December 6, 2021 As a healthcare provider, tackling your daily to-do list probably feels like running a marathon without a finish line at times. You’re tasked with managing a successful business, keeping up with ever-changing legislation and new technology all the while having to ensure that your top priority of patient care never falls behind. But despite the challenging course, there’s a benefit to keeping pace with both quantity and quality. And thanks to Value-Based payment programs like MIPS and other government incentives like the HIPAA Safe Harbor Law, providers are rewarded for going the extra mile. You’ve most likely heard of the Merit-based Incentive Payment System (MIPS) and might even be participating in it already. But whether it’s a Quality Payment Program or new legislation passed into law – the government is continually emphasizing the importance of being proactive rather than reactive and providing incentives for doing so. This is why there’s so much value in knowing what your organization is eligible to participate in (or using government lookup tools like this one if you don’t) and getting yourself on track to ensure that no money is being left on the table. Because many of these different program requirements fall right in line with the standards your practice already has to meet under HIPAA law – protecting your patients, checking off compliance requirements and receiving incentives can often be done all in one stride. So, what exactly is MIPS? To take a quick step back, MIPS is one of two payment tracks under the Medicare Quality Payment Program and is a system used by the Centers for Medicare and Medicaid Services (CMS) to measure eligible clinician performance and reward high-value, low-cost care. 
MIPS participants can receive a payment adjustment to their Medicare reimbursements based on their performance scores across four different categories: Now, achieving high scores in each of those categories requires some endurance, but luckily your organization can check several quality and interoperability objectives off just by utilizing a compliant and reputable EHR system. But before you can get to these different performance measures, there’s a prerequisite for even participating in the MIPS Promoting Interoperability performance category, which also just happens to be a front-runner for achieving HIPAA compliance and taking advantage of other government incentives like the Safe Harbor Law – the Security Risk Analysis (SRA). The SRA is not only a requirement for MIPS participation but is also the first step in achieving a complete HIPAA compliance program. Conducting an SRA involves assessing any potential risks to your organization’s ePHI and implementing the necessary security updates and safeguards to mitigate whatever vulnerabilities were found. To fulfill MIPS and HIPAA law standards, your organization must complete an SRA annually at minimum and should continually review and update the analysis to address any changes in your technology or practice operations throughout the year. In addition to being a necessary stride towards implementing a complete HIPAA compliance program and enabling your practice to participate in MIPS reimbursements, the SRA is also key in ensuring your patients’ sensitive health information is best protected. As the healthcare industry continues to emerge as a top target for data breaches, having the proper cybersecurity practices in place is essential. The government recognizes these additional hurdles that providers are faced with, and knows the importance of identifying and mitigating security risks within the organization before an incident occurs.
This is exactly where the HIPAA Safe Harbor Law that we keep mentioning comes into play. The legislation, passed in January 2021, essentially says that organizations can receive reduced HIPAA fines and penalties if they have the proper security measures in place – step number one being (you guessed it) a properly completed SRA. But while it’s one thing to know why your organization should be meeting the requirement, it’s another to actually know what to do to get your practice off the starting blocks – and avoid the many misconceptions that might slow you down. Luckily, a solution like Abyde makes conducting a thorough and accurate assessment of your organization a breeze. With dynamically generated questions to cover all the necessary safeguards and ongoing compliance assessments to ensure any identified risks are mitigated, you can feel confident that your organization is covered. Even though adding the SRA to your already jam-packed to-do list might seem like adding miles to the track, with Abyde you can score your best time and complete this key requirement in just a few clicks of a mouse and only 20 minutes a month. So while your marathon of responsibilities might go the distance – with the close of 2021 right around the corner, the only way to get your organization across the finish line and meet HIPAA and MIPS requirements is to have a properly completed Security Risk Analysis in place.
Is Fraud, Waste and Abuse Training Required For My Practice?
