HIPAA

Corrective Action Plan Fine
Fines, HIPAA

Fool me once, shame on you… Fool me twice, here’s a Corrective Action Plan

December 16, 2022 Comments Off on Fool me once, shame on you… Fool me twice, here’s a Corrective Action Plan

December 16, 2022 On Wednesday, the HHS Office for Civil Rights announced a settlement with a California dental practice over impermissible disclosure of patient-protected health information (PHI). The practice faces potential violations of the HIPAA Privacy Rule by inappropriate use of social media to respond to patient reviews and disclosing protected health information.  OCR Director, Melanie Fontes Rainer, stated, “This latest enforcement action demonstrates the importance of following the law even when you are using social media. Providers cannot disclose protected health information of their patients when responding to negative online reviews.”  The practice faces a lofty fine of $23,000 and a Corrective Action Plan that will be monitored by the OCR for the next two years. Within the CAP, the practice is responsible for updating and maintaining all policies and procedures to comply with the Federal standards that govern the privacy and security of individually identifiable health information. Additionally, all members of the staff must receive training within 30 days of the updated policies and procedures to comply with the Privacy Rule within 30 calendar days of the implementation of the policies and procedures.  This is the second offense for the same office in the last 5 years. In November 2017, the OCR received a complaint regarding impermissibly disclosed PHI in online review responses. The protected health information included patient names, treatment, and insurance information. Through the investigation, the OCR found other violations including failure to provide an adequate Notice of Privacy Practices and implement Privacy policies and procedures.  As a word of advice from your HIPAA and compliance experts, review all PHI and Privacy Rule policies and procedures with any members of your staff that handle online reviews and social media responses. And while you’re at it, for those of you who may use a third party to handle reputation management, check those Business Associate Agreements, and remind them of our best practices.

Easy way to understand ePHI
Cybersecurity, HIPAA

Toothpaste, Baseball, and ePHI

December 2, 2022 Comments Off on Toothpaste, Baseball, and ePHI

December 2, 2022 Covered entities and business associates, like healthcare providers, that use online tracking technology should be aware of their ePHI management to HIPAA standards  OCR Recently Released a Bulletin Outlining the Proper Use of Tracking Tech in Accordance with HIPAA Compliance Have you ever talked about being out of toothpaste at work, and then when you get home there’s an ad for Colgate on your tablet as you decide what to order for dinner? It’s creepy, but it’s efficient. You’ve been targeted and the Colgate marketing department is doing its job. In this example, the transmission of your tracked demographics and shopping habits is not as sensitive as the transmission of your patient’s data.  Yesterday, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services issued a bulletin regarding the correlation between sharing electronic protected health information (ePHI) and online tracking technology. While we aren’t experts in targeted advertising, we are HIPAA experts. There are rules that apply to regulated entities, like you, when collecting information through tracking technologies or disclosing ePHI to vendors you may be working with. The OCR put it plainly, “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA rules.”  Do you know if your PHI is being captured through online tracking? Are you monitoring what patient data is being shared with third-party vendors? Even more important, do you use Google Analytics or Meta Pixel – if so, you might want to listen up. Whether you set this tracking up yourself or a third-party agency did, without permissible disclosures from your patients, if their ePHI is shared through the tracking technology, you are putting your practice and patients at risk.  Let’s head around the bases to make sure you’re covering your bases.  Nice base hit – you made it to first. The first thing you can do is ensure you have Business Associate Agreements (BAA) in place with all third-party vendors, especially those who create, maintain, or receive ePHI. While you’re cross-checking if your vendors meet the definition of a business associate, make sure your agreements denote the permitted use case for ePHI.  And the crowd goes wild – way to steal second. Before you think well I’ll just ask the vendor to delete any protected data before they use or save it, that’s not going to cut it. Per the OCR, “Any disclosure of PHI to the vendor without individuals’ authorizations…requires that there is an applicable Privacy Rule permission for disclosure.” Through the Privacy Rule, patients are empowered to have more control over their health information to access and make any changes as needed and boundaries are set on the use and release of health records, including the minimum necessary standard for information disclosures.  A bunt from your teammate gets you over to third – nice work! Before we round out to home, ask yourself if the risk is worth the reward. And if you’re still unsure, check in with your Security Risk Analysis and scorecard – another benefit to Abyde’s ongoing compliance. We work with you to identify the potential risk and exposure associated.  As we make our way to home base, we will summarize with this: if ePHI is involved in any of the data the tracking technology is sharing, HIPAA rules need to be followed. Here are the final words from the OCR, “all disclosures of PHI to tracking technology vendors are specifically permitted by the Privacy Rule and that, unless an exception applies, only the minimum necessary PHI to achieve the intended purpose is disclosed.”

HIPAA Internal Communication Dos and Don’ts
Best Practices, Cybersecurity, HIPAA

Internal Communication Dos and Don’ts

October 6, 2022 Comments Off on Internal Communication Dos and Don’ts

October 6, 2022 Have you ever accidentally sent a text to the wrong person? Most of us have and it likely made your heart skip a beat! Now, imagine sending a text and thousands of patients’ health information gets leaked. Talk about a gut-wrenching moment! Speaking of leaks, did you know that over 1.14 million people have been impacted by a protected health information (PHI) breach just last month alone? The leaked data includes names, social security numbers, phone numbers, email addresses, and more. That’s 7% higher than last September!  Internal communications are an efficient means of sharing and exchanging information within the practice. Employees communicate internally through channels like SMS, email, phone calls, and other means through the use of a third-party platform like Slack, Microsoft Teams, Zoom, and Cisco Webex. And while oftentimes we like the thought of quick and easy, it’s crucial to take that extra minute or two and double check that you are using a secure provider for all internal communication.  First things first, if you haven’t already done so, take this as your sign to reach out to your communications provider and ask if they are HIPAA compliant. Many times, companies will have this information available on their website as well. Keep in mind that some providers, like Google and Microsoft, offer HIPAA compliant services in an upgraded package. If you are not using a secure platform, or you are unsure, then you should not be discussing ANY patient information through that method of communication (yes, that includes names!). If you are using a secure, HIPAA compliant provider or application for internal communication, great! The next very important step is to double check that you have a signed Business Associate Agreement.  You may also be wondering about SMS/ text messaging within your organization. Staff members should not be texting each other with information related to patients, even if it is related to scheduling. Keep all work-related communication through your secure provider or application.  Quick reminder! Just because you are communicating internally through a secure provider does not in fact mean you are compliant. You’ll also need to implement security policies and procedures in order to follow best practices. These policies and procedures should include:  It is highly recommended that you consult with your IT professional for best practices on securing all applications in your practice.  Lastly, It’s important to remember that HIPAA is not a barrier law and, in fact, is intended to help you share protected health information securely and efficiently. Being efficient within your practice can help the overall health of your patients and your organization. Having these best practices in place will help you and your team avoid the anxiety of sharing something that shouldn’t be shared.

Dental Patient Right of Access
Audits, Fines, HIPAA

OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA

September 21, 2022 Comments Off on OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA

September 21, 2022 Boom! Pow! Bang! Three dental practices were sacked yesterday, resulting in nasty bruises and a loss of yards on the play. After heading into the locker room and studying some film, they recognized there were some lessons to be learned in the OCR’s HIPAA Right of Access playbook. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the completion of three investigations in its Health Insurance Portability and Accountability Act (HIPAA) Right of Access Initiative. The OCR’s HIPAA Right of Access Initiative started in 2019 to ensure patients receive their records in a timely and costly manner. With three actions in one day and a total of 20 just this year, we are seeing a 42% increase year over year in the enforcement of the Privacy Rule. The OCR’s effort has now raised the total to 41 Right of Access actions across the span of 3 years, setting a strong example for practices across the country on the importance of maintaining compliance. OCR Director, Melanie Fontes Rainer, states, “Patients have a fundamental right under HIPAA to receive their requested medical records, in most cases, within 30 days. I hope that these actions send the message of compliance so that patients do not have to file a complaint with OCR to have their medical records requests fulfilled.” Here is an instant replay of when three dental practices crossed the line of scrimmage:  The first dental practice had a delay of game penalty after failing to provide timely access to their former patient’s records. The former patient didn’t receive a complete copy of their records until October 2020, five months after they filed a complaint back in May 2020. This resulted in a $30,000 settlement and the implementation of a Corrective Action Plan. The second dental practice got a 15-yard penalty for not providing a patient with a copy of her records in a timely or costly manner. The practice refused to provide the records because the patient wouldn’t pay the $170 copying fee. That’s not a fair catch! After the OCR got involved, the dental practice had to cough up $80,000 in settlement and adopt a Corrective Action Plan. Maybe they should’ve read the HIPAA Rule book! The starting running back fumbled the ball when this practice failed to provide a mother and her son with copies of their PHI until after the play clock hit zero. After multiple requests and eight months of waiting, she finally got the medical records in her hands. The dental practice had to fork over $25,000 and implement a Corrective Action Plan. After watching the game footage, there is a clear solution here! Make sure your practice provides patients with timely and costly access to their medical records. Six dental practices have been sacked so far in 2022, which means we have already witnessed a 600% increase solely in the dental space compared to the 2021 season. That is not a statistic you can ignore! You could be next, so we encourage you to make sure you have the right compliance measures in place to avoid these large fines. Is your game plan ready?

2022 New Office for Civil Rights Director
HIPAA, Legislation

The Department of Health and Human Services Appoints Melanie Fontes Rainer as the New Office for Civil Rights Director

September 19, 2022 Comments Off on The Department of Health and Human Services Appoints Melanie Fontes Rainer as the New Office for Civil Rights Director

September 19, 2022 Did you check the news??? There’s a new sheriff in town and her name is Melanie Fontes Rainer! Recently announced, the Department of Health and Human Services (HHS) has appointed former Acting Director, Melanie Fontes Rainer, as the new Director of the Office for Civil Rights (OCR). Fontes Rainer has extensive experience in her career, serving as an Acting Director for the OCR and before that Counselor to Secretary Becerra.  Secretary Becerra stated, “Melanie has devoted her entire professional career to public service and has worked tirelessly to ensure that health care is accessible, affordable, and available to all, no matter where you live or who you are.” Fontes Rainer brings over 10 years of experience in civil rights, healthcare policy, and patient privacy. She was also involved in the 21st Century Cures Act, the Affordable Care Act, and the No Suprise Act. Fontes Rainer took part in ground-breaking settlements and created the first office that focused on health care rights and access in California. Melanie’s background, combined with her passion, will prepare her for the challenges she will face in her new role as OCR Director.  It is important to take into account that after Lisa J. Pino, former OCR Director, was appointed last year, we saw a surge in enforcement cases right away. Only a few months into Pino’s appointment as director, the OCR announced five Right of Access settlements in one day. This year we have already seen 17 including a record-breaking day with 11 settlements announced in just one day alone. With settlements totaling $1,992,140 already in 2022, the OCR clearly isn’t done yet. As we can see, between HIPAA violations, cybersecurity issues, and personal information privacy, practices continue to face challenges this year. But we can also see that Fontes Rainer is here to help, bringing years of expertise and fiery passion to the table. She enforces healthcare regulations, promotes healthy practice operations, and protects patient health information across the country. With years of dedication to civil rights and medical privacy, we can definitely expect to see a lot of settlements surfacing with Fontes Rainer in town.  

OCR Settles Case Concerning Improper Disposal of Protected Health Information
Fines, HIPAA

OCR Settles Case Concerning Improper Disposal of Protected Health Information

August 24, 2022 Comments Off on OCR Settles Case Concerning Improper Disposal of Protected Health Information

August 24, 2022 When it’s time to clean out and organize that ole garage, you probably want to take time to make sure all your sensitive and sentimental items – files, photographs, etc. – are in the right spot before taking them to the dump. It should be no different when it comes to disposing of old devices or hard drives at the office that contain sensitive ePHI, yet practices continue to fail. In recent news, the OCR announced a settlement for a dermatology practice located in Massachusetts that failed to properly dispose of protected health information. As a result, the dermatology practice agreed to pay the hefty fine of $300,640 to the OCR and implement a Corrective Action Plan to resolve the investigation. It may be obvious that paper records require proper disposal – in most cases, shredding or recycling – so that the information cannot be read by the wrong parties. Despite this being common practice,  the Massachusetts dermatology practice had PHI that was exposed. Improper disposal is even more common when it comes to disposing of electronic protected health information (ePHI) properly. It is critical that your practice understands how and where to dispose of PHI. But what exactly constitutes proper digital data disposal? Disposing of your PHI is not as simple as clicking the delete or trash button. If you do not completely delete these files from your devices, they can be recovered using high-tech software. The following are some thorough methods for properly disposing of PHI: There are lots of devices that could have been used to store PHI even though you would never realize they do. These devices include: Before you burn those electronic devices in a campfire, remember that HIPAA requires practices to keep PHI for at least 6 years, and maybe longer depending on your state. Devices containing data that is older than six years should be backed up before being wiped clean, and data should be encrypted while being kept. At the end of the day, whether it is boxes of important documents in your garage at home or PHI at your very own practice, it is critical to dispose of it properly and safely.

OCR Announces Eleven HIPAA Right of Access Fines
Fines, HIPAA

OCR Announces Eleven More HIPAA Right of Access Settlements

July 18, 2022 Comments Off on OCR Announces Eleven More HIPAA Right of Access Settlements

July 18, 2022 Waking up every morning is an eye-opening experience. Do you know what else is an eye-opening experience? Waking up to see all of the enforcement investigations the OCR launched against practices like yours. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the completion of eleven investigations in its Health Insurance Portability and Accountability Act (HIPAA) Right of Access Initiative. Under the HIPAA Privacy Rule, the OCR launched this effort to assist individuals’ right to timely access to their health records at a reasonable cost. HIPAA provides individuals with the right to view and get copies of their health information from their healthcare providers and health plans. A HIPAA-regulated entity has 30 days after receiving a request to provide an individual or their representative with their records in a timely manner. OCR Director, Lisa J. Pino, states, “Health care organizations should take note that there are now 38 enforcement actions in our Right of Access Initiative and understand that OCR is serious about upholding the law and peoples’ fundamental right to timely access to their medical records.”  Practices are no longer sneaking under the radar! The Office for Civil Rights (OCR) just concluded its thirty-eighth enforcement action since the HIPAA Right of Access Initiative began in 2019. Totaling over $646,000 across eleven penalties, the announcement of the verdicts includes eleven cases. Here is a brief breakdown of a couple of the cases just released by HHS:  The first dental action includes a $5,000 settlement for failure to comply with the Right of Access provision stating covered entities must permit individuals to inspect and obtain a copy of their PHI. An eye care practice made the mistake of not providing a copy of a patient’s medical records until three days after the OCR investigated. Now that is crazy! To settle a potential violation of the HIPAA Privacy Rule right of access standard, the practice agreed to take corrective actions and pay $22,500. Something as simple as not giving your patients access to their data quickly enough can result in a huge fine! One not-for-profit health system learned the hard way by not responding timely enough to a complainant’s access request. This cost the health system a whopping $240,000!  So, whether it’s responding to a request or delivering that request on time, you need to make sure your practice is on point to avoid these heavy penalties. As we can see the queen bee (Lisa Pino) isn’t joking around on pushing the OCR’s  HIPAA Right of Access Initiative across practices, we encourage you to ensure you have the right HIPAA compliance measures in place. So what’s the holdup? For less than a scratch-off ticket a day you can save your practice from those sneaky fines and become friends with Abyde today!

Oklahoma State University HIPAA Fine
Fines, HIPAA

Oklahoma State University – Center for Health Services Forks Over $875,000 to Settle Hacking Breach

July 15, 2022 Comments Off on Oklahoma State University – Center for Health Services Forks Over $875,000 to Settle Hacking Breach

July 15, 2022 What did the duck say when she went to buy lipstick? Put it on my bill! Speaking of bills (the money kind, not a beak), Oklahoma State University had to pay a huge bill of $875,000! It acts as a settlement for a huge hacking breach of the OSU CHS web servers. Oklahoma State University has agreed to pay the price and complete a corrective action plan over the next two years to resolve all of the violations of the Breach Notification Rules, Security, and HIPAA Privacy. OCR received a breach report in 2018 due to the hacking of the OSU’s web servers. They discovered that the hacker of this breach had access to 279,865 individuals’ electronic protected health information (ePHI). OSU found that the hackers had access to patients ePHI earlier than they originally thought, on March 9th, 2016. OCR Director, Lisa J. Pino, states, “HIPAA-covered entities are vulnerable to cyber-attackers if they fail to understand where ePHI is stored in their information systems.”  As technology in the healthcare business evolves, it is critical to understand how to appropriately secure personal health information (PHI) when being stored or sent. With cybersecurity dangers on the rise and electronic communication becoming more widespread, it’s imperative to secure your patients’ data. Encryption services are an excellent method to safeguard your practice and avoid those sticky HIPAA violations. Good news for you, you don’t have to be a sitting duck! (Cough, Abyde.)  The OCR reported that OSU failed to follow the HIPAA rules by: Unfortunately for the Cowboys, their failure to maintain proper security, risk analysis measures, and documentation of compliance cost them a large fine and put all of the OSU patients ePHI at risk. This breach, and corresponding financial settlement, highlight that even for huge organizations like OSU, the right risk analysis practices and HIPAA-compliant policies are a must in order to prevent impermissible safeguarding or access to ePHI.  Even as an independent practice, you may not feel like you have anything in common with a big fish like OSU. No matter if you’re a duck, fish, or cowboy, it doesn’t matter – everyone is monitored and at risk. As the penalties for these violations become more severe, it is more crucial than ever to ensure that your practice has a solid HIPAA program in place.

HIPAA Telehealth and Public Health Emergency Expiration
HIPAA, Legislation

HHS’s Recent HIPAA Guidance on Telehealth and Public Health Emergency Expiration

July 11, 2022 Comments Off on HHS’s Recent HIPAA Guidance on Telehealth and Public Health Emergency Expiration

July 11, 2022 Think you finally got the hang of telehealth? Don’t get too comfy just yet! The OCR recently released guidelines on how covered health care providers and health plans should utilize their remote communication technology to deliver audio-only telehealth services while also complying with HIPAA requirements. Why is Telehealth important? Let’s start at the beginning. Telehealth contributes to increasing a practice’s value and security by expanding access to health care across the nation and providing certain users who have difficulty using audio and video telehealth technologies. When systems are not properly secured, they pose risks to patient safety, health, and data. Cyberattacks and ransomware are extremely common in Telehealth and may quickly create issues that disclose medical information and other sensitive information. As a practice, it is critical and worthwhile to maintain excellent Telehealth especially now a days with the increased funding and resources the OCR has available. OCR Director, Lisa J. Pino, states, “Audio telehealth is an important tool to reach patients in rural communities, individuals with disabilities, and others seeking the convenience of remote options. This guidance explains how the HIPAA Rules permit health care providers and plans to offer audio telehealth while protecting the privacy and security of individuals’ health information.” With the OCR’s Telehealth Notification system possibly being taken down as early as July 15th, 2022, we recommend that practices stay alert and take every precaution by using your friendly, easy to use HIPAA-compliant software (hint Abyde) to assure full compliance today. The first step in remaining alert is to follow the guidance issued by the OCR in response to the recent news that the Telehealth Notification system may be shut down. The guidance below specifies the conditions under which telehealth may be utilized.  The HHS is authorizing HIPAA-covered businesses to conduct telehealth and audio-only services using remote communication technology. However, these services must be provided in a private environment to the best of the entity’s abilities, and the individual’s identification must be verified. Even though HIPAA does not apply to audio-only telehealth services delivered through electronic communication methods, when offering telehealth services through mobile devices or applications, practices may face HIPAA compliance issues. Therefore, practices should identify all potential risks and vulnerabilities to PHI confidentiality as part of the risk analysis process prior to the completion of the PHE. Abyde will do anything possible to make sure you’re on top of your compliance game because the OCR may show up at any time! Allow us to guide you through these future changes – from our incredibly simple software to our readily available education, we will be your buddy in ensuring that you are prepared for any obstacles that show up at your door.

OCR HIPAA Budget Proposal
HIPAA, Legislation

MORE MONEY, MORE PROBLEMS? OCR Budget Proposal Will Result in Greater Enforcement and More Fines

May 16, 2022 Comments Off on MORE MONEY, MORE PROBLEMS? OCR Budget Proposal Will Result in Greater Enforcement and More Fines

May 16, 2022 If you think the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) isn’t zeroed in on compliance, think again. OCR recently announced its request for a 55% increase in its overall funding, for a total of $60.2 million for the 2023 fiscal year. While this number may seem shocking, their plans for the money may make your jaw drop.  Let’s take a look at why the increase is needed.  Nearly 46,000 complaints were received in FY 2021, a dramatic increase from nearly 2,000 in 2003. Just this year, they’re expecting more than 28,000 related strictly to HIPAA. OCR states, “given the trend in complaints to OCR as well as the priorities articulated by the Administration, OCR anticipates a significant increase in the number of civil rights, information breaches, and cybersecurity complaints.” OCR opens an investigation for any breach that affects more than 500 people. In 2021, there were 714 of those instances, more than 30% growth over the last two years. Currently, OCR is limited to how many of these they can conduct a full investigation on. Imagine how powerful this could be if granted the resources to execute the necessary amount?! In addition, OCR is looking to add more regional investigators to address the backlog of existing complaints. With a goal of clearing the backlog by FY 2026, $8 million will be allocated to address the existing complaint inventory. OCR supports adding new regional investigators to “resolve new civil rights and HIPAA cases, address the backlog of complaints, and initiate compliance reviews in the Administration’s priority areas.” With a staff of 77 in 2020, they plan to add an additional 37 investigators and supervisory investigators in FY 2023. The budget accounts for a total increase of 64%, equating to 91 new employees. More staff could mean more knocks on your door!  Still think that you’re the one that got (or will get) away?! This next bit is for you. Increasing fines and the institution of injunctive relief are more immediate than 2023.  Not sure what a HIPAA violation could cost you? Don’t go get a tattoo of these any time soon – OCR is requesting increases based on a federal court evaluation. In 2019, then-OCR Director Roger Severino published a “notice of enforcement discretion” complementing the HITECH Act basing violation amounts on the party’s awareness and fault. While you could imagine this leaves some room for interpretation, the tiered fine structure will remain in place. Changing lanes, Injunctive relief essentially restrains a party from a certain action. OCR regulator, Adam Greene openly notes the HITECH Act “provides attorneys general with authority to seek injunctive relief.” Green continues to state, “If OCR were given authority to obtain injunctive relief, then it could require entities to take or discontinue actions –such as by requiring an entity to provide an individual with access to records or to discontinue a use or disclosure of protected health information – rather than only being able to penalize the entity after an act or omission occurs.” If you still aren’t convinced that OCR means business, let’s wrap up with a summary of what their request for extra dollar signs means for you. An increase in budget simply equates to an increase in resources – more employees to not only attack the existing backlog but the ability to complete more in-depth and frequent investigations. Higher fines and more meaningful corrective action plans mean greater penalties and violation costs. We hope you take your compliance seriously, OCR certainly is! Let us navigate these upcoming changes with you – from our simple software to our readily available education, we will be your companion in confidence that you are set up for any OCR changes that come our way.   

Are you sure you've got HIPAA covered? Get your compliance grade in 5 minutes.

TAKE THE CHALLENGE
X