HIPAA

HIPAA Culture of Compliance
Best Practices, HIPAA

A Culture of Compliance – Your Get Out of Jail Free Card

April 18, 2023 Comments Off on A Culture of Compliance – Your Get Out of Jail Free Card

April 18, 2023 Everyone wishes for the “Get Out of Jail Free” card in the game of Monopoly, so you can sell it and make money or free yourself from the slammer and continue your quest for wealth. But don’t you wish you had a card like this in real life so you could avoid paying a late fee, get out of an awkward situation, or get out of a speeding ticket? Imagine handing a police officer the card with your license and registration, I bet you would get a good chuckle! When it comes to healthcare compliance, demonstrating “good faith” could provide you with that much-needed “Get Out of Jail Free” card if you are investigated, audited, or are facing a violation. “Good faith” generally means that you have made a sincere and honest effort to comply with applicable laws, regulations, or standards pertaining to HIPAA and OSHA. So what do regulators look for when determining whether or not a practice has demonstrated “good faith”? First, you have implemented policies and procedures to include applicable forms or required logs. Next, staff has been trained in accordance with HIPAA and OSHA timeframes and requirements. And most importantly, whether or not you have completed a HIPAA Security Risk Analysis and OSHA Facility Risk Assessment that have identified risks, hazards, and mitigation efforts. While regulators may consider other factors, implementing a documented compliance program suggests you are committed to compliance and taking reasonable steps to protect your patients’ PHI and provide a safe and healthy workplace for staff. It is important to keep in mind “good faith” does not guarantee immunity from regulators. Every situation will have different mitigating factors, such as malicious intent or an identified hazard that went unmitigated. While you may be promoting a culture of compliance, ignoring the blatantly obvious could lead to you losing that “Get Out of Jail Free” card. Okay, how can you win at the HIPAA and OSHA compliance game? While it may be difficult to achieve compliance perfection, having a documented culture of compliance and, even more importantly, not letting your compliance program lapse will be key. These moves will show your “good faith” effort towards safeguarding patient information and employee safety and might even earn you the jackpot or a luxury Dark Blue property (IYKYK).

OCR HIPAA Telehealth COVID-19 Transition
HIPAA, Legislation

OCR Announces Transition Period for Compliance with HIPAA Rules for Telehealth

April 12, 2023 Comments Off on OCR Announces Transition Period for Compliance with HIPAA Rules for Telehealth

April 12, 2023 As of May 12, 2023, a 90-calendar day transition period will be in effect to provide covered healthcare providers with time to come into compliance with the HIPAA Rules in relation to their provision of telehealth. The transition period will expire on August 9, 2023, at 11:59 p.m. During this period, the OCR will continue to exercise its enforcement discretion. It will not impose penalties on covered healthcare providers for noncompliance with the HIPAA Rules that occur in connection with the good faith provision of telehealth. The Notice of Expiration of Certain Notifications of Enforcement Discretion Issued in Response to the COVID-19 Nationwide Public Health Emergency is available at: https://public-inspection.federalregister.gov/2023-07824.pdf – PDF. This notice marks the end of the enforcement discretion period that was put in place by the OCR to support the healthcare sector and the public in responding to the COVID-19 public health emergency. OCR Director Melanie Fontes Rainer has emphasized that the OCR is committed to supporting the use of telehealth by ensuring that healthcare providers can make the necessary changes to their operations privately and securely in compliance with HIPAA Rules. In addition to announcing the transition period, it’s worth noting that the OCR had previously issued four Notifications of Enforcement Discretion in the Federal Register regarding how the HIPAA Rules would be applied to certain violations during the COVID-19 nationwide public health emergency. These notifications and their effective beginning and end dates are: It’s important to note that these notifications will also expire at 11:59 pm on May 11, 2023, due to the expiration of the COVID-19 public health emergency. The OCR will no longer exercise enforcement discretion for violations that occur after this date, which is why the transition period has been put in place to allow covered healthcare providers to make any necessary changes to their operations to ensure they comply with HIPAA Rules when providing telehealth services. Questions regarding HIPAA and OSHA Compliance, please email Abyde at info@abyde.com or call (800) 594-0883  