August 27, 2021 It’s understandable for healthcare organizations to sometimes feel drowned by responsibilities. In addition to the ongoing balance of patient care and running a business that you’re already tasked with, having to add compliance into the mix can make for some especially muddy waters to tread. However, the compliance struggle is more than just having yet another thing added to your list. It is all of the complexity and confusion that surrounds it. And since the word “compliance” covers many different legal, ethical and professional standards, it’s not always easy to decipher which items are a must-have to keep your practice afloat. So when it comes to the responsibilities of your practice, though providing quality healthcare and protecting your patients is always a must, not all organizations have to follow the same requirements. Because of this, one question in particular that seems to leave practices scratching their heads is, “Are we responsible for providing fraud, waste, and abuse training to employees?”
What is fraud, waste and abuse training?
If you are familiar with fraud, waste and abuse (FWA) you most likely understand the impact it has on the healthcare industry and why it’s so important to prevent. All employees within a healthcare organization should know what FWA is and how to avoid it, the same as they should know what HIPAA is and how to protect patient health information. However, while annual HIPAA training is a legal requirement with specific stipulations for compliance, the rules are a bit different when it comes to FWA education. Previously, the Centers for Medicare and Medicaid Services (CMS) required both Medicare Part C (Medicare Advantage) and Part D (Prescription Drug Coverage) plans, along with all participating healthcare organizations, to meet the annual fraud, waste and abuse training requirement.
Training was to be provided to all employees within the first 90 days of onboarding and on an annual basis thereafter. The goal was to clearly define what fraud, waste and abuse are and ensure all health plan providers and their “downstream, related entities” (a.k.a. healthcare organizations like you) have the know-how to properly detect, correct, report and ultimately prevent instances of FWA. Now if you’re already meeting HIPAA training requirements (fingers crossed that you are), the stipulations for FWA training probably seem straightforward enough. However, in typical government fashion, with legislation come continual changes, and as of January 1, 2019, CMS officially updated the standard to only apply to Medicare service providers – not Medicaid – based on the feedback they received regarding the burden of the requirement. But before all the non-Medicare providers who are currently reading go to click the “x” at the top of this page, there are other specific insurance plans that may require their covered entity providers to complete some type of healthcare fraud training. One thing to keep in mind is that even if your organization doesn’t fall into these parameters, providing FWA education for all employees is certainly beneficial. So in getting back to that commonly asked question – the requirements for offering fraud, waste and abuse training really just depend on the healthcare plan that your organization provides. Luckily, finding answers can be a simple process as most plans provide their specific standards for not only training but general FWA compliance online. Additionally, CMS offers an online resource that’s free to the public. In summary, including fraud, waste and abuse education as a part of your staff compliance training doesn’t have to be complicated.
And with the costly impact that FWA and noncompliance can have on your organization, providing this training (even if you aren’t required) can make all the difference in keeping your practice’s head above water and avoiding a violation or fine that could otherwise put you under.
The Security Risk Analysis and its Many Misconceptions
August 13, 2021 HIPAA is kind of like a puzzle – without having each and every individual requirement in place, your practice can’t consider itself fully compliant. But much like building a jigsaw blindfolded, it’s a lot harder to piece together the big picture of compliance with all of the misconceptions out there masking what HIPAA’s requirements actually entail. Now, the first piece in this so-called “HIPAA puzzle” is the Security Risk Analysis (SRA), which requires all covered entities to assess any potential risks and vulnerabilities to protected health information (PHI) based on the physical, technical, and administrative safeguards that their organization has in place. It’s essentially just a self-evaluation that helps lay the groundwork for a complete HIPAA program AND is the first thing a practice will be asked to provide in the case of an audit. But despite its importance, only 14% of entities actually fulfill the requirement – so what is causing this lack of compliance and why does the SRA seem like an unsolvable puzzle in itself? A large piece of the widespread noncompliance is all of the confusion that surrounds the ‘what, why, and how’ of the SRA. This is why, in order to ensure all organizations know how to complete the first part of the big HIPAA puzzle, we need to break down the myths vs the facts.
Myth #1: Small practices and independent providers don’t need to worry about the SRA. False: All providers, no matter the size or specialty, are covered entities under HIPAA and are therefore obligated to perform a risk analysis along with all other requirements under HIPAA law.
