Best Practices

Prioritize Your Practice’s Disaster Recovery Plan
Best Practices, HIPAA

Prioritize Your Practice’s Disaster Recovery Plan

April 16, 2020 Comments Off on Prioritize Your Practice’s Disaster Recovery Plan

April 16, 2020 Having a documented disaster recovery plan is incredibly important for healthcare practices to implement in preparation for a data breach, cyber-attack, or a public health emergency like COVID-19. A disaster can be defined as any event that compromises an organization’s operations, data, and network – and due to the current increase in cyber attacks during COVID-19, ensuring your practice is well-prepared for any disaster with a proper contingency plan is all the more important.  You know what they say: always plan for the worst, and hope for the best. We’d like to hope your practice never has to put your disaster recovery plan into action, but it’s better to be safe than sorry especially since it’s required by HIPAA law. The HIPAA security rule states that all healthcare practices must have a contingency plan in place to define the responsibilities of all staff members and overall practice procedures to restore IT systems that contain PHI in case of any disruptive event. The requirements within a disaster recovery plan can seem a little daunting, which is part of the reason why it’s essential to have your procedures in place before a disaster happens. Now let’s break down what exactly you need for your contingency plan:  When it comes to your practice’s disaster recovery plan, having everything properly documented and planned ahead of time will make all the difference in your ability to restore data and respond to an emergency correctly.  If your practice hasn’t created the right disaster recovery plan prior to a threat or event occurring, it’s always a good idea to immediately document and identify how your practice will respond as quickly as possible. Even if you already had a documented disaster recovery plan, when an event does occur it is a great opportunity to revisit your existing plan and adjust any needed areas to be as accurate as possible. Felling a bit overwhelmed? We have some good news for you. Abyde’s comprehensive solution will take the guesswork out of knowing if your practice is prepared. From documenting your risk assessment to generating policies and procedures specific to your practice, to a support team ready to assist you in the event of a disaster, if using Abyde, implementing your practice’s recovery plan won’t be stressful or time-consuming!

HIPAA for Business Associates Checklist
Best Practices, Cybersecurity, HIPAA

Technical Safeguards for Cybersecurity

April 10, 2020 Comments Off on Technical Safeguards for Cybersecurity

April 10, 2020 HIPAA has been around for quite a while – since 1996, in fact – and part of HIPAA law has always included required safeguards to secure all aspects of a medical practice’s protected information. With the rapid adoption of technology within the healthcare industry, technical safeguards included in HIPAA law are some of the most important for practices of all sizes to implement. Technology has enabled businesses in the healthcare industry to move operations offsite. In light of the current public health emergency, allowing for access to all essential data without having to step foot into the office is vital to ensuring practices are ready to see patients after the social distancing rules are relaxed. While these advancements simplify and enhance your business operations, they have made a hacker’s job that much easier as well. Technical safeguards are the documented strategies and solutions that practices implement to secure electronic protected health information and control access to it. These include:  When it comes to the question of which data actually needs to be safeguarded, the answer is pretty much all of it. Any data that is accessed by, sent to or received from other practices or authorized vendors need to be protected as well as any data that has traceable identification that can be linked to a patient. This sensitive data must be encrypted prior to sending or receiving. Encrypting data may seem like a daunting task, but at a basic level, it just means making PHI unreadable to anyone other than the intended parties. Recent Cyber Threats Tied to COVID-19 While ensuring your practice is prepared for a cyber attack is always important, cyber threats have been headlining the news a lot lately along with the current COVID-19 health emergency. Hackers are taking advantage of this time of increased public vulnerability as well as increased use of technology from unsecured networks while many people are working from home. Read up on common tactics utilized in these threats in our recent article. Over the past few weeks, including just yesterday, multiple government agencies have issued warnings regarding recent threats to cybersecurity. These attacks range from individuals posing as government officials seeking access to PHI to other various phishing and malware distribution schemes utilizing the current concern and fear around COVID-19 as hackers ticket into your sensitive data.  Further guidance can be found in the public service announcement released by the FBI and yesterday’s bulletin from the CISA. Hackers aren’t just attempting to play the roles of OCR investigators, or focusing on sending you phishing emails – now your video-teleconferences are at risk too. Video chat apps have become increasingly popular whether it’s for telehealth appointments, office meetings, , or even just virtual happy hours with friends – it’s the best way to stay connected during this time of social distancing. Unfortunately, this added reliance on technology is just another way for scammers to attack. The FBI released additional guidance on defending against Video-teleconferencing (VTC) hijacking and “Zoom-bombing” which refers to attacks directly on the increasingly popular Zoom platform. Some noteworthy tips from this guidance include making sure your virtual meetings are private by requiring a password to gain access. Keeping these meetings private means keeping them off social media or other public-facing platforms so only provide meeting links directly to the individuals you want to be included. These attacks on video chatting software are especially important for medical practices to be aware of as just a few weeks ago the OCR updated their telehealth service regulations allowing doctors to use various communication apps to diagnose and treat patients while maintaining a safe distance.  Practicing Good Cyber Hygiene When it comes to cybersecurity, it’s important to know what to look out for, how to report any potential threats, and most importantly how to keep your practice and your patient data safe. Just yesterday, CISA, the United States Department of Homeland Security (DHS), and the United Kingdom National Cyber Security Centre (NCSC) issued a joint release featuring additional guidance on how to spot potential threats. Important tips for safeguarding your practice’s security during this time of increased risk include: There’s a lot of good ‘cyber hygiene’ out there, but here are a few top tips to keep your practice operations clean: If you have questions about technical safeguard requirements, Abyde has a team of HIPAA compliance experts ready and willing to help navigate your practice through these recent changes. If your practice is interested in learning more, sign up for one of our complimentary HIPAA compliance webinars where we’ll discuss HIPAA & COVID-19 from the comfort of your current remote work location.  