HHS Announces New Divisions Within the OCR
HIPAA, Legislation

HHS Announces New Divisions Within the OCR

March 14, 2023 Comments Off on HHS Announces New Divisions Within the OCR

March 14, 2023 EXTRA EXTRA READ ALL ABOUT IT!! The U.S. Department of Health and Human Services, through the Office for Civil Rights (OCR), announced the formation of a new Enforcement Division, Policy Division, and Strategic Planning Division. Why isn’t this front-page news? And why did the HHS need to form three new divisions? “OCR’s caseload has multiplied in recent years, increasing to over 51,000 complaints in 2022– an increase of 69 percent between 2017 and 2022,” said OCR Director Melanie Fontes Rainer. “…reorganization improves OCR’s ability to effectively respond to complaints, puts OCR in line with its peers’ structure, and moves OCR into the future.” The OCR will now reflect the structure set by the U.S. Department of Education’s Office for Civil Rights. The Strategic Planning Division will not only work to coordinate public outreach to protect civil rights and health information privacy. They will also expand data analytics and coordinate data collection across HHS leadership. With the OCR being proactive and educating the public on their rights, now would be the time to make sure you are being proactive with HIPAA. What is something to make sure you are staying compliant and one step ahead of the OCR?  How about your Security Risk Analysis or the “Crown Jewel” of the OCR as we like to call it. It’s the first thing the OCR asks for when they come knockin’. So why not beat them to the punch? You’ll identify and assess potential threats and vulnerabilities to protected health information (PHI), as well as evaluate the effectiveness of the organization’s security measures and policies. A HIPAA Security Risk Analysis is an ongoing process that must be regularly reviewed and updated to ensure that the organization remains in compliance. Guess what, here at Abyde we automate the entire process for you.  Extra, extra, HIPAA violations can result in severe consequences, including fines, legal action, and damage to a healthcare organization’s reputation. Therefore, it is critical for healthcare providers and organizations to prioritize HIPAA compliance and regularly review and update their policies and procedures to ensure they are in line with the latest regulations.

2023 OCR Annual HIPAA Reports
HIPAA

OCR Releases Annual HIPAA Compliance Reports

February 24, 2023 Comments Off on OCR Releases Annual HIPAA Compliance Reports

February 24, 2023 Believe it or not, the Office for Civil Rights kicked off NBA All-Star Weekend with their very own showcase of HIPAA enforcement’s latest and greatest. Last Friday the government released not one but two annual reports starring key HIPAA enforcement activities from 2021. While you probably won’t be seeing these reports featured on the next SportsCenter Top 10, the insights that they provide into recent healthcare data breaches and HIPAA noncompliance cases are certainly worthy of a highlight reel. So to give your practice some helpful pointers on how your compliance efforts should be focused, let’s break down the most important stats from each report:  OCR’s 2021 Report to Congress on HIPAA Privacy, Security and Breach Notification Rule Compliance   The biggest takeaway? Between 2017 and 2021, the OCR has seen a 39% increase in the number of HIPAA complaints received and in turn, has initiated 44% more compliance reviews. Meaning that not only are your patients paying more attention to non-compliance, but the government is too.  OCR’s 2021 Report to Congress on Breaches of Unsecured Protected Health Information  Now, what does all this data really mean? OCR Director, Melanie Fontes Rainer, made the intentions of these reports clear in her statement saying, “We will continue to provide guidance and technical assistance on compliance with the HIPAA Rules, as well as a vigorous enforcement program to address potential HIPAA violations.” Meaning that not only do each of those statistics provide eye-opening insight into what’s going on in the healthcare industry, but they help identify exactly what areas of compliance are too commonly overlooked. And when it comes to ensuring your practice has an all-star compliance line-up, here’s what the OCR identified as the top areas for needing improvement: So knowing what common compliance gaps exist and what a winning HIPAA program looks like, the ball is in your court. You wouldn’t put a rookie up against LeBron, and the findings from these reports are perfect examples of why you can’t go head-to-head with an evolving healthcare industry without having both compliance AND cybersecurity on your team.  