Myth #2: My Electronic Health Record (EHR) takes care of privacy and security, so I don’t need to complete an SRA. False: Even with a certified EHR, the risk analysis isn’t completed for you. The EHR vendor may provide information and training on the privacy and security aspects of their product, but they are not responsible for privacy and security compliance within your practice. Additionally, an SRA involves all PHI within your organization, including what isn’t housed in your EHR, like paper records and files.
Myth #3: My IT company handles a full SRA. False: Similar to the confusion around your organization’s EHR, IT companies might help to assess technical safeguards and identify technical risks – but they do not provide a comprehensive analysis of all aspects of your organization to cover the administrative and physical requirements.
Myth #4: I can use a templated checklist to complete my SRA. False: While the government does provide some tools that can be used as helpful guidance for conducting an SRA, in order for the analysis to meet the requirements it must assess specific elements of your organization and practice operations, which may differ from the types of things assessed in a template or generic checklist.
Myth #5: The SRA is a one-time thing and as long as I completed it once, I’m good to go! False: The HIPAA Security Rule specifically states, “the risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.” But although your organization does need to be conducting an SRA on a continual basis, this doesn’t mean that each year you’ll need to start over from scratch. It’s important (and required) that you update your SRA annually at the very least, as well as any time there are changes to your practice or systems, to identify any changes in risks and maintain the necessary safeguards within your organization.
While we hope our little game of “myth busters” helped clarify any confusion around what goes into completing this requirement and why it’s so important, we know that it might’ve also caused some concern for how a small, independent practice is supposed to tackle all of this alone.
Completing a comprehensive analysis (on an ongoing basis) along with the proper documentation and risk mitigation that’s required involves time, resources, and expertise that might seem unfeasible to a small or medium-sized organization. But luckily there are outside resources available to help debunk the other misconception that completing an SRA HAS to be challenging. So while your practice can tackle this requirement DIY-style, a software solution like Abyde makes it so you don’t have to – providing all the tools and support to guide you through the misconceptions and help to put the pieces into place so that your practice can easily complete the puzzle of HIPAA compliance. Schedule a one-on-one consultation today to see where your practice currently stands and how Abyde makes meeting the SRA – and all other HIPAA requirements – a breeze!
Fraud, Waste, and Abuse in Healthcare
August 6, 2021 Fraud, waste, and abuse are three little words that have impacted the rising cost of healthcare in a way that’s anything but little. Now, most are probably aware that U.S. health expenditures are growing at a rapid rate, and have been for many years. And while there are many reasons the healthcare industry closed out 2020 with a whopping $3.8 trillion tab, ‘fraud’ is a five-letter word that can account for about $60 billion of it. So with an issue this common and costly, how can patients and providers help to stop it?
What is it?
Now, you’ve probably heard of fraud, waste, and abuse before and can associate each of them with nothing but bad news, but what exactly do they mean to healthcare specifically?
Who can commit fraud?
The answer to this question is pretty much anyone. This includes doctors, patients, billing services…you name it. That being said, as a healthcare provider, it’s your job to not only ensure that you aren’t partaking in any fraudulent activities but also to be on the lookout for your staff, patients, and billing providers.
How do I prevent it?
As a provider, it’s important to develop appropriate prevention policies for your organization that outline best practices for avoiding and detecting healthcare fraud, waste, and abuse.
According to the HHS Office of the Inspector General, this program should “establish a culture within an organization that promotes prevention, detection, and resolution of instances of conduct that do not conform to Federal and State law, and Federal, State and private payer healthcare program requirements, as well as the organizations’ ethical and business policies,” and include some of the following components: In helping to reduce and ultimately prevent fraud and abuse, it’s important for your organization to not only have the proper compliance programs in place but also take additional measures such as: With billions of dollars lost each year to health care fraud in the U.S., and the costly impact an investigation could have on your organization’s reputation and revenue, it’s important to have the processes in place to detect and prevent fraud and abuse. Ensuring that your practice is meeting all areas of healthcare compliance, including a complete HIPAA program, is essential to keeping up with government standards and best protecting your patients. So while the rising cost of healthcare might not be totally avoidable, having the right compliance programs in place means that the expense of a HIPAA or fraud violation can be. And with penalties ranging from fines of hundreds of thousands of dollars all the way to jail time, proactively preventing incidents before they happen and ensuring complete compliance is priceless.
