providing proof of compliance if ever audited or breached. For training, a certificate of completion showing who completed the training and when it was completed will show all needed information. Offering a modular-type training format, such as a quiz after training, is important for showing that employees retained the material. Unpacking HIPAA means peeling back a lot of layers, and ensuring that each employee is properly trained on HIPAA’s nuances to fully understand what’s needed to be compliant may seem daunting. A solution like Abyde makes HIPAA training as easy as a click of a button, sending animated training videos that keep HIPAA fun and engaging. No matter the training solution your practice chooses, make sure it meets all HIPAA requirements and most importantly delivers content in a way that will be retained and understood by your employees.
My EHR system makes me HIPAA compliant, right?
July 16, 2020 Let’s face it, in today’s digital age, it’s tough to find a medical practice that doesn’t utilize an Electronic Health Records (EHR) system. Even if you were late to the game and just recently made the switch, the use of EHRs in doctor’s offices nearly doubled between 2009 and 2017, to almost 86% of providers. One of the biggest qualifications for any EHR system is that it meets all HIPAA compliance requirements to protect the sensitive patient data held within it. But is that where HIPAA compliance begins and ends? A common misconception many providers have, however, is that implementing a HIPAA compliant EHR ensures their practice is in compliance with all standards – instead, it’s just one piece of the much larger puzzle. Make no mistake, having a HIPAA compliant EHR is essential. There are a number of safeguards that should be implemented to protect your EHR’s electronic data, such as: While these safeguards are key, there are other HIPAA requirements that go beyond the security of your EHR software and impact your practice’s operations, physical accessibility, and all technology used within the organization – including IT networks and other applications not included in your EHR software. That’s why the Security Risk Analysis’ three sections – administrative, physical, and technical safeguards – are so essential to ensure every aspect of your business’ risk is assessed. Even non-HIPAA experts can conclude that having a HIPAA compliant EHR system is a no brainer. But missing all, or even just some, of the other pieces to the puzzle puts your practice and your patients at high risk. In fact, within Abyde’s Security Risk Analysis, only 10% of the questions pertain to your EHR system. Whether with Abyde, internally, or with another vendor – it’s essential to review the other 90% of your necessary safeguards before getting slammed with a HIPAA violation.
HIPAA Compliant Digital Marketing for Healthcare Practices
July 8, 2020 Nowadays, you can shop online for anything – from chopsticks that double as LED lightsabers to a wig for your dog (seriously, we’re not kidding), and shopping online for a healthcare provider is no different. The internet plays a key role in a healthcare consumer’s decision making, in fact, according to a study released by the Pew Internet & American Life Project, “80 percent of Internet users, or about 93 million Americans, have searched for a health-related topic online.” Let’s face it, we use the internet for basically anything and everything nowadays especially as we continue to adapt in today’s COVID-19 world, which is why it’s important for your practice to understand what is and isn’t allowed when it comes to HIPAA compliance and online marketing. Using online marketing as a tool can be extremely beneficial for practices. Most medical practices have a website and many use social media and email marketing as tools to reach potential patients – ensuring you are utilizing these platforms in a HIPAA compliant manner is imperative to marketing in the right ways while still ensuring the privacy of your patients and security of your practice. Whether it be for your practice website, social media page, or advertisement – if you would like to use any type of patient information there are some strict guidelines to follow: Your Practice Website Having a HIPAA compliant website for your practice enables patients to search for information regarding the services that you provide, and ultimately drive new patients to you. The following are some key tips to follow when creating and maintaining the website for your practice: Email Marketing If choosing to use email marketing to engage with patients there are some key safeguards you must take to ensure you’re protecting your patients’ information and aren’t setting yourself up for a HIPAA violation: Social Media Nowadays social media platforms play a large role in consumers’ decision making. Having a strong social media presence can be a great asset to your practice, but in order to use social media to your advantage, you should follow these guidelines: Where marketing regulations get tricky is patient reviews or comments on digital platforms. While patients are able to post a review or comment about your practice, you cannot respond in any capacity that ties the patient to your practice. A dental practice in Texas was faced with a $10,000 fine along with a 2-year corrective action plan after they responded to a patients’ Yelp review. The practice had responded to multiple reviews the investigation found, disclosing patient information including names, medical diagnoses, and more and was only hit with a small fine due to their immediate cooperation with the Office for Civil Rights. On top of ensuring that you’re meeting all the criteria for a safeguarded online presence, you should also create a well-documented strategy that clearly outlines what’s permitted and what isn’t for your staff. This should cover the necessary policies and procedures for marketing to patient’s whether it is done online, over the phone, or in person.
Is Your Telehealth Solution HIPAA Compliant?