Arizona Cybersecurity HIPAA Fine
Cybersecurity, Fines, HIPAA

Big Fish, Big Fine

February 3, 2023 Comments Off on Big Fish, Big Fine

February 3, 2023 A hacker dropped a line and an Arizona-based nonprofit health system got baited, hook line and sinker. Yesterday, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights announced a settlement resolving a data breach. The breach, executed by a “threat actor”, disclosed the protected health information of 2.1 million consumers. Ouch!  Outlined by the HHS, the HIPAA violations include: The investigation began back in 2016 after OCR received a receipt of a breach report. The hacker was able to access PHI such as patient names, physician names, dates of birth, addresses, Social Security numbers, clinical details, dates of service, claims information, lab results, medication, diagnoses and conditions, and health insurance information.  As part of the settlement, the hospital paid $1,250,000 to OCR and agreed to a Corrective Action Plan. The plan highlights efforts to resolve their violations against the HIPAA Security Rule.  Before you catch yourself becoming a victim of “here fishy fishy”, make sure all your ducks – or should we say fish – are in a row. As we continue to see the relevance and impact of cybersecurity incidents increase, you should be more alert and secure than ever. And if you’re thinking, well that was a hospital – that could never happen to me, be careful what your next Go Fish card is. Whether you’re a big fish in a little pond or a little fish in a big pond, hackers are targeting healthcare. This particular hospital is facing extensive hours of work to complete its Corrective Action Plan which includes conducting a risk analysis, developing a risk management plan, implementing and distributing policies and procedures, and regular follow-up with the HHS. Conveniently, these are all things Abyde can help with. Reach out today to find out how we can save you over 80 hours a year and a time-consuming Corrective Action Plan down the road.

Best Practices, HIPAA

Outsourced Doesn’t Mean Overlooked

January 26, 2023 Comments Off on Outsourced Doesn’t Mean Overlooked

January 26, 2023 We get it. The hiring market is tough out there right now and when your main goal is providing the best experience for your patients, you will do whatever it takes to build a strong team. But before you go sailing the high seas to find your next hire, you might want to make sure they’re paddling in the same direction.  Are you considering outsourcing job roles to agencies that employ individuals in other countries? A company’s location and where its employees are located doesn’t necessarily mean they are or are not HIPAA compliant. As a practice, you are responsible for checking the company’s policies and procedures of any company you hire to ensure that they comply with all relevant regulations. If an organization outsources any function that involves access to PHI, it must have a written contract with the Business Associate. Here are some questions we recommend asking prior to working with an outsourced company: Let’s make sure all eyes are on the same prize – HIPAA compliance. Still not sure if you’re asking the right questions? Give us a buzz and we will walk you through the most important processes and policies to follow.

Dental HIPAA Fines
Best Practices, HIPAA

Brushing & Flossing Are Important to Your Practice, Too

January 19, 2023 Comments Off on Brushing & Flossing Are Important to Your Practice, Too