Your Organization’s HIPAA Rulebook: Policies & Procedures
June 21, 2021 Imagine if each sport didn’t have its own set of rules – we’d have baseball players tackling each other in the outfield and hockey players kicking the puck down the ice in front of a stadium full of confused fans with not a clue as to what they’re supposed to be cheering for. These unique sets of guidelines tailored specifically to each sport enable athletes to excel and spectators to appreciate what they’re watching. Without them, the games wouldn’t make much sense. So while the excitement of HIPAA is nowhere near anything you might find in a sports arena, having a rulebook specific to your organization is essential to ensuring patients’ sensitive information is being handled properly and HIPAA requirements are being upheld. HIPAA law came into play back in 1996 to set a national standard for how protected health information (PHI) should be handled and protected. Part of its requirements include the implementation of reasonable and appropriate policies to comply with these standards, but what exactly does reasonable and appropriate mean? Essentially, your organization is required to have policies and procedures in place to set expectations for how PHI should be handled, as well as to guide daily work operations and ensure consistency in patient care. But just as the specific rules differ for a game of football versus tennis, a small eye care facility has different expectations and work operations than a large hospital would – and therefore requires its own unique HIPAA rulebook.
What Do These Documents Include?
For any HIPAA fanatics out there, you might already be familiar with the Security Rule’s provisions around the administrative, technical and physical safeguards necessary for protecting PHI, which cover a wide range of requirements like completing a Security Risk Analysis (SRA), implementing facility access controls and maintaining up-to-date asset logs.
So in looking at the documentation requirements, your policies should outline these required safeguards as well as the standard procedures for your organization to implement these protections. While the full list of documents and their included content will vary based on your organization’s size and specialty, there are some must-have elements that each rulebook should contain, including:
How Should These Policies & Procedures Be Implemented?
While the list provided above is definitely extensive and probably brings along an image of an overflowing HIPAA manual, it’s only a sample of all the policies and procedures that your organization could potentially need to implement. And while yes, you can find templates for the majority of these policies online and even some directly on the HHS website, they lack an especially important element of the HIPAA requirement – customization. The latest HIPAA Industry Audit Report uncovered widespread non-compliance for the policy and procedure requirement, a major red flag being the common usage of “template policy manuals that contain no evidence of entity-specific review or revision and no evidence of implementation” (their words, not ours). This lack of entity-specific evidence came as a result of organizations not including details like their practice name and HIPAA Compliance Officer (HCO) contact information within each policy document – which are important elements of actually fulfilling this requirement. In addition to providing specific details about your organization itself, another piece of the “customization” requirement is taking into consideration certain state laws that might take precedence over HIPAA. It’s important to ensure that policies covering things like breach reporting and responding to record requests meet the most stringent timeframes and requirements that apply to where your facility is located. So in order to meet this important HIPAA standard, the ball is truly in your court.
As new opponents like legislative changes, technology advancements, and evolving patient needs require adjustments in your organization’s operations, your policies and procedures must reflect these updates accordingly. But having the proper documentation and specific content included isn’t all that’s needed to make the cut. Providing employee training on a continual basis is essential to getting staff members up to speed on how they should be running the plays and ensuring that PHI is being handled correctly within your practice. So when it comes to developing a winning HIPAA strategy, having a comprehensive set of properly documented policies and procedures that are understood and followed by everyone within the organization is the best way to stay in the HIPAA compliance game.
Vaccination Status & HIPAA
May 28, 2021 News reports centered around patient privacy and COVID-19 seem to break on the daily, bringing newfound fame to HIPAA law and even more speculation on what is – and isn’t – covered within its requirements. Most recently, the conversation of vaccinations has been a trending headline with the question of ‘HIPAA violation’ commonly featured. So while there’s still plenty of uncertainty where COVID-19 is concerned, hopefully we can at least shed some light on where HIPAA truly comes into play. When it comes to the commonly asked question of whether HIPAA protects against employers and other businesses requesting vaccination records, the short answer is no. HIPAA law only applies to covered entities, which means that private businesses and citizens are not obligated under the stringent data protection laws and CAN ask about vaccination status. However, patients do have the right to not disclose their own health information and can choose to decline to answer, but based on state-specific laws and company requirements there may be repercussions as a result. Kayte Spector-Bagdady, a lawyer and bioethicist at the University of Michigan, highlights the popular misconception in saying, “People often feel like HIPAA protects them from being asked about their medical information, or prohibits other people from asking about their medical information. Neither is true. HIPAA prohibits health professionals, such as your doctor, from sharing your identified health information without your permission in most circumstances. People can always ask about your health information, and you can almost always decline to answer.”
