HIPAA

HIPAA Extreme Risk Protection Orders
Best Practices, HIPAA, Legislation

HHS Issues Guidance on HIPAA Disclosures for Extreme Risk Protection Orders

December 20, 2021 Comments Off on HHS Issues Guidance on HIPAA Disclosures for Extreme Risk Protection Orders

December 20, 2021 To combat HIPAA’s common misconception of acting as a barrier law, the Department of Health and Human Services (HHS) along with the Office for Civil Rights (OCR) has continued to emphasize that the law does not simply prohibit PHI disclosure altogether but rather permits the safe sharing of relevant information when necessary.  While we’ve recently seen information published in response to HIPAA’s role in a public health emergency and disclosure of vaccination status – just today the government issued guidance addressing another widely important concern. The latest announcement helps clarify how the HIPAA Privacy Rule permits covered health care providers to disclose protected health information (PHI) for the purpose of extreme risk protection orders (ERPO) and to prevent an individual in crisis from accessing firearms. This guidance follows suit with the U.S. Department of Justice’s model extreme risk protection order legislation and aims to support law enforcement, family members and others who intervene in an effort to prevent firearm injuries and deaths. The issued guidance speaks to HIPAA’s requirements in relation to ERPO laws, stating that the Privacy Rule does allow a health care provider to disclose PHI in support of an application for an ERPO against an individual in limited circumstances. HIPAA allows entities to share an individual’s PHI without authorization if they feel that the individual poses a danger to themselves or others, if the disclosure is required by law, or when the disclosure is in response to an order of a court or other lawful process. It details specific examples for each permission along with general considerations for meeting the Privacy Rule’s “minimum necessary” standard. This standard requires covered entities and business associates to make reasonable efforts to limit the PHI disclosed to the minimum necessary to accomplish the intended purpose of the use or request. In response to the issued notice, recently appointed OCR Director, Lisa J. Pino states that, “HIPAA should not be a barrier to communication for law enforcement, concerned family members, health care providers, and others when they see an individual in crisis. Today’s guidance helps clarify legal requirements and to better support individuals in crisis.” This guidance is essential in not only improving the public’s safety but clarifying any confusion that could get in the way of doing that. “Too often, communities bear the weight of heartbreaking tragedies caused by the epidemic of gun violence in our country,” said HHS Secretary Xavier Becerra. “Today’s guidance on HIPAA and Extreme Risk Protection Orders is an important step the Biden-Harris Administration is taking towards protecting communities from gun violence by allowing law enforcement, concerned family members, or others to prevent a person in crisis from accessing firearms.” HIPAA plays a key role in not only protecting the privacy and security of patients’ health information but permitting health care providers to intervene in a safe and appropriate matter if ever necessary. So when it comes to keeping your patients and your practice’s best interest at heart, understanding HIPAA law and following guidance such as the one released today, is vital.  

MIPS and HIPAA Compliance
Best Practices, HIPAA

The Security Risk Analysis: Setting the Pace for MIPS and HIPAA Compliance

December 6, 2021 Comments Off on The Security Risk Analysis: Setting the Pace for MIPS and HIPAA Compliance