January 19, 2023 You know the drill, no pun intended. The hygienist finishes a cleaning and hands the patient their goody bag full of all the fun things, including a toothbrush and dental floss. While this has become the norm for the practice and the patient, there is a good reason for it. Hygienists are taught to preach good oral hygiene, and it’s no secret that most patients that brush and floss regularly will experience better oral health and require less invasive treatment down the road.  But what about those patients who don’t follow the advice or over time fall out of best practice? Yes, we’re looking at you, guy who only flosses the night before their appointment. The patient is typically aware of their intermittent compliance but since they are asymptomatic, they continue hoping for the best and vow to do better after the next cleaning. Then as it usually does, life happens and they cancel their next cleaning. And with the best of intentions, they plan to reschedule but keep forgetting. Disease begins to take hold. If the patient is fortunate, they return to the office before the issue is too serious and it can be resolved with a relatively simple treatment plan. Those less fortunate may require more involved and expensive procedures. So you’re probably wondering by now, how does any of this tie back to Abyde, a healthcare software company? Well, we’ve brought in one of our Abyde Ambassadors to tie it all together.  Michael Wilgus shares his experience from the last 20 years in the industry. “Ironically, I have seen a similar scenario in hundreds of practices regarding HIPAA and OSHA compliance. A practice starts out with positive intent and implements what they believe is a strong and complete compliance program. Things get busy, there is turnover, and compliance gets pushed to the back burner. When violations or inspections occur (because they are not an if situation), they are usually due to a knowledge gap or are accidental, and may even be asymptomatic to the practice owner.”  With HIPAA, if an event is reported, the Office of Civil Rights (OCR) may choose to implement a corrective action plan (think treatment plan) for the practice. That plan can be expensive, time-consuming, and involve an OCR specialist monitoring your progress regularly for an extended period. The U.S. Department of Labor isn’t missing out on the fun either. They are actively ramping up their OSHA program by hiring more investigators and estimate their budget to increase by 14.7%, going from $612 Million in the fiscal year 2022 to $701 million in 2023. The average penalty levied on a dental practice in 2022 for a HIPAA violation was measured in the tens of thousands of dollars; one estimate shows it to be approximately $45,000. Sacrificing the net revenue from months’ worth of crowns is something most practices cannot afford. When it comes to OSHA, the punch-to-the-gut penalties are nothing to chuckle at. And let’s not forget the recent increase in these dollar amounts. Achieving and maintaining compliance when using services from Abyde takes less time than a patient should spend brushing and flossing, and if we can humble brag for a minute – we make it easy and fun! Brushing and flossing are not only good for your patients but are also good for your practice. Ready to get your practice’s compliance hygiene up to par?

January 2023 HIPAA Fine
Fines, HIPAA

With the first settlement announcement of 2023, OCR selects…

January 4, 2023 Comments Off on With the first settlement announcement of 2023, OCR selects…

January 4, 2023 We didn’t even make it through the first week of the new year before we saw the first settlement announcement. Yesterday, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announced a settlement with a Georgia full-service diagnostic lab. The potential violation marks the 43rd associated with the HIPAA Right of Access Initiative to date. This is now the third Right of Access settlement we have seen in the last month.  The initial complaint was first filed back in August of 2021 when a personal representative was unable to obtain a copy of her deceased father’s medical records. While the lab finally complied in February of 2022, it took seven months for the requester to receive the records. The HIPAA right of access provision requires that patients be able to access their health information in a timely manner, typically within 30 days.  The lab has agreed to pay $16,500 and implement a corrective action plan to resolve this investigation. The corrective action plan includes two years of OCR monitoring. OCR Director, Melanie Fontes Rainer, shared her thoughts, “Access to medical records, including lab results, empowers patients to better manage their health, communicate with their treatment teams, and adhere to their treatment plans. The HIPAA Privacy Rule gives individuals and personal representatives a right to timely access their medical records from all covered entities, including laboratories.” While we all have the same goal in common – to provide the best experience for our customers and patients – that doesn’t always equate to direct care. Ensuring that their needs and requests are met is essential to the overall experience. From the first time they Google you all the way to a request for records, you are making an impression. And whether it’s the first impression or the last, don’t you want it to be a good one?