July 2, 2020 Ever thought you’d be saying “What’s up Doc?” on a video chat from home? Telehealth has made remote visits a new reality – though not all telehealth providers have been created equal when it comes to being HIPAA compliant. Why is it important for telehealth to be compliant? 90% of healthcare executives have already or are planning to adopt telehealth services within their operations, and as remote patient care continues to explode in popularity so do the risks to compromising that patient information. Part of telehealth’s current popularity is due to COVID-19. To best meet the urgency brought on by COVID-19, the Office for Civil Rights (OCR) provided an update to the provision of telehealth services allowing providers to use any form of non-public facing video communications with patients, even if they weren’t considered ‘HIPAA compliant.’ While this enforcement discretion is only temporary, we can predict that the general public will prefer to keep their distance and avoid face-to-face doctor visits if possible for the foreseeable future. In fact, a recent study found that 74% of Americans would be comfortable and willing to use telehealth services for their doctors appointments. While COVID-19 has made a major impact on telehealth services, the ability to provide care remotely has been growing in popularity for several years. The value of telehealth goes beyond allowing for social distancing between patients and providers, including: With all the benefits presented in utilizing telehealth services, there are also additional risks to be aware of. The following are some key recommendations for implementing telehealth in the most secure way possible: The explosion of telehealth providers to meet the new demand after COVID-19 has seen some great – and some not so great – products within the telehealth market. If you are looking into adding a telehealth solution, be sure it is one that has proper safeguards and programming to prevent and contain possible cyber threats. An unsecured telehealth provider could make your patient data vulnerable – such as chatbot and telehealth startup Babylon Health, whose users found dozens of videos of other patients’ appointment consultations in their app due to a software glitch. While the issue was quickly corrected, implementing a non-compliant telehealth app creates a high risk for potentially compromising patient data. As the healthcare industry continues to implement technology solutions, it’s important to ensure that sensitive patient information remains safeguarded from additional risks that technology presents. Utilizing HIPAA compliant providers for telehealth and having the proper Business Associate Agreements in place are key to providing the most effective and protective services for your patients.
So, What Exactly is a Security Risk Analysis?
June 2, 2020 You might be aware that all practices need to complete a ‘Security Risk Analysis’ as a part of their HIPAA compliance program, but do you know exactly what this analysis covers? While this is the first step and among the most important aspects of a complete HIPAA program, it is often missed or not properly completed – in fact, during the latest round of OCR audits, 83% of covered entities could not show a properly documented Security Risk Analysis for their practice. The HIPAA Security Rule defines a Security Risk Analysis (SRA) as an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronically protected health information held by the covered entity or business associate.” In layman’s terms, the risk analysis is a systematic review of your processes and policies that is ultimately designed to shed light on any aspects of your practice that could be considered weaknesses in protecting the privacy and security of your practice and the protected health information (PHI) it holds. Not having a properly documented analysis leaves potential risks unidentified and is a huge red flag for your overall compliance efforts. What questions does an SRA need to include? There is no specific checklist to follow when it comes to performing a risk analysis for your practice. The OCR does however provide specific elements that should be included. Your assessment should: Completing a risk analysis for your organization is not just a one-time thing. Assessments should be reviewed periodically, especially as new work processes are implemented or technologies are updated. After events such as COVID-19, addressing any changes your practice made regarding remote operations, utilizing telehealth services, or receiving/providing more information electronically rather than in a physical exchange are all things that will need to be addressed for any additional vulnerabilities or threats they brought on. What’s the best way to tackle an SRA? If your organization hasn’t completed an SRA before or has done so in a more basic or incomplete manner, using an outside organization will help to ensure all areas of the SRA are fully completed and documented accordingly. A third party can also help add new areas and questions to the SRA that reflect changing regulations as well as technology enhancements that present new threats or vulnerabilities to your organization.
It’s Time to Trash Your HIPAA Binder
May 27, 2020 You can shred it, burn it, use it as a paperweight – we don’t really have a preference – but by all means, it’s time to move on from your out-dated physical HIPAA manual. When trying to comply with HIPAA regulations, it may seem counterintuitive to roast smores using documented privacy policies and procedures, but now is the perfect time to grab your massive HIPAA binder that hasn’t been touched in years and toss it out with yesterday’s newspaper. Technology has paved the way for increased efficiency within medical practices. The days of thumbing through filing cabinets have been relieved by databases providing instant access to everything your practice may need. This transformation provides countless benefits for both practices and patients, just as modernization has benefitted HIPAA regulations. The medical industry, among others, continues to move towards more ‘paperless’ operations – including that bulky, cumbersome HIPAA manual most often left collecting dust in a closet within your practice. Despite these advances, many practices are still relying on a physical binder or other paper-based resource to keep track of their HIPAA compliance policies and procedures. In fact, many may still think that a paper manual is the only way to meet HIPAA requirements. While this would be a valid source of documentation should your practice ever experience a data breach or audit, HIPAA regulations don’t specify the need for a physical or paper copy of your documentation. In fact, there are many benefits to taking your stack of unused papers into the electronic realm. An electronic binder (especially one through a cloud-based software provider) offers a number of benefits, including: There is a lot that comes with maintaining HIPAA compliance – and the biggest hurdle many practices face is having the proper documentation of this culture of compliance. If your practice has put in the hard work to complete your risk analysis, documenting that work properly and in an accessible format is essential. In fact, 83% of practices that were audited by the OCR in 2019 did not have a properly documented security risk analysis. This is in part due to outdated paper policies that don’t fit the practice’s current structure or procedures. An electronic and continually updated HIPAA ‘binder’, in contrast, fulfills all HIPAA regulations and requirements around documentation. COVID-19 has had a large impact on HIPAA enforcement and regulations, and many practices have begun utilizing telehealth services as well as implemented new policies and procedures surrounding cybersecurity during newly remote operations. All of these changes and updates to your practice’s work with PHI, even if it’s just temporary, must be documented properly within your HIPAA manual. Having an electronic version of your manual means going in and updating with a few clicks of a button – saving your practice time (and paper) during an already turbulent time. If your practice has always had a paper HIPAA binder, moving to an electronic manual that offers all of the above features may be easier said than done. That’s where a HIPAA compliance software solution, like Abyde, comes in to ensure your HIPAA program is up-to-date with any new changes regarding HIPAA or state-specific laws with dynamically generated policies and procedures built specifically for your practice – providing you much more than just an updated version of your HIPAA manual. If your practice has been stuck on paper, let us show you how going electronic can save you hours of HIPAA headaches.