HIPAA

COVID-19 Public Health Emergency Extended
HIPAA, Legislation

Public Health Emergency Extended Again: What it Means For Your Practice

January 22, 2021 Comments Off on Public Health Emergency Extended Again: What it Means For Your Practice

January 22, 2021 I don’t think anyone will be surprised to hear the latest Department of Health and Human Services (HHS) announcement that waivers related to the Public Health Emergency (PHE) – affecting telehealth, COVID-19 information sharing, and more – are (you guessed it) extended! Originally expiring January 21, 2021, waivers were instead extended again until April 20, 2021. While we all hope COVID-19 is behind us sooner rather than later, we won’t be surprised if waivers are extended again in April (after all, we’ve rung the false alarm 4 times now in saying that the PHE is expiring). Even if the light at the end of the COVID-19 tunnel takes a little bit longer, waivers will still expire, and the sooner your practice is prepared for that day – the better. When it does happen, the PHE expiring won’t mean that life will snap back to the way it was pre-pandemic (as much as we all wish that it could). What it does mean is that normal HIPAA regulations will regain effect – and that your practice needs to have the necessary compliance requirements ready to go if they aren’t already. So let’s recap what changed over the course of 2020 and what’s expected of your practice to remain in compliance when normal HIPAA enforcement kicks back into gear: PHI Disclosures Business Associates  Telehealth  2020 was a historic year for more reasons than just the National Public Health Emergency, and HIPAA enforcement saw record-breaking highs over the past 12 months. We can only expect these efforts to continue in 2021 especially once HIPAA waivers officially expire. If HIPAA is on your list to tackle in 2021 – and it should be, with recent legislation reducing fines for breaches if compliant – determining where you stand now and addressing any areas you’ve relaxed compliance in is a great first step!

$5.1 Million Dollar HIPAA Fine
Fines, HIPAA

OCR Announces 2nd HIPAA Settlement of 2021 with Health Insurer for $5.1 Million

January 15, 2021 Comments Off on OCR Announces 2nd HIPAA Settlement of 2021 with Health Insurer for $5.1 Million

January 15, 2021 Buckle your seatbelts – it’s only 15 days into 2021 and it’s already looking like this year will be a wild ride when it comes to HIPAA enforcement. The Office for Civil Rights (OCR) just announced another HIPAA settlement (and a doozy at that), bringing in not one but TWO fines just this week.   The latest (and greatest) HIPAA fine of 2021 was just awarded to Excellus Health Plan, Inc., a health insurance provider serving over 1.5 million people in New York. The settlement includes a whopping $5.1 million fine and a 2-year corrective action plan, the result of cyber attack affecting more than 9 million records along with a slew of other HIPAA Privacy and Security Rule violations. Fun fact: the OCR didn’t reach $5 million in total fines levied until September of last year, and today’s announcement means they’ve already exceeded the $5 million mark just 15 days into 2021 – talk about starting the year off strong!   Excellus’ story all started when the OCR received a breach report on September 9, 2015 that cyber-attackers had gained access to Excellus Health Plan’s information technology systems. Of note with this particular breach story is that the hackers in Excellus’ case were accessing their systems so long, they not only set up shop but practically built a whole mall to go with it – hanging out in the health plans’ database from December 23, 2013 allllll the way until May 11, 2015 – an entire year and a half.  Their overextended stay allowed the hackers to install malware in addition to other malicious activities that provided unauthorized access to the protected health information (PHI) of over 9.3 million individuals – improperly accessing everything from names, to addresses, social security numbers, financial information and clinical treatment information.  If having hackers in your IT system for almost 2 years wasn’t bad enough, the OCR also found that Excellus had violated some pretty important HIPAA rules, including:  As a great example of what NOT to do when it comes to your HIPAA and technical security programs, today’s fine also offered words of wisdom from the OCR: “Hacking continues to be the greatest threat to the privacy and security of individuals’ health information. In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year which endangered the privacy of millions of its beneficiaries,” said OCR Director Roger Severino. “We know that the most dangerous hackers are sophisticated, patient, and persistent. Health care entities need to step up their game to protect the privacy of people’s health information from this growing threat.”    One positive when it comes to increasingly concerning cyberthreats? The recently passed HIPAA Safe Harbor Bill offers your practice the chance to receive smaller HIPAA fines (even more important with the whopping $5.1 million precedent just set) IF you have the necessary safeguards in place 12 months BEFORE a cyber event. Even though data breaches and hacking incidents aren’t always in your control, practice’s preparation beforehand is – and could mean the difference between a smaller, manageable fine and ranking among the top 10 greatest hits on the OCR’s fine list.    