December 6, 2021 As a healthcare provider, tackling your daily to-do list probably feels like running a marathon without a finish line at times. You’re tasked with managing a successful business, keeping up with ever-changing legislation and new technology all the while having to ensure that your top priority of patient care never falls behind. But despite the challenging course, there’s a benefit to keeping pace with both quantity and quality. And thanks to Value-Based payment programs like MIPS and other government incentives like the HIPAA Safe Harbor Law, providers are rewarded for going the extra mile.  You’ve most likely heard of the Merit-based Incentive Payment System (MIPS) and might even be participating in it already. But whether it’s a Quality Payment Program or new legislation passed into law – the government is continually emphasizing the importance of being proactive rather than reactive and providing incentives for doing so. This is why there’s so much value in knowing what your organization is eligible to participate in (or using government lookup tools like this one if you don’t) and getting yourself on track to ensure that no money is being left on the table. Because many of these different program requirements fall right in line with the standards your practice already has to meet under HIPAA law – protecting your patients, checking off compliance requirements and receiving incentives can often be done all in one stride.  So, what exactly is MIPS?  To take a quick step back, MIPS is one of two payment tracks under the Medicare Quality Payment Program and is a system used by the Centers for Medicare and Medicaid Services (CMS) to measure eligible clinician performance and reward high-value, low-cost care. MIPS participants can receive a payment adjustment to their Medicare reimbursements based on their performance scores across four different categories being: Now achieving high scores in each of those categories requires some endurance but luckily, your organization can check several quality and interoperability objectives off just by utilizing a compliant and reputable EHR system. But before you can get to these different performance measures, there’s a prerequisite for even participating in the MIPS Promoting Interoperability performance category which also just happens to be a front-runner for achieving HIPAA compliance and taking advantage of other government incentives like the Safe Harbor Law – the Security Risk Analysis (SRA). The SRA is not only a requirement for MIPS participation but is also the first step in achieving a complete HIPAA compliance program. Conducting an SRA involves assessing any potential risks to your organization’s ePHI and implementing the necessary security updates and safeguards to mitigate whatever vulnerabilities were found. To fulfill MIPS and HIPAA law standards, your organization must complete an SRA annually at minimum and should continually review and update the analysis to address any changes in your technology or practice operations throughout the year.  In addition to being a necessary stride towards implementing a complete HIPAA compliance program and enabling your practice to participate in MIPS reimbursements, the SRA is also key in ensuring your patient’s sensitive health information is best protected. As the healthcare industry continues to emerge as a top target for data breaches – having the proper cybersecurity practices in place are essential. The government recognizes these additional hurdles that providers are faced with, and knows the importance of identifying and mitigating security risks within the organization before an incident occurs. This is exactly where the HIPAA Safe Harbor Law that we keep mentioning comes into play. The legislation passed in January of 2021, basically says that organizations can receive reduced HIPAA fines and penalties if they have the proper security measures in place – step number one being (you guessed it) a properly completed SRA.  But while it’s one thing to know why your organization should be meeting the requirement, it’s another to actually know what to do to get your practice off the starting blocks – and avoid the many misconceptions that might slow you down. Luckily a solution like Abyde makes conducting a thorough and accurate assessment of your organization a breeze. With dynamically generated questions to cover all the necessary safeguards and ongoing compliance assessments to ensure any identified risks are mitigated – you can feel confident that your organization is covered.  Even though throwing in the SRA to your already jam-packed to-do list might seem like adding miles to the track, with Abyde you can score your best time and complete this key requirement in just a few clicks of a mouse and only 20-minutes a month. So while your marathon of responsibilities might go the distance – with the close of 2021 right around the corner, the only way to get your organization across the finish line and meet HIPAA and MIPS requirements is to have a properly completed Security Risk Analysis in place.