So where does HIPAA come in?
As we just mentioned, healthcare organizations and their business associates are liable under the federal law, meaning that your practice can NOT disclose vaccination information (or any protected health information for that matter) unless direct patient authorization is granted.
So, say a patient’s employer calls your office to ask about their employee’s vaccination status. Well, because of the standards outlined in the HIPAA Privacy Rule, you cannot disclose any sensitive health information without patient consent, and doing so would result in a HIPAA violation. While vaccination status and test results are the trending topics at the moment, it’s important to note that these stipulations go for any and all types of patients’ health information, not just what’s related to COVID-19. And while the current state of the public health emergency still leaves a lot of unanswered questions – when it comes to your practice’s ability to disclose protected health information (PHI), HIPAA law still applies.
OCR Alert Warns of Postcard Disguised as Official Government Communication
April 28, 2021 You’ve got mail! The Office for Civil Rights (OCR) just issued an alert warning of a potential HIPAA scam hitting your mailbox that you should be on the lookout for. The government was recently made aware that postcards disguised as official OCR communication were being sent to health care organizations, informing recipients that they needed to complete a “Required Security Risk Assessment” and directing that completed assessments be sent to a non-governmental marketing consulting website that has since been taken down. This hand-delivered scare tactic came from a private entity and should NOT be mistaken for an official notification from the OCR or the U.S. Department of Health and Human Services (HHS). In addition to keeping an eye out for these counterfeit postcards, the OCR recommends verifying any and all “government” communications to ensure they’re actually official and alerting all staff members to do the same. They suggest looking for the OCR email address, which will end in @hhs.gov, and recommend asking for a verification email from the OCR investigator’s hhs.gov email address. The OCR also provides the addresses for their HQ and Regional Offices, which can be found at https://www.hhs.gov/ocr/about-us/contact-us/index.html; you should confirm that any communication you receive lists these addresses correctly. This isn’t the first and probably won’t be the last time we receive alerts of these types of HIPAA scams. Back in August of last year, a similar incident occurred where fraudulent postcards labeled on the OCR’s behalf were notifying healthcare organizations to complete a mandatory HIPAA compliance risk assessment and directing them to another marketing consulting service website. So while fake postcards seem to be a common approach, it’s important to be aware of any and all types of HIPAA scams, especially as hackers and other organizations with malicious intent get more and more creative in their efforts.
Though this postcard is by no means an official communication from the government, the mandatory Security Risk Analysis (SRA) at its focus should not be overlooked. So if fulfilling this HIPAA requirement brings more cause for concern than the scam itself, you’re not alone. In fact, the OCR’s latest audit industry report found that only 14% of covered entities and 17% of business associates had a proper SRA in place. So if your practice falls into the large majority of those that aren’t up to these HIPAA standards, this OCR alert should give you even more reason to do so and a software solution like Abyde gives you all the tools and resources needed to get there.