New Year HIPAA Compliance
Best Practices, HIPAA

NEW YEAR’S RESOLUTION: BE COMPLIANT

December 22, 2022 Comments Off on NEW YEAR’S RESOLUTION: BE COMPLIANT

December 22, 2022 The end of the year is right around the corner and while you’re enjoying the festivities with friends and family (we love a good holiday tradition!), you might already be thinking about New Year’s resolutions. And if you are, props to you for not being a procrastinator. We bet your goals for the year may include eating healthier and learning a new skill, but what about getting compliant? Ensuring your organization is HIPAA and OSHA compliant should be a top priority for every practice – and it’s an easy goal to check off your list! Here are some quick tips to help you start the new year off on the right foot:  Complete your annual Security Risk Analysis and Facility Risk Assessment  This should be your top priority as it is the first piece of documentation you will be asked for in the case of a HIPAA audit or OSHA investigation. The SRA sets a baseline for your organization by assessing all physical, technical, and administrative areas of risk and determining where your HIPAA program stands. Much like the SRA, the FRA is an assessment of your facility’s environment that will help to identify, minimize, and eliminate hazards in the workplace. Keep in mind that both the SRA and FRA must be documented and must be more than a generic checklist. They should provide you with actionable information and insights into all risks and hazards within your organization. Complete annual HIPAA and OSHA training All staff members including doctors and part-time employees must complete annual training. A best practice is to conduct training in a modular type format with a quiz at the end so you have documentation to prove that training has been completed. When it comes to OSHA training, each facility is different so you must incorporate site-specific training in order to address any site-specific hazards.  Update all Policies, Procedures, Programs, and Forms  This is a big one! Without proper documentation that accurately reflects all procedures within your organization, you are not considered to be compliant! If you have been using some templates you found online or have a dusty manual sitting on a shelf, this is your sign to trash it and update your policies to be practice-specific. Don’t forget to implement a plan to routinely review all policies with staff members so they are up-to-date with the latest information as well.  Get signed Business Associate Agreements  In order to be HIPAA compliant, run an inventory list of all vendors you work with that have access to Protected Health Information (PHI). Some examples would include your IT vendor, EHR/PM system, and encryption provider. Once you have gathered all vendor information, double-check that you have a signed Business Associate Agreement with them. If you do, great! If not, be sure to reach out to them right away. If you don’t have a BAA in place with every vendor then you run the risk of getting slapped with your own HIPAA fine if a breach occurs.  Update your Safety Data Sheets  When it comes to OSHA compliance, Safety Data Sheets are essential for tracking and managing any hazardous chemicals in the workplace. Make sure you have a Safety Data Sheet for any chemical which is known to be present in the workplace, in such a manner that employees may be exposed to it under normal conditions of use or in a foreseeable emergency. The big takeaway here – these MUST be readily accessible to all employees. If you do not have a safety data sheet for a particular chemical, you should contact the manufacturer to obtain one. And that’s it! If you follow these steps, there’s no doubt you will be in great shape when it comes to compliance. Still have questions or need help implementing a compliance program for your practice? Contact the experts (hey, that’s us!) at 800.594.0883 for all of your compliance goal-setting needs! While we might not be giving up Chick-fil-a, enrolling in a new gym, or even improving our culinary skills, our resolution always remains the same – make compliance the easiest part of running your practice.

Fines, HIPAA

A costly race against the clock

December 16, 2022 Comments Off on A costly race against the clock

December 16, 2022 On Thursday, the HHS Office for Civil Rights announced a settlement with a Florida primary care practice over a violation of the HIPAA Privacy Rule’s right of access provision. This marks the 42nd case under the Right of Access Initiative to date and the second settlement this week.  All the way back in mid-2019, a daughter, serving as personal representative, was attempting to retrieve her deceased father’s records. After multiple attempts, the practice failed to provide timely access. HIPAA’s right of access standard requires a covered entity to take action on an access request within 30 days of receipt. The practice exceeded that allotted time; the daughter received all requested records nearly five months after the initial request.  OCR Director, Melanie Fontes Rainer, stated, “The right of patients to access their health information is one of the cornerstones of HIPAA, and one that OCR takes seriously.”  The FL primary care practice has since paid its $20,000 fine to the OCR and is working to implement a Corrective Action Plan. The plan will be closely monitored over the next two years and includes updating, distributing, and training on all applicable policies and procedures.  In the age of immediacy, there is no exception when it comes to patient record requests. When a patient requests access to their records, prioritize their request. You have 30 days to take action or you could face not only an OCR investigation but a big fine – one we bet is not worth rearranging your priorities to put the patient first.

Are you sure you've got HIPAA covered? Get your compliance grade in 5 minutes.

TAKE THE CHALLENGE
X