HIPAA

Dental HIPAA Fines
Best Practices, HIPAA

Brushing & Flossing Are Important to Your Practice, Too

January 19, 2023 Comments Off on Brushing & Flossing Are Important to Your Practice, Too

January 19, 2023 You know the drill, no pun intended. The hygienist finishes a cleaning and hands the patient their goody bag full of all the fun things, including a toothbrush and dental floss. While this has become the norm for the practice and the patient, there is a good reason for it. Hygienists are taught to preach good oral hygiene, and it’s no secret that most patients that brush and floss regularly will experience better oral health and require less invasive treatment down the road.  But what about those patients who don’t follow the advice or over time fall out of best practice? Yes, we’re looking at you, guy who only flosses the night before their appointment. The patient is typically aware of their intermittent compliance but since they are asymptomatic, they continue hoping for the best and vow to do better after the next cleaning. Then as it usually does, life happens and they cancel their next cleaning. And with the best of intentions, they plan to reschedule but keep forgetting. Disease begins to take hold. If the patient is fortunate, they return to the office before the issue is too serious and it can be resolved with a relatively simple treatment plan. Those less fortunate may require more involved and expensive procedures. So you’re probably wondering by now, how does any of this tie back to Abyde, a healthcare software company? Well, we’ve brought in one of our Abyde Ambassadors to tie it all together.  Michael Wilgus shares his experience from the last 20 years in the industry. “Ironically, I have seen a similar scenario in hundreds of practices regarding HIPAA and OSHA compliance. A practice starts out with positive intent and implements what they believe is a strong and complete compliance program. Things get busy, there is turnover, and compliance gets pushed to the back burner. When violations or inspections occur (because they are not an if situation), they are usually due to a knowledge gap or are accidental, and may even be asymptomatic to the practice owner.”  With HIPAA, if an event is reported, the Office of Civil Rights (OCR) may choose to implement a corrective action plan (think treatment plan) for the practice. That plan can be expensive, time-consuming, and involve an OCR specialist monitoring your progress regularly for an extended period. The U.S. Department of Labor isn’t missing out on the fun either. They are actively ramping up their OSHA program by hiring more investigators and estimate their budget to increase by 14.7%, going from $612 Million in the fiscal year 2022 to $701 million in 2023. The average penalty levied on a dental practice in 2022 for a HIPAA violation was measured in the tens of thousands of dollars; one estimate shows it to be approximately $45,000. Sacrificing the net revenue from months’ worth of crowns is something most practices cannot afford. When it comes to OSHA, the punch-to-the-gut penalties are nothing to chuckle at. And let’s not forget the recent increase in these dollar amounts. Achieving and maintaining compliance when using services from Abyde takes less time than a patient should spend brushing and flossing, and if we can humble brag for a minute – we make it easy and fun! Brushing and flossing are not only good for your patients but are also good for your practice. Ready to get your practice’s compliance hygiene up to par?

January 2023 HIPAA Fine
Fines, HIPAA

With the first settlement announcement of 2023, OCR selects…

January 4, 2023 Comments Off on With the first settlement announcement of 2023, OCR selects…

January 4, 2023 We didn’t even make it through the first week of the new year before we saw the first settlement announcement. Yesterday, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announced a settlement with a Georgia full-service diagnostic lab. The potential violation marks the 43rd associated with the HIPAA Right of Access Initiative to date. This is now the third Right of Access settlement we have seen in the last month.  The initial complaint was first filed back in August of 2021 when a personal representative was unable to obtain a copy of her deceased father’s medical records. While the lab finally complied in February of 2022, it took seven months for the requester to receive the records. The HIPAA right of access provision requires that patients be able to access their health information in a timely manner, typically within 30 days.  The lab has agreed to pay $16,500 and implement a corrective action plan to resolve this investigation. The corrective action plan includes two years of OCR monitoring. OCR Director, Melanie Fontes Rainer, shared her thoughts, “Access to medical records, including lab results, empowers patients to better manage their health, communicate with their treatment teams, and adhere to their treatment plans. The HIPAA Privacy Rule gives individuals and personal representatives a right to timely access their medical records from all covered entities, including laboratories.” While we all have the same goal in common – to provide the best experience for our customers and patients – that doesn’t always equate to direct care. Ensuring that their needs and requests are met is essential to the overall experience. From the first time they Google you all the way to a request for records, you are making an impression. And whether it’s the first impression or the last, don’t you want it to be a good one?