5 HIPAA Right of Access Violations
Fines, HIPAA

OCR Settles 5 HIPAA Right of Access Violations

December 1, 2021 Comments Off on OCR Settles 5 HIPAA Right of Access Violations

December 1, 2021 In celebration of ‘Giving Tuesday’ this year, the Office for Civil Rights (OCR) came bearing gifts by the handful (literally) – announcing five separate HIPAA Right of Access violations all in one day. Now you might be thinking that this sounds like a historic first for same-day settlements, but just last September, the OCR made a similar five-violation announcement. The latest enforcement brings the Right of Access settlement total to 25 and dollars collected to $1,505,650 since the government announced their enforcement initiative back in 2019. And while the not-so-lucky receivers of the government’s “gifts” range by size, specialty, and location – failing to ensure individuals’ right to timely medical record access is one thing that all of these practices share. Wake Health Medical Group The first of five settlements went to a primary care provider out of North Carolina, who agreed to a $10,000 fine and corrective action plan to resolve their violation of the HIPAA Privacy Rules’ Right of Access standard.   Denver Retina Center Violation number two was given to a Denver-based ophthalmologist and included a $30,000 settlement and one-year corrective action plan as a result of their potential HIPAA Right of Access violations. Advanced Spine & Pain Management (ASPM) The third settlement was gifted to a provider of management and treatment of chronic pain services out of Ohio, whose Privacy Rule violations landed them with a $32,150 fine and corrective action plan consisting of two years of monitoring. Rainrock Treatment Center, LLC (dba Monte Nido Rainrock) Violation number four went to a licensed eating disorder treatment provider out of Oregon who agreed to pay $160,000 and participate in a year-long corrective action plan to settle their HIPAA violations.   Dr. Robert Glaser And last but certainly not least, the fifth settlement came as a result of not only failing to provide a patient with a copy of their medical records but also lacking cooperation with the OCR. The New York-based internal medicine and cardiovascular disease specialist ignored the OCR’s data requests and waived their rights to a hearing, leaving them with a civil money penalty of $100,000. In addition to the settlement announcement, the recently appointed OCR Director, Lisa J. Pino issued a statement in response: “Timely access to your health records is a powerful tool in staying healthy, patient privacy and it is your right under law. OCR will continue its enforcement actions by holding covered entities responsible for their HIPAA compliance and pursue civil money penalties for violations that are not addressed.”  While these gifts might not have come wrapped in a bow, they did bring along a trending theme that we encourage all providers to do some unpacking themselves. Noncompliance with the HIPAA Right of Access standard continues to prove itself as a widespread gap that the OCR is committed to enforcing. So even though we might have to wait until next November to celebrate another “Giving Tuesday” – getting your organization HIPAA compliant and meeting all government requirements – including Patient Right of Access – is the year-round gift that keeps on giving so you can avoid making the next OCR settlement list.

HIPAA Right of Access Initiative Fine
Fines, HIPAA

OCR Announces 20th HIPAA Right of Access Settlement

September 10, 2021 Comments Off on OCR Announces 20th HIPAA Right of Access Settlement

September 10, 2021 There might not be such thing as time travel but with the latest HIPAA settlement announcement, it’s looking like the Office for Civil Rights (OCR) has traveled back to their own version of the Roaring ‘20s. Two years, and now twenty resolutions later, the government initiative to support individuals’ right to timely record access has driven its own little economic boom – with the 20th financial penalty bringing the right of access running total to $1,173,500.  Children’s Hospital & Medical Center (CHMC) became the most recent healthcare organization to settle with the OCR, with a fine of $80,000 and requirement to adopt a corrective action plan that involves one year of government monitoring. But while the Nebraska-based pediatric provider probably isn’t too jazzed about the repercussions, the penalty comes as a result of an equally unhappy individual who was not provided the proper access that HIPAA strives to ensure. The issue was brought to the OCR’s attention back in May of 2020 after a parent filed a complaint alleging that CHMC failed to provide full access to her late daughter’s medical records. The complaint stated that while the organization fulfilled a portion of the request, CHMC failed to provide all of the requested records despite the parent’s several follow-up requests. The delay was in part due to the remainder of the requested records being needed to obtain from a different CHMC division but it wasn’t until after the OCR’s investigation that full access was provided. In addition to the resolution agreement, Acting OCR Director, Robinsue Frohboese released in a statement, “Generally, HIPAA requires covered entities to give parents timely access to their minor children’s medical records, when the parent is the child’s personal representative. OCR’s Right of Access Initiative supports patients’ and personal representatives’ fundamental right to their health information and underscores the importance of all covered entities’ compliance with this essential right.”  While this settlement shares plenty of similarities with the 19 other examples of noncompliance that we have seen since the enforcement initiative started, it’s important to note the fact that this $80,000 fine was the result of just one patient complaint. And though the Roaring ’20s might’ve been a relatively short-lived era, proposed updates to the HIPAA Privacy Rule and expansions to the OCR budget are enough to predict that the right of access enforcement initiative isn’t going anywhere, anytime soon. So with the latest settlement serving as the perfect example of just how much damage a single HIPAA complaint can have on a healthcare organization – ensuring you’re fulfilling all medical record requests in a timely and HIPAA-compliant manner is essential to avoid becoming lucky settlement number 21.

The Cost of a HIPAA Violation
Fines, HIPAA

The Cost of a HIPAA Violation

September 3, 2021 Comments Off on The Cost of a HIPAA Violation

September 3, 2021 We’ve all seen enough news headlines to know that the going rate for a HIPAA violation isn’t cheap. This past year has tallied up more than a handful of fines with numbers that might not have Jeff Bezos doing a double-take, but certainly have us seeing dollar signs. Not to mention that the first fine of 2021 brought in $5.1 million alone. And although not every HIPAA violation warrants front-page news status, even the minimum fine amount can do some major damage – especially when it’s a small, independent practice footing the bill.  So if you’re looking for an exact dollar amount, to date the Office for Civil Rights (OCR) has collected on 101 settlements to the tune of $135,328,482. We all know that a check that size doesn’t just add up without reason but what caused it to accumulate and why so high? Well back when HIPAA law was first introduced in 1996, the hope was to establish a set of standards to protect sensitive health information in the medical industry. But as the later published Privacy and Security Rules provided a laundry list of requirements for covered entities to follow, many failed to fully comply. So in 2006, the government came up with a solution and that’s where the HIPAA Enforcement Rule was born. It was this ruling that essentially started the tab on that billion-dollar bill, granting the OCR the right to hold covered entities and their business associates accountable with fines and other penalties for noncompliance.  Now just as the repercussions for speeding are understandably different than they are for a case of highway robbery, HIPAA fines also come with a “prices may vary” label attached. Each penalty is determined based on the extent to which the organization was aware that HIPAA rules were being violated and is broken down into the following four tiers: If you were wondering, that “per incident” statement is the reason why we see those multi-million dollar fines – and what comes with HIPAA’s many different rules is a lot of different ways to break them. But it’s not just the monetary penalties that violators have to worry about. HIPAA settlements are usually a package deal including a corrective action plan that typically involves anywhere from two to three years of OCR monitoring. And if hefty fines and the government breathing down your back aren’t enough to prove just how costly violations can be – in the case that the HHS decides that there was deliberate malicious intent, the Department of Justice can step in and also assign criminal penalties with maximum jail time of 10 years. We know that the mention of hefty fines and possible jail time definitely puts a damper on things, but with every “bad news” there’s typically good to follow. So the good news is there are ways to help avoid these worst-case scenarios, and recently passed legislation like the Safe Harbor Law to protect against incidents like data breaches that aren’t as easily avoidable. But the best protection? Having a full understanding of your organization’s responsibilities and a complete HIPAA compliance program to check all the governments’ boxes. Because after all – with how high the cost of a violation can be, you can’t put a price tag on the peace of mind that comes with being compliant.  

Security Risk Analysis Misconceptions
Best Practices, HIPAA

The Security Risk Analysis and its Many Misconceptions

August 13, 2021 Comments Off on The Security Risk Analysis and its Many Misconceptions

August 13, 2021 HIPAA is kind of like a puzzle – without having each and every individual requirement in place, your practice can’t consider itself fully compliant. But much like building a jigsaw blindfolded, it’s a lot harder to piece together the big picture of compliance with all of the misconceptions out there masking what HIPAA’s requirements actually entail.  Now, the first piece in this so-called “HIPAA puzzle” is the Security Risk Analysis (SRA) which requires all covered entities to assess any potential risks and vulnerabilities to protected health information (PHI) based on the physical, technical, and administrative safeguards that their organization has in place. It’s essentially just a self-evaluation that helps lay the groundwork for a complete HIPAA program AND is the first thing a practice will be asked to provide in the case of an audit. But despite its importance, only 14% of entities actually fulfill the requirement – so what is causing this lack of compliance and why does the SRA seem like an unsolvable puzzle in itself? A large piece of the widespread noncompliance is all of the confusion that surrounds the ‘what, why, and how’ of the SRA. This is why in order to ensure all organizations know how to complete the first part of the big HIPAA puzzle, we need to break down the myths vs the facts.  Myth #1: Small practices and independent providers don’t need to worry about the SRA. False: All providers, no matter the size or specialty, are covered entities under HIPAA and are therefore obligated to perform a risk analysis along with all other requirements under HIPAA law. Myth #2: My Electronic Health Record (EHR) takes care of privacy and security, so I don’t need to complete an SRA. False: Even with a certified EHR, the risk analysis isn’t completed for you. The EHR vendor may provide information and training on the privacy and security aspects of their product but they are not responsible for privacy and security compliance within your practice. Additionally, an SRA involves all PHI within your organization, including what isn’t housed in your EHR like paper records and files.   Myth #3: My IT company handles a full SRA.  False: Similar to the confusion around your organization’s EHR, IT companies might help to assess technical safeguards and identify technical risks – but do not provide a comprehensive analysis of all aspects of your organization to cover the administrative and physical requirements.  Myth #4: I can use a templated checklist to complete my SRA.  False: While the government does provide some tools that can be used as helpful guidance for conducting an SRA, in order for the analysis to meet the requirements it must assess specific elements of your organization and practice operations which may differ from the types of things assessed in a template or generic checklist.  Myth #5: The SRA is a one-time thing and as long as I completed it once, I’m good to go! False: The HIPAA Security Rule specifically states, “the risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.” But although, your organization does need to be conducting an SRA on a continual basis – this doesn’t mean that each year you’ll need to start over from scratch. It’s important (and required) that you update your SRA annually at the very least as well as any time there are changes to your practice or systems to identify any changes in risks and maintain the necessary safeguards within your organization.  While we hope our little game of “myth busters” helped clarify any confusion around what goes into completing this requirement and why it’s so important, we know that it might’ve also caused some concern for how a small, independent practice is supposed to tackle all of this alone. Completing a comprehensive analysis (on an ongoing basis) along with the proper documentation and risk mitigation that’s required involves time, resources, and expertise that might seem unfeasible to a small or medium-sized organization. But luckily there are outside resources available to help debunk the other misconception that completing an SRA HAS to be challenging. So while your practice can tackle this requirement DIY-style, a software solution like Abyde makes it so you don’t have to – providing all the tools and support to guide you through the misconceptions and help to put the pieces into place so that your practice can easily complete the puzzle of HIPAA compliance. Schedule a one-on-one consultation today to see where your practice currently stands and how Abyde makes meeting the SRA – and all other HIPAA requirements – a breeze!

Controlling Access to Your ePHI
Cybersecurity, HIPAA

How Are You Controlling Access to Your ePHI?

July 22, 2021 Comments Off on How Are You Controlling Access to Your ePHI?

July 22, 2021 While there might not be such a thing as a real-life fairy godmother, technology has granted us the power to access a whole world of information with just a click of a mouse. Anything from research, shopping, to chatting with friends is now so simple it almost seems like magic, but this “instant-access” ability is a double-edged sword when it comes to the privacy and security risks that follow in its reign. Now if there’s one industry that truly feels the weight of technologies twofold, it’s healthcare. While sharing, receiving, and storing electronic protected health information (ePHI) is now easier than it ever was before, the heightened number of healthcare data breaches and cyber attacks seen over recent years have identified the ‘Achilles’ heel’ of technology’s power of accessibility. This ongoing battle between ease of access and security risks has been the topic of several Office for Civil Rights (OCR) alerts shared over the past year, and most recently, the main focus of their Summer 2021 Cybersecurity Newsletter.  The newsletter titled “Controlling Access to ePHI: For Whose Eyes Only?” highlights a recent report that found that “61% of analyzed data breaches in the healthcare sector were perpetrated by external threat actors.” So while most healthcare organizations know not to go and give the keys of the castle away to just anyone, technology has made access a possibility for really anyone who has a decent internet connection. But the even more striking statistic featured in the newsletter? It’s not just hackers that you have to worry about, the security incident report also uncovered that 39% of those data breaches were actually committed by insiders. Though most fairy-tales feature an evil villain, these insider breaches aren’t always the result of a malicious act. In addition to the multi-million dollar hacking schemes that we see all too often, are stories of staff impermissibly accessing ePHI or leaving sensitive data unattended. So if you’re wondering how you can best protect your practice, the answer is to have the proper authorization policies, procedures, and controls in place.    When it comes to those necessary policies and controls, the HIPAA Security Rule identifies certain standards and specifications that healthcare organizations are required to implement. The two standards, Information Access Management and Access Control, are administrative and technical safeguards that work in tandem to protect and secure ePHI – but what exactly do they entail? Information Access Management This standard essentially defines how access to ePHI is authorized and requires HIPAA-covered entities and business associates to implement policies and procedures regarding information access. So, what do some of these specific policies include? Access Control In addition to the administrative requirement for access management, Access Control is a technical safeguard that actually limits the availability of that ePHI based on the organizations’ Information Access Management policy. The OCR’s newsletter describes the necessary controls to coincide with the “flexible, scalable, and technology-neutral nature of the Security Rule” and provides a wide range of control mechanisms for organizations to consider and implement where they see fit. They also provide four implementation specifications which include: So as complementary requirements of the HIPAA Security Rule, your organization is expected to have these standards in place to best prevent both outsider and insider threats. And while it would be nice if you could just have a knight in shining armor there to guard your practice from cyber threats and impermissible ePHI access – implementing the safeguards provided above, and ensuring all staff members are trained on proper access, is the next best thing.

Proposed 2022 HHS Budget
HIPAA, Legislation

What the Proposed 2022 HHS Budget Says About the Future of HIPAA & Cybersecurity

July 15, 2021 Comments Off on What the Proposed 2022 HHS Budget Says About the Future of HIPAA & Cybersecurity

July 15, 2021 HIPAA compliance has seemed to be on the government’s radar more than ever before. In just the past year, we’ve seen record-breaking Office for Civil Rights (OCR) enforcement, proposed Privacy Rule updates and the implementation of the HIPAA Safe Harbor Law and the 21st Century Cures Act – two new sets of legislation centered around healthcare, technology, and patient rights. So with the spotlight set on protecting the privacy and security of health data during a time where reliance on technology is especially prevalent – it should come as no surprise that the government’s newly proposed budget features a heavy focus and increase in funding for this area specifically.  What’s in the proposed budget?  The Biden Administration recently released their proposed 2022 budget for the Department of Health and Human Services (HHS) in early June. The proposal calls for additional spending to better protect the healthcare industry from evolving cyber threats and support government efforts in enforcing compliance among covered entities. So exactly how much of a budget increase are they requesting and what does that tell us about the future of HIPAA compliance? While those dollar figures are already a good indicator of where we can expect the government to continue its focus – ensuring that patients’ health data is properly protected goes beyond those hefty price tags. Fiscal 2022 proposed budget also seeks to add 39 staff members to the OCR, bringing the employment total to 229, and acknowledges that the “OCR will engage in rulemaking to further strengthen individuals’ rights to access their own health information, improve information sharing for care coordination and case management and reduce administrative burdens.” So just as recent enforcement numbers have proven the governments’ awareness of noncompliance and influx of cyberthreats has shed light on a lack of proper security protections amongst healthcare providers – this proposed budget provides a ‘crystal-ball’ prediction of what we can expect to see moving forward. Adding in millions of dollars to the budget and expanding the task force in these relevant government agencies will produce even more resources available to ensure all covered entities are best protecting health data privacy and security. And although the new budget is not finalized as of yet, the upcoming changes to the Privacy Rule and commitment outlined within the proposal to improve upon government rulemaking is a clear sign that their emphasis on HIPAA and other health IT-related laws is not going away anytime soon.  What does this mean for you?  First off, meeting HIPAA and cybersecurity requirements is essential to protecting your practice and your patients from a data breach or HIPAA violation. While these are certainly things that should be prioritized regardless of the government’s spending plans, the proposal creates even more urgency in ensuring that you have these necessary safeguards in place. So as the government continues to hone in their focus on health data privacy and security, your practice should too – and having a complete compliance AND security program is the perfect place to start.

Privacy Rule Proposed Modifications
HIPAA, Legislation

Privacy Rule Proposed Modifications | Public Comments Released

July 8, 2021 Comments Off on Privacy Rule Proposed Modifications | Public Comments Released

July 8, 2021 Remember those Privacy Rule modifications that the Department of Health and Human Services (HHS) proposed late last year? Well, after adding a 45-day extension on the public comment period back in March, the responses submitted have finally been made available – giving us some additional insight on what we can expect to see when the updates are officially finalized.   For anyone looking for a light-read while they drink their morning coffee – diving into the official HHS document might not be for you. The proposal included a lengthy list of changes centered around increasing permissible disclosures of protected health information (PHI) and enhancing care coordination and case management. As the healthcare industry has evolved, so have the necessary requirements for protecting data privacy and security – and these modifications address several issues that have become the source of widespread non-compliance over recent years. One of the major areas of focus should come as no surprise considering the initiative that was declared in 2019 to enhance enforcement for patient right of access violations – and the 19 different settlements that have resulted from it so far. So in looking at how the Privacy Rule changes plan to improve this issue, some of the major proposed provisions include: In addition to addressing patients’ right of access, the proposed modifications also clarify certain definitions and phrasing that oftentimes leads to confusion and misunderstanding by providers and patients. Some of these updates include: While the examples provided are only a snapshot of the full list of proposed modifications, each update follows suit with the evolving environment in the healthcare industry and covers relevant concerns felt by both providers and patients. So much so, that the comment period extension was made due to such a “high degree of public interest” and amounted to a total of 1,391 comments submitted in response to the HHS’s proposal.  So what can we expect?  These proposed modifications take into consideration the public comments received on the OCR’s 2018 RFI that requested public input on how HIPAA rules could improve to better “support care coordination and case management and promote value-based care while preserving the privacy and security of PHI.” Each provision is a direct reflection of the key themes identified in the public opinion received back in 2018 and addresses issues like administrative burdens and the need for improving upon patient rights. So although we don’t have a time machine to jump ahead and see what exactly the final rule will entail, we can pretty confidently say that these concerns addressed in the HHS document will continue to be a focus in regulatory amendments and government enforcement. And the high volume of public interest clearly depicts the impact and value that enacting these changes will have on patients and providers. When will you need to comply  As far as knowing the what and when of the final ruling – we don’t quite have a definitive answer. But it’s important for all covered entities to be aware and prepared for the expectations of complying with the modified Privacy Rule provisions when they are made official. According to the HHS, “The effective date of a final rule would be 60 days after publication.” Additionally, entities will still have 180 days from that effective date to update or implement policies and procedures to achieve compliance with these new standards.  So when it comes to the timeframe for when the government will actually start enforcing the new compliance standards, you have 240 days of breathing room once the final rule is published. BUT based on the HHS’s acknowledgment that the impact of adhering to these new guidelines will involve “covered entities actions to re-train their employees on, and adopt policies and procedures to implement, the legal requirements of this proposed rule” we highly recommend taking an ‘early bird gets the worm’ approach for compliance. Having a complete HIPAA program in place along with a full understanding of the potential changes that could be coming your way is the best way to ensure that your patients’ data is best protected and your practice is best prepared for avoiding a HIPAA violation and fine.