What to do after a HIPAA Breach
Best Practices, HIPAA

Your Practice May Have Experienced a HIPAA Breach – Now What?

March 10, 2020 Comments Off on Your Practice May Have Experienced a HIPAA Breach – Now What?

March 10, 2020 Whether you have recently experienced a breach or are just preparing for the worst, it’s important to know what you need to assess in the event that your practice is faced with a HIPAA incident. Any time your Protected Health Information (PHI) is exposed, whether maliciously or accidentally, your practice may be facing serious fines for a HIPAA violation. The first step is knowing what exactly is considered a breach of PHI.  As defined by the U.S. Department of Health and Human Services, a HIPAA breach is the “impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” This definition is broad and leaves practices to determine if a breach has occurred. If you believe you may have been breached, the next step is to assess your specific level of risk using the following factors:  In any instance where unsecured PHI is involved, properly assessing the level of risk associated with your practice’s potential data breach is an essential first step. Your next steps are reporting the breach and notifying the right individuals as specified by HIPAA. In addition, the number of affected persons, your state’s individual reporting requirements, the types of PHI, and the likelihood the PHI exposed will be used for malicious intent will influence the best way to address the breach. All practices, before a breach ever occurs, should have a Breach Notification Policy in place that will outline the proper reporting steps that must be followed. Like all HIPAA policies, the policy should also include any state-specific breach notification laws that might supersede Federal requirements. It’s important to note that analyzing your HIPAA program shouldn’t only be done after a breach has already occurred. Practices should assess their level of HIPAA compliance regularly and complete the mandatory annual Security Risk Analysis in order to determine areas that could be breached in the future. This not only sheds light on often overlooked risks, such as outdated computer programs or missing policies for regulating access but in the circumstance that your practice does experience a breach you are better equipped to identify and mitigate the issue. In fact, if you experience a breach and have not completed the required Security Risk Analysis beforehand, the likelihood that your practice will be hit with a HIPAA fine goes up dramatically – almost all HIPAA fines levied by the OCR are in part the result of a missing risk analysis.  Updating and maintaining your practice-specific Security Risk Analysis and policies on a regular basis may seem daunting, but software solutions (like Abyde!) help streamline and automate this process to simplify your compliance program.

How to Dispose PHI
Best Practices, HIPAA

So You Have PHI to Dispose of – Now What?

February 26, 2020 Comments Off on So You Have PHI to Dispose of – Now What?

February 26, 2020 The days of simply shredding paper records and files to dispose of Protected Health Information (PHI) are behind us as the use of technology continues to become more prevalent within the medical industry. Under the HIPAA Privacy Rule, practices are required to implement the proper administrative, technical, and physical safeguards when it comes to protecting patient privacy. This rule dictates that covered entities are responsible for implementing and maintaining these policies.  For many practices, disposing of electronic or regular PHI in the proper way may be daunting. Instead of always shredding a paper file, practices now have to follow recommended methods to dispose of data provided by the U.S. Department of Health and Human Services. These methods include: Without a simple checklist to follow, it is difficult to guarantee that the best measures are being taken to protect this secure data. In fact, covered entities and business associates have been hit with hefty fines for not disposing of PHI properly. RELATED: IS YOUR PRACTICE MEETING HIPAA DATA SECURITY REQUIREMENTS? DOWNLOAD OUR HIPAA CHECKLIST AND FIND OUT! In one well-publicized example, a shredding company left thousands of patient files unlocked and unguarded for anyone to take. The shredding company, as well as the covered entity whose files were left unsecured, were both hit with monetary settlements. Another incident of improper PHI handling left almost 10,000 individuals impacted. In this case, a pharmacy disposed of an electronic device used for customer signatures without properly wiping the device first. This exposed a vast amount of PHI including patient names and signatures along with prescription numbers and medication names.  Many of these incidents occur due to the lack of policies set in place by the practices for business associates and other outside parties handling patient data. Another case that led to monetary penalties totaling a whopping $140,000 resulted from a medical billing company disposing of 67,000 patient records in a public dumpster.  Unfortunately, improper disposal of PHI is the source of many data breaches and HIPAA violations. Implementing the correct policies for disposal of PHI is paramount, and each employee must be trained on proper PHI disposal to ensure that your practice is taking every step possible to keep protected health information secure. 

Are you prepared for OSHA's Workplace Violence Prevention requirements? Learn what you need to do to be compliant.

DOWNLOAD CHECKLIST
X