New Year HIPAA Compliance
Best Practices, HIPAA

NEW YEAR’S RESOLUTION: BE COMPLIANT

December 22, 2022 Comments Off on NEW YEAR’S RESOLUTION: BE COMPLIANT

December 22, 2022 The end of the year is right around the corner and while you’re enjoying the festivities with friends and family (we love a good holiday tradition!), you might already be thinking about New Year’s resolutions. And if you are, props to you for not being a procrastinator. We bet your goals for the year may include eating healthier and learning a new skill, but what about getting compliant? Ensuring your organization is HIPAA and OSHA compliant should be a top priority for every practice – and it’s an easy goal to check off your list! Here are some quick tips to help you start the new year off on the right foot:  Complete your annual Security Risk Analysis and Facility Risk Assessment  This should be your top priority as it is the first piece of documentation you will be asked for in the case of a HIPAA audit or OSHA investigation. The SRA sets a baseline for your organization by assessing all physical, technical, and administrative areas of risk and determining where your HIPAA program stands. Much like the SRA, the FRA is an assessment of your facility’s environment that will help to identify, minimize, and eliminate hazards in the workplace. Keep in mind that both the SRA and FRA must be documented and must be more than a generic checklist. They should provide you with actionable information and insights into all risks and hazards within your organization. Complete annual HIPAA and OSHA training All staff members including doctors and part-time employees must complete annual training. A best practice is to conduct training in a modular type format with a quiz at the end so you have documentation to prove that training has been completed. When it comes to OSHA training, each facility is different so you must incorporate site-specific training in order to address any site-specific hazards.  Update all Policies, Procedures, Programs, and Forms  This is a big one! Without proper documentation that accurately reflects all procedures within your organization, you are not considered to be compliant! If you have been using some templates you found online or have a dusty manual sitting on a shelf, this is your sign to trash it and update your policies to be practice-specific. Don’t forget to implement a plan to routinely review all policies with staff members so they are up-to-date with the latest information as well.  Get signed Business Associate Agreements  In order to be HIPAA compliant, run an inventory list of all vendors you work with that have access to Protected Health Information (PHI). Some examples would include your IT vendor, EHR/PM system, and encryption provider. Once you have gathered all vendor information, double-check that you have a signed Business Associate Agreement with them. If you do, great! If not, be sure to reach out to them right away. If you don’t have a BAA in place with every vendor then you run the risk of getting slapped with your own HIPAA fine if a breach occurs.  Update your Safety Data Sheets  When it comes to OSHA compliance, Safety Data Sheets are essential for tracking and managing any hazardous chemicals in the workplace. Make sure you have a Safety Data Sheet for any chemical which is known to be present in the workplace, in such a manner that employees may be exposed to it under normal conditions of use or in a foreseeable emergency. The big takeaway here – these MUST be readily accessible to all employees. If you do not have a safety data sheet for a particular chemical, you should contact the manufacturer to obtain one. And that’s it! If you follow these steps, there’s no doubt you will be in great shape when it comes to compliance. Still have questions or need help implementing a compliance program for your practice? Contact the experts (hey, that’s us!) at 800.594.0883 for all of your compliance goal-setting needs! While we might not be giving up Chick-fil-a, enrolling in a new gym, or even improving our culinary skills, our resolution always remains the same – make compliance the easiest part of running your practice.

Fines, HIPAA

A costly race against the clock

December 16, 2022 Comments Off on A costly race against the clock

December 16, 2022 On Thursday, the HHS Office for Civil Rights announced a settlement with a Florida primary care practice over a violation of the HIPAA Privacy Rule’s right of access provision. This marks the 42nd case under the Right of Access Initiative to date and the second settlement this week.  All the way back in mid-2019, a daughter, serving as personal representative, was attempting to retrieve her deceased father’s records. After multiple attempts, the practice failed to provide timely access. HIPAA’s right of access standard requires a covered entity to take action on an access request within 30 days of receipt. The practice exceeded that allotted time; the daughter received all requested records nearly five months after the initial request.  OCR Director, Melanie Fontes Rainer, stated, “The right of patients to access their health information is one of the cornerstones of HIPAA, and one that OCR takes seriously.”  The FL primary care practice has since paid its $20,000 fine to the OCR and is working to implement a Corrective Action Plan. The plan will be closely monitored over the next two years and includes updating, distributing, and training on all applicable policies and procedures.  In the age of immediacy, there is no exception when it comes to patient record requests. When a patient requests access to their records, prioritize their request. You have 30 days to take action or you could face not only an OCR investigation but a big fine – one we bet is not worth rearranging your priorities to put the patient first.