HIPAA Policies & Procedures
Best Practices, HIPAA

Your Organizations’ HIPAA Rulebook: Policies & Procedures

June 21, 2021 Comments Off on Your Organizations’ HIPAA Rulebook: Policies & Procedures

June 21, 2021 Imagine if each sport didn’t have its own set of rules – we’d have baseball players tackling each other in the outfield and hockey players kicking the puck down the ice in front of a stadium full of confused fans with not a clue as to what they’re supposed to be cheering for. These unique sets of guidelines tailored specifically to each sport enable athletes to excel and spectators to appreciate what they’re watching. Without them, the games wouldn’t make much sense. So while the excitement of HIPAA is nowhere near anything you might find in a sports arena, having a rulebook specific to your organization is essential to ensuring patients’ sensitive information is being handled properly and HIPAA requirements are being upheld. HIPAA law came into play back in 1996 to set a national standard for how protected health information (PHI) should be handled and protected. Part of its requirements include the implementation of reasonable and appropriate policies to comply with these standards, but what exactly does reasonable and appropriate mean? Essentially, your organization is required to have policies and procedures in place to set expectations for how PHI should be handled as well as guide daily work operations and ensure consistency in patient care. But just as the specific rules differ for a game of football versus tennis, a small eye care facility has different expectations and work operations than a large hospital would – and therefore requires its own unique HIPAA rulebook.  What Do These Documents Include? For any HIPAA fanatics out there, you might already be familiar with the Security Rule’s provisions around the administrative, technical and physical safeguards necessary for protecting PHI which cover a wide range of requirements like completing a Security Risk Analysis (SRA), implementing facility access controls and maintaining up to date asset logs. So in looking at the documentation requirements, your policies should outline these required safeguards as well as the standard procedures for your organization to implement these protections. While the full list of documents and their included content will vary based on your organization’s size and specialty – there are some must-have elements that each rulebook should contain, including:  How Should These Policies & Procedures be Implemented? While the list provided above is definitely extensive and probably brings along an image of an overflowing HIPAA manual, it’s only a sample size of all the policies and procedures that your organization could potentially need to implement. And while yes, you can find templates for the majority of these policies online and even some directly on the HHS website, they lack an especially important element to the HIPAA requirement – customization. The latest HIPAA Industry Audit Report uncovered widespread non-compliance for the policy and procedure requirement – a major red flag being the common usage of “template policy manuals that contain no evidence of entity-specific review or revision and no evidence of implementation” (their words not ours). This lack of entity-specific evidence came as a result of organizations not including details like their practice name and HIPAA Compliance Officer (HCO) contact information within each policy document – which are important elements of actually fulfilling this requirement. In addition to providing specific details about your organization itself, another piece to the “customization” requirement is taking into consideration certain state laws that might take precedence over HIPAA. It’s important to ensure that policies including things like breach reporting and responding to record requests meet the most stringent timeframes and requirements that apply to where your facility is located. So in order to meet this important HIPAA standard, the ball is truly in your court. As new opponents like legislative changes, technology advancements, and evolving patient needs require adjustments in your organizations’ operations – your policies and procedures must reflect these updates accordingly. But having the proper documentation and specific content included isn’t all that’s needed to make the cut. Providing employee training on a continual basis is essential to getting staff members up to speed on how they should be running the plays and ensuring that PHI is being handled correctly within your practice. So when it comes to developing a winning HIPAA strategy, having a comprehensive set of properly documented policies and procedures that are understood and followed by everyone within the organization is the best way to stay in the HIPAA compliance game.

Are you prepared for OSHA's Workplace Violence Prevention requirements? Learn what you need to do to be compliant.

DOWNLOAD CHECKLIST
X