HIPAA Safe Harbor Law
HIPAA, Legislation

What is the New HIPAA Safe Harbor Law?

January 14, 2021 Comments Off on What is the New HIPAA Safe Harbor Law?

January 14, 2021 There’s a lot of legislative changes coming in 2021 (including changes to the HIPAA Privacy Rule) that affect your practice’s HIPAA program, but there’s at least one change we think you should be pretty thrilled about. We’re usually pretty happy about HIPAA (we know, we’re weird, but we’ve accepted it) – but what should make your practice just as happy? Well, after an unprecedented year of cyber threats and HIPAA enforcement, recently ratified changes to the HITECH Act include some really good news – reduced HIPAA fines and penalties for data breaches if practices have proper security measures in place. What Changed HR 7898, or the HIPAA Safe Harbor Bill, was officially signed on January 5th, 2021, and amends the HITECH act to require the Department of Health and Human Services (HHS) to take into account if practices have “recognized cybersecurity practices” in place when investigating a data breach, and to be lenient with their fines or other enforcement actions if the practice has met all the basic technical safeguard requirements.  Translation: if you have the right HIPAA Security Rule basics down, and appropriate technical safeguards to mitigate your identified threats, you’ll be able to stress less when a breach occurs – and see a lot fewer $$$ from the HHS. See why it’s not just us that should be happy about this one?  What Else to Know So smaller fines is a major plus – but what’s the fine print? Like any law, there are a few caveats to make sure your practice gets to enjoy these incentives:    The next question – what does “recognized cybersecurity practices” mean?  What to do NOW To put it frankly, if you don’t have the required security standards in place already – it’s time to get a move on. Implementing these recognized security practice’s could mean the difference between a hefty fine or enforcement effort in the case that your practice ever falls victim to a data breach or other HIPAA violation – which is often out of your control.  What’s really important about this law change is that having some cyber security measures in place does not cut it – if you don’t have the specific measures required under the HIPAA Security Rule (that Security Risk Analysis, documentation, and more) you will not meet the requirements outlined in HR 7898. This is another way compliance and security go hand in hand – and to get the benefits of reduced fines, you’ll need both.

HIPAA Right of Access Violations
Fines, HIPAA

OCR’s First Settlement of the Year: More HIPAA Right of Access Violations

January 12, 2021 Comments Off on OCR’s First Settlement of the Year: More HIPAA Right of Access Violations

January 12, 2021 The Office for Civil Rights (OCR) wasted no time starting on their new year’s resolutions, announcing their 14th settlement as part of the HIPAA right of Access initiative just 2 weeks into 2021. Patient right of access fines are starting to become a monthly occurrence, and it’s no surprise that the OCR would start off the new year with the same enforcement efforts they ended 2020 with. Banner Health, an Arizona-based non-profit health system operating 30 hospitals, primary care, urgent care, and specialty care facilities across the country, became the OCR’s first victim of the year with the largest right of access fine to date – $200,000.  This hefty payout comes as a result of two separate complaints filed against Banner Health, both highlighting the health systems noncompliance with the HIPAA right of access standard.  If today’s settlement isn’t enough reason to avoid dragging your feet on records requests and getting HIPAA compliant ASAP, maybe the latest statement from OCR Director Roger Severino will seal the deal: “This first resolution of the year signals that our Right of Access Initiative is still going strong and that providers of all sizes need to respect the right of patients to have timely access to their medical records.”   The OCR has clearly hit the ground running with HIPAA enforcement in the new year and it’s more important than ever to get your practice compliant. OCR Director Roger Severino has been beating the same right of access drum for over a year, and it’s no surprise given that audit results released just this past December show that most covered entities (a whopping 89%) don’t meet patient access requirements. Concerned your practice falls in that boat? Schedule a consultation today with one of our HIPAA experts to see where you currently stand and what you need to do to avoid falling into the government’s crosshairs in 2021.       