Corrective Action Plan Fine
Fines, HIPAA

Fool me once, shame on you… Fool me twice, here’s a Corrective Action Plan

December 16, 2022 Comments Off on Fool me once, shame on you… Fool me twice, here’s a Corrective Action Plan

December 16, 2022 On Wednesday, the HHS Office for Civil Rights announced a settlement with a California dental practice over impermissible disclosure of patient-protected health information (PHI). The practice faces potential violations of the HIPAA Privacy Rule by inappropriate use of social media to respond to patient reviews and disclosing protected health information.  OCR Director, Melanie Fontes Rainer, stated, “This latest enforcement action demonstrates the importance of following the law even when you are using social media. Providers cannot disclose protected health information of their patients when responding to negative online reviews.”  The practice faces a lofty fine of $23,000 and a Corrective Action Plan that will be monitored by the OCR for the next two years. Within the CAP, the practice is responsible for updating and maintaining all policies and procedures to comply with the Federal standards that govern the privacy and security of individually identifiable health information. Additionally, all members of the staff must receive training within 30 days of the updated policies and procedures to comply with the Privacy Rule within 30 calendar days of the implementation of the policies and procedures.  This is the second offense for the same office in the last 5 years. In November 2017, the OCR received a complaint regarding impermissibly disclosed PHI in online review responses. The protected health information included patient names, treatment, and insurance information. Through the investigation, the OCR found other violations including failure to provide an adequate Notice of Privacy Practices and implement Privacy policies and procedures.  As a word of advice from your HIPAA and compliance experts, review all PHI and Privacy Rule policies and procedures with any members of your staff that handle online reviews and social media responses. And while you’re at it, for those of you who may use a third party to handle reputation management, check those Business Associate Agreements, and remind them of our best practices.

Easy way to understand ePHI
Cybersecurity, HIPAA

Toothpaste, Baseball, and ePHI

December 2, 2022 Comments Off on Toothpaste, Baseball, and ePHI

December 2, 2022 Covered entities and business associates, like healthcare providers, that use online tracking technology should be aware of their ePHI management to HIPAA standards  OCR Recently Released a Bulletin Outlining the Proper Use of Tracking Tech in Accordance with HIPAA Compliance Have you ever talked about being out of toothpaste at work, and then when you get home there’s an ad for Colgate on your tablet as you decide what to order for dinner? It’s creepy, but it’s efficient. You’ve been targeted and the Colgate marketing department is doing its job. In this example, the transmission of your tracked demographics and shopping habits is not as sensitive as the transmission of your patient’s data.  Yesterday, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services issued a bulletin regarding the correlation between sharing electronic protected health information (ePHI) and online tracking technology. While we aren’t experts in targeted advertising, we are HIPAA experts. There are rules that apply to regulated entities, like you, when collecting information through tracking technologies or disclosing ePHI to vendors you may be working with. The OCR put it plainly, “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA rules.”  Do you know if your PHI is being captured through online tracking? Are you monitoring what patient data is being shared with third-party vendors? Even more important, do you use Google Analytics or Meta Pixel – if so, you might want to listen up. Whether you set this tracking up yourself or a third-party agency did, without permissible disclosures from your patients, if their ePHI is shared through the tracking technology, you are putting your practice and patients at risk.  Let’s head around the bases to make sure you’re covering your bases.  Nice base hit – you made it to first. The first thing you can do is ensure you have Business Associate Agreements (BAA) in place with all third-party vendors, especially those who create, maintain, or receive ePHI. While you’re cross-checking if your vendors meet the definition of a business associate, make sure your agreements denote the permitted use case for ePHI.  And the crowd goes wild – way to steal second. Before you think well I’ll just ask the vendor to delete any protected data before they use or save it, that’s not going to cut it. Per the OCR, “Any disclosure of PHI to the vendor without individuals’ authorizations…requires that there is an applicable Privacy Rule permission for disclosure.” Through the Privacy Rule, patients are empowered to have more control over their health information to access and make any changes as needed and boundaries are set on the use and release of health records, including the minimum necessary standard for information disclosures.  A bunt from your teammate gets you over to third – nice work! Before we round out to home, ask yourself if the risk is worth the reward. And if you’re still unsure, check in with your Security Risk Analysis and scorecard – another benefit to Abyde’s ongoing compliance. We work with you to identify the potential risk and exposure associated.  As we make our way to home base, we will summarize with this: if ePHI is involved in any of the data the tracking technology is sharing, HIPAA rules need to be followed. Here are the final words from the OCR, “all disclosures of PHI to tracking technology vendors are specifically permitted by the Privacy Rule and that, unless an exception applies, only the minimum necessary PHI to achieve the intended purpose is disclosed.”

HIPAA Internal Communication Dos and Don’ts
Best Practices, Cybersecurity, HIPAA

Internal Communication Dos and Don’ts

October 6, 2022 Comments Off on Internal Communication Dos and Don’ts

October 6, 2022 Have you ever accidentally sent a text to the wrong person? Most of us have and it likely made your heart skip a beat! Now, imagine sending a text and thousands of patients’ health information gets leaked. Talk about a gut-wrenching moment! Speaking of leaks, did you know that over 1.14 million people have been impacted by a protected health information (PHI) breach just last month alone? The leaked data includes names, social security numbers, phone numbers, email addresses, and more. That’s 7% higher than last September!  Internal communications are an efficient means of sharing and exchanging information within the practice. Employees communicate internally through channels like SMS, email, phone calls, and other means through the use of a third-party platform like Slack, Microsoft Teams, Zoom, and Cisco Webex. And while oftentimes we like the thought of quick and easy, it’s crucial to take that extra minute or two and double check that you are using a secure provider for all internal communication.  First things first, if you haven’t already done so, take this as your sign to reach out to your communications provider and ask if they are HIPAA compliant. Many times, companies will have this information available on their website as well. Keep in mind that some providers, like Google and Microsoft, offer HIPAA compliant services in an upgraded package. If you are not using a secure platform, or you are unsure, then you should not be discussing ANY patient information through that method of communication (yes, that includes names!). If you are using a secure, HIPAA compliant provider or application for internal communication, great! The next very important step is to double check that you have a signed Business Associate Agreement.  You may also be wondering about SMS/ text messaging within your organization. Staff members should not be texting each other with information related to patients, even if it is related to scheduling. Keep all work-related communication through your secure provider or application.  Quick reminder! Just because you are communicating internally through a secure provider does not in fact mean you are compliant. You’ll also need to implement security policies and procedures in order to follow best practices. These policies and procedures should include:  It is highly recommended that you consult with your IT professional for best practices on securing all applications in your practice.  Lastly, It’s important to remember that HIPAA is not a barrier law and, in fact, is intended to help you share protected health information securely and efficiently. Being efficient within your practice can help the overall health of your patients and your organization. Having these best practices in place will help you and your team avoid the anxiety of sharing something that shouldn’t be shared.

Dental Patient Right of Access
Audits, Fines, HIPAA

OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA

September 21, 2022 Comments Off on OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA

September 21, 2022 Boom! Pow! Bang! Three dental practices were sacked yesterday, resulting in nasty bruises and a loss of yards on the play. After heading into the locker room and studying some film, they recognized there were some lessons to be learned in the OCR’s HIPAA Right of Access playbook. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the completion of three investigations in its Health Insurance Portability and Accountability Act (HIPAA) Right of Access Initiative. The OCR’s HIPAA Right of Access Initiative started in 2019 to ensure patients receive their records in a timely and costly manner. With three actions in one day and a total of 20 just this year, we are seeing a 42% increase year over year in the enforcement of the Privacy Rule. The OCR’s effort has now raised the total to 41 Right of Access actions across the span of 3 years, setting a strong example for practices across the country on the importance of maintaining compliance. OCR Director, Melanie Fontes Rainer, states, “Patients have a fundamental right under HIPAA to receive their requested medical records, in most cases, within 30 days. I hope that these actions send the message of compliance so that patients do not have to file a complaint with OCR to have their medical records requests fulfilled.” Here is an instant replay of when three dental practices crossed the line of scrimmage:  The first dental practice had a delay of game penalty after failing to provide timely access to their former patient’s records. The former patient didn’t receive a complete copy of their records until October 2020, five months after they filed a complaint back in May 2020. This resulted in a $30,000 settlement and the implementation of a Corrective Action Plan. The second dental practice got a 15-yard penalty for not providing a patient with a copy of her records in a timely or costly manner. The practice refused to provide the records because the patient wouldn’t pay the $170 copying fee. That’s not a fair catch! After the OCR got involved, the dental practice had to cough up $80,000 in settlement and adopt a Corrective Action Plan. Maybe they should’ve read the HIPAA Rule book! The starting running back fumbled the ball when this practice failed to provide a mother and her son with copies of their PHI until after the play clock hit zero. After multiple requests and eight months of waiting, she finally got the medical records in her hands. The dental practice had to fork over $25,000 and implement a Corrective Action Plan. After watching the game footage, there is a clear solution here! Make sure your practice provides patients with timely and costly access to their medical records. Six dental practices have been sacked so far in 2022, which means we have already witnessed a 600% increase solely in the dental space compared to the 2021 season. That is not a statistic you can ignore! You could be next, so we encourage you to make sure you have the right compliance measures in place to avoid these large fines. Is your game plan ready?

2022 New Office for Civil Rights Director
HIPAA, Legislation

The Department of Health and Human Services Appoints Melanie Fontes Rainer as the New Office for Civil Rights Director

September 19, 2022 Comments Off on The Department of Health and Human Services Appoints Melanie Fontes Rainer as the New Office for Civil Rights Director

September 19, 2022 Did you check the news??? There’s a new sheriff in town and her name is Melanie Fontes Rainer! Recently announced, the Department of Health and Human Services (HHS) has appointed former Acting Director, Melanie Fontes Rainer, as the new Director of the Office for Civil Rights (OCR). Fontes Rainer has extensive experience in her career, serving as an Acting Director for the OCR and before that Counselor to Secretary Becerra.  Secretary Becerra stated, “Melanie has devoted her entire professional career to public service and has worked tirelessly to ensure that health care is accessible, affordable, and available to all, no matter where you live or who you are.” Fontes Rainer brings over 10 years of experience in civil rights, healthcare policy, and patient privacy. She was also involved in the 21st Century Cures Act, the Affordable Care Act, and the No Suprise Act. Fontes Rainer took part in ground-breaking settlements and created the first office that focused on health care rights and access in California. Melanie’s background, combined with her passion, will prepare her for the challenges she will face in her new role as OCR Director.  It is important to take into account that after Lisa J. Pino, former OCR Director, was appointed last year, we saw a surge in enforcement cases right away. Only a few months into Pino’s appointment as director, the OCR announced five Right of Access settlements in one day. This year we have already seen 17 including a record-breaking day with 11 settlements announced in just one day alone. With settlements totaling $1,992,140 already in 2022, the OCR clearly isn’t done yet. As we can see, between HIPAA violations, cybersecurity issues, and personal information privacy, practices continue to face challenges this year. But we can also see that Fontes Rainer is here to help, bringing years of expertise and fiery passion to the table. She enforces healthcare regulations, promotes healthy practice operations, and protects patient health information across the country. With years of dedication to civil rights and medical privacy, we can definitely expect to see a lot of settlements surfacing with Fontes Rainer in town.  

OCR Settles Case Concerning Improper Disposal of Protected Health Information
Fines, HIPAA

OCR Settles Case Concerning Improper Disposal of Protected Health Information

August 24, 2022 Comments Off on OCR Settles Case Concerning Improper Disposal of Protected Health Information

August 24, 2022 When it’s time to clean out and organize that ole garage, you probably want to take time to make sure all your sensitive and sentimental items – files, photographs, etc. – are in the right spot before taking them to the dump. It should be no different when it comes to disposing of old devices or hard drives at the office that contain sensitive ePHI, yet practices continue to fail. In recent news, the OCR announced a settlement for a dermatology practice located in Massachusetts that failed to properly dispose of protected health information. As a result, the dermatology practice agreed to pay the hefty fine of $300,640 to the OCR and implement a Corrective Action Plan to resolve the investigation. It may be obvious that paper records require proper disposal – in most cases, shredding or recycling – so that the information cannot be read by the wrong parties. Despite this being common practice,  the Massachusetts dermatology practice had PHI that was exposed. Improper disposal is even more common when it comes to disposing of electronic protected health information (ePHI) properly. It is critical that your practice understands how and where to dispose of PHI. But what exactly constitutes proper digital data disposal? Disposing of your PHI is not as simple as clicking the delete or trash button. If you do not completely delete these files from your devices, they can be recovered using high-tech software. The following are some thorough methods for properly disposing of PHI: There are lots of devices that could have been used to store PHI even though you would never realize they do. These devices include: Before you burn those electronic devices in a campfire, remember that HIPAA requires practices to keep PHI for at least 6 years, and maybe longer depending on your state. Devices containing data that is older than six years should be backed up before being wiped clean, and data should be encrypted while being kept. At the end of the day, whether it is boxes of important documents in your garage at home or PHI at your very own practice, it is critical to dispose of it properly and safely.

Are you prepared for OSHA's Workplace Violence Prevention requirements? Learn what you need to do to be compliant.

DOWNLOAD CHECKLIST
X