When & Why You Need a Business Associate Agreement
April 20, 2021 We’ve all heard the saying ‘sharing is caring’ but sometimes doing a good deed could actually steer you into some consequences later down the road. Let’s say, for example, you just loaned your car to your best bud whose “quick trip to the store” actually consisted of running red lights and racking up parking tickets. Though you might not have been the one in the driver’s seat – your name will be the one on all of the lovely fines that wind up in your mailbox, not your BFF’s. Now you’re probably wondering where we’re going with all of this. And while cars and protected health information (PHI) might not have a whole lot in common, it goes to show how certain situations in life require additional precautions to minimize the risk of being responsible for another’s wrongful actions. This idea rings especially true when it comes to working with and sharing something as valuable as sensitive health information. HIPAA law provides a pretty specific roadmap for how your practice should be safeguarding PHI and outlines certain standards that if not met – could result in a hefty fine. But with all the government requirements, advancements in technology, and changing patient needs – it’s impossible today to run a practice without the help of third-party vendors. So whether it be an outside medical billing company, IT support, or document shredding company – any vendor that comes into contact with PHI is a business associate (BA) of your practice and requires their own set of directions for proper handling. Just as covered entities have obligations under HIPAA law, so do business associates – with one of the most important being a documented and signed Business Associate Agreement (BAA). A BAA is essentially a written agreement between your organization and the business associate, specifying each party’s responsibilities when accessing and maintaining PHI and it offsets the liability so that your practice can take a backseat if any incidents were to occur. 
As you probably wouldn’t hand over your keys to just anyone without laying down some ground rules first, the same goes for providing access to patients’ sensitive health information. Like most contracts, the terms and conditions in a proper BAA can be pretty lengthy and may vary based on the type of vendor you’re working with, but here are some of the basic HIPAA requirements that should be outlined:
Permitted uses and disclosures of PHI
Specific safeguards that the BA is expected to establish
Breach Notification requirements
Policies and procedures for providing PHI access at your practice’s or patient’s request
Business Associate Training requirements
Guidelines for how PHI should be returned or destroyed upon termination of the BAA
Meeting all the requirements for what should be included in a BAA is just the first stretch of the drive, and something we’re often asked is, “What if one of my vendors refuses to sign?” Given the fact that having a signed BAA with all vendors you work with is a HIPAA requirement, it’s probably a good idea to put the brakes on any working relationship with a vendor who can’t agree to your terms and conditions. Just last year a medical practice found itself the victim of a HIPAA hit and run after filing a breach report stating that their EHR company was blocking access to the practice’s ePHI in exchange for $50,000 to be paid by the practice. While it might seem pretty obvious that the business associate was the driving force of the incident, because there was no BAA in place, the $100,000 in damage fell solely on the provider. A Business Associate Agreement not only lays out the rules of the road for how PHI should be handled but holds the BA directly liable for any non-compliance that happens when they’re behind the wheel.
Having a proper agreement in place with each and every vendor you work with ensures that they’re best protecting your patients’ PHI and means that your practice can steer clear of the hefty HIPAA fines if they don’t.
What is the HIPAA Whistleblower Exception?
April 8, 2021 Acting out a word or phrase in a game of charades is a perfect party activity, but playing a guessing game isn’t as fun when it comes to reporting a work-related incident. Whether you’re taking part in a round of “Guess Who” or just following your practice’s policies and procedures, not everybody will play by the rules – and unfortunately, hackers and those outside your organization with malicious intent aren’t the only ones that pose a potential risk to your patients’ protected health information (PHI). It’s more common than you might think to see the biggest offenders of improper access and disclosure actually come from inside your organization. When and if you uncover an internal incident, knowing how to report the so-called rule-breaker without violating HIPAA yourself can feel like a major game of guesswork. So what happens if you notice Sally Sue making copies of a patient’s health records for non-work-related reasons? Or catch Doctor Dan improperly administering prescriptions to patients? Given how heavily privacy and security protections emphasize proper PHI disclosure, it’s not uncommon to be wary that reporting a HIPAA violation could actually implicate you in a violation yourself. But even if you’re a pro at charades, reporting an incident without giving away the nitty-gritty details to build the case is not easy and certainly not effective. So while HIPAA does establish privacy and security standards that prevent the release of PHI, there is a caveat (if specific criteria are met) for bringing light to malicious activity happening within the practice – a.k.a. the HIPAA Whistleblower Exception.
What are the HIPAA whistleblower exception requirements?
Despite the name, the ‘whistleblower exception’ has nothing to do with whistles and everything to do with protecting staff and patients from facing any backlash if they report unlawful conduct within a practice.
Under the exception, it is not considered a violation of the HIPAA Privacy Rule if a staff member or business associate discloses PHI, as long as they believe in good faith that either:

The exception is a two-part process: after determining whether the incident meets the requirements for what can be reported, the next move is knowing who you can and can't actually make the disclosure to. We recommend first going to your HIPAA Compliance Officer (HCO) for help in handling the situation (as long as they aren't involved in the incident themselves). But the whistleblower exception also provides additional provisions for whom the disclosure can be made to, which include:

The recipient matters as much as the conduct being reported: a disclosure of PHI to anyone outside the recipients the exception permits (a post on social media, for instance) is not covered, and is treated like any other impermissible disclosure. While we'd like to hope that everyone within your organization plays fair and square, in the case that you do catch a coworker snooping through patient files, it's important to know who you can disclose the incident to and that you can include specifics like the patient name and the type of health record that was accessed. So if the requirements are met and followed properly, employees can safely report non-compliant behavior without fearing that a HIPAA violation or termination letter will follow. Wondering whether you can take action to protect patients' privacy and security should never be a guessing game, and thanks to the provisions outlined in the HIPAA whistleblower exception, the cards are stacked in your favor.
HIPAA vs Online Reviews: A Primetime Matchup
March 18, 2021 Let's face it, social media and the internet tend to call the plays when it comes to our decision-making. Whether you're shopping for a new car or just deciding between tacos or pizza for dinner, seeing a one-star review pop up under your Google search is a total red flag. So, when 95% of patients say that online reviews are reliable and over 70% say that reviews influence their choice of physician, being on the receiving end of a bad review can feel like a total cheap shot. There's really no such thing as pleasing everyone, and as a practice owner, having to deal with some unhappy patients just comes with the territory. Even all-stars get the occasional "boo" from the crowd, and seeing a patient post "100% would NOT recommend!!" about your practice can be a hard hit to recover from. As much as we all want to come to our own defense, choosing to fight back does a lot more damage than just taking the 'L' in the online face-off with a patient. Just take it from the dental practice that was slammed with a $10,000 fine for including sensitive patient information in its response to a Yelp review.

You might be thinking: if someone submits a review about my practice, aren't they already admitting that they're a patient? Though you aren't totally wrong, HIPAA law is in place to protect patients' privacy, and a patient submitting a review is NOT authorization for you to release their sensitive information when responding. Even confirming that the reviewer is a patient, or referring to the date or details of their visit, is itself a disclosure of PHI on your part; the patient can say whatever they like about their own care, but you can't. So, while there might not be a winning playbook for how to keep your patients happy, there are some guidelines for how to best handle online reviews:

Since there's no one-size-fits-all response for any and every online review, your practice may receive some feedback that seems a bit out of left field, and knowing how to handle it might be tricky.
So to give you some sideline practice, let's pretend you just received this negative review:

"I had to wait over an hour to be seen and the doctor was rude and rushed through my appointment. Overall it was a terrible experience and I will not be back." – Negative Nancy

A bad response for your practice would be:

"We're sorry you had a bad experience during your appointment, however, our records show that you were late to your appointment which therefore caused a delay in your wait time."

A HIPAA-compliant response would be:

"Our practice's scheduling policy allows for adequate time with the doctor in order to keep our appointments running on time. However, due to emergency situations, it is possible for us to run behind schedule occasionally. We appreciate your feedback and are committed to providing the best patient care; you're always welcome to contact our office if you would like to discuss further."

It's pretty easy to see why response #1 would probably end up on SportsCenter's Not Top 10 Plays of the Week: it confirms publicly that the reviewer is a patient and pulls details straight out of her record ("our records show that you were late") into a public forum. Response #2 speaks only about the practice's general policies and never acknowledges the reviewer as a patient, which is what keeps it on the right side of HIPAA. Unfortunately, we are seeing more and more real-life examples of practice comments similar to the first one. With patient complaint numbers on the rise and proposed regulation updates centered around improving patient rights, the Office for Civil Rights (OCR) has made it clear that it'll be bringing its "A" game on HIPAA enforcement. Online reviews (both good and bad) should be handled with extreme care, not only to protect your practice's reputation amongst prospective patients but also to avoid any flags thrown by the OCR. So, while we hope that you won't have to go head-to-head with a one-star Google review anytime soon, following HIPAA best practices when and if you do will be the ultimate game-changer.