2020 HIPAA In Review
HIPAA

2020 HIPAA In Review

January 7, 2021 Comments Off on 2020 HIPAA In Review

January 7, 2021 Sound the air horns, blare your favorite pump-up jam, let loose your last few New Year’s streamers – we made it through 2020! Some of us picked up a new hobby, some just made ‘staying sane’ a hobby (raising our hands over here), but the fact is we made it through the year and have come out ready to weather what 2021 will throw our way. We know, we know – we want to close the book on last year, put it away in a very heavily locked box, and tuck that box in a corner of the attic we’ll quickly forget exists too (just us?). So why on earth do we want to recap 2020 instead? Well, record-breaking HIPAA enforcement, emerging cyber threats, new audit data, and ongoing trends in HIPAA are probably worth remembering – especially if keeping up to speed means protecting your practice in 2021. So here’s a recap of what happened with HIPAA this past year, and what we can expect to continue moving forward:    1. HIPAA Waivers and Enforcement Discretions You probably remember February/March as an era of toilet paper hoarding and “sorry I was on mute” as we collectively figured out Zoom meetings. But it was right around this time the Department of Health and Human Services (HHS) officially declared a National Public Health Emergency (PHE) and implemented HIPAA waivers with limited enforcement discretions. These waivers provided additional leniencies for providers and their business associates to use and share patients protected health information (PHI) for very specific purposes related to the PHE, and allowed for greater flexibility with telehealth services. After several extensions of the declared PHE, these limited waivers are still in effect until January 20, 2021 – but that doesn’t mean your practice is off the hook. Ensuring that you are up to normal HIPAA standards, such as implementing compliant telehealth solutions before the PHE expires, is the best, and perhaps the ONLY way to protect your practice from a hefty fine.    2. Rising Cyberattacks In the midst of all the COVID-19 hysteria, the healthcare industry faced yet another plague – cyberattacks. Cyberthreats have reached all-time highs over the past year, with hackers leveraging public vulnerability and remote operations to their advantage. Healthcare data is ten times more valuable on the black market than credit card information and makes your practice a prime target for hackers.  Many of 2020’s fines were the result of data breaches, most of which revealed a “systemic lack of [HIPAA] compliance” (as the OCR put it), and one of which resulted in the second-largest HIPAA fine to date of $6.85 million. While a cyberattack may be impossible to fully prevent, having a complete HIPAA program and reasonable safeguard in place is still expected. In short, if your practice doesn’t have basic HIPAA requirements like a Security Risk Analysis (SRA), the OCR will show no mercy in using a breach incident to slap your practice with a HIPAA fine.  In addition, many business associates were hit heavily with cyberattacks, ransomware, and breaches in 2020. Having proper Business Associate Agreements, a HIPAA requirement is essential to protect your practice from liability if a cyberthreat were to impact one of your vendors. A missing agreement could leave your practice with a fine – even if the breach was completely beyond your control. Review or complete business associate agreements with any vendor who may fall in this category as soon as possible to protect yourself, and make sure your HIPAA program basics (including training, your SRA, and proper documentation) are all up to speed.  3. Patient Right of Access Featuring heavily in 2020’s enforcement efforts was the patient right of access initiative. This hot topic accounted for over 50% of 2020’s total settlements, ranging from $3,500 (the smallest HIPAA fine to date) to $160,000. Each practice affected failed to provide patients or their authorized personal representatives with access to requested medical records within the HIPAA-mandated time frame. In fact, two instances were only resolved after the individuals involved complained a second time to the OCR, and one covered entity didn’t provide the requested records until almost three years after the initial request was submitted.  To put that in perspective, most state and federal regulations require records to be provided within 30 days of the patient request. This enforcement trend will only continue, especially as the Department of Health and Human Services looks to update HIPAA Privacy Rule provisions and enhance patient access to their health data in 2021.  4. 2021 and Beyond With increased enforcement, the likelihood of a HIPAA investigation has become a matter of ‘when’ instead of ‘if’. If your practice is a smaller one, the OCR has emphasized that you’re not immune – in fact, OCR Director Roger Severino recently urged the importance of compliance for “offices, large and small” as part of the OCR’s patient right of access initiatives.    2021 brings the opportunity to do more than just ‘make it’ through the year – the most important thing you can do for your practice is to get a complete HIPAA program in place now, before an incident occurs, to prove your compliance and avoid any costly HIPAA fines. Worried you might be missing something? Don’t stress! Register for a consultation with one of our HIPAA experts to learn what your practice must have in place when it comes to HIPAA compliance.  

HIPAA Summit Takeaways and OCR Guidance
HIPAA, Legislation

HIPAA Compliance Insights: Summit Takeaways and OCR Guidance

January 7, 2021 Comments Off on HIPAA Compliance Insights: Summit Takeaways and OCR Guidance

April 3, 2024 Happy Wednesday! Let’s crush the rest of the week! While we are battling our Hump Day blues, let’s turn this Wednesday into a learning opportunity.  A HIPAA Summit was held, introducing new updates to HIPAA legislation. Want the quick 411? You’ve come to the right place!  Part 2 Final Rule We go into more detail about this in our article here, but new legislation regarding the confidentiality of Substance Use Disorder patient records has been released.  You need to know that:  The full rule can be found here.   Cybersecurity Resource Revision The National Institute of Standards and Technology, or NIST released some new resources for cybersecurity measures. These resources include explanations of the HIPAA Security Risk Analysis and actionable steps to implement these measures. To read more about these resources, click here. HIPAA Online Tracking Technologies  Online tracking technologies have been at the forefront of recent compliance cases like the 300,000 dollar fine given to the NewYork-Presbyterian Hospital due to website tracking.  The OCR is on it, issuing guidance on how to properly use tracking technologies.  What you need to know is that when using tracking technologies: Enforcement Highlights Unfortunately, we’ve seen a major spike in patients impacted by HIPAA. In 2023, over 134 MILLION were exposed to a large HIPAA breach.  What You Can Do First, sorry for the information overload, but it’s vital to know for your practice.  By following these guidelines, you’ll provide an even more positive and secure experience for your patients. An easy way to stay compliant is with Abyde. The Abyde software offers a plethora of compliance resources, making compliance simple.  We offer the latest information and entertaining training for your practice, always keeping you on your A-game. Want to avoid common HIPAA mistakes? Use Abyde! We turned the Security Risk Analysis into an intuitive questionnaire that can be completed in minutes. We also offer dynamically generated documentation, including Business Associate Agreements that can be completed in seconds!  Want to see where your compliance currently stands? Email us at info@abyde.com and schedule a consultation here! 

HIPAA Compliance FAQs
Best Practices, HIPAA

Compliance FAQs: Get Answers to Your Top HIPAA & OSHA Questions

January 7, 2021 Comments Off on Compliance FAQs: Get Answers to Your Top HIPAA & OSHA Questions

March 11, 2024 Let’s be honest: compliance can be complicated. With all the regulations, sometimes it feels like you’re making mistakes you don’t even know.  But with Abyde, it doesn’t have to be.  We have an A-list Customer Success team, ready to answer your questions. This week, we’re rolling out the red carpet for these compliance experts We’re interviewing our CS celebs on the HIPAA and OSHA questions they receive the most. Read below to get the inside scoop on what you need to know for your practice.  A child on a parent’s insurance just turned 18, while I know they have to sign consent forms, do the parents need consent to see or request their records?  Sorry, new grown-ups! Parents do not need consent to see their child’s records, they can do so for the purposes of insurance, or payment. It has to be the minimum information shared. Oh no! An employee was poked with a contaminated needle and needs to be tested. Who is responsible for paying for the tests?  The employer! It is the employer’s responsibility to take care of their employee in this situation. Whether it be through their insurance or Workers’ Compensation, or paying it directly, it is the employer’s responsibility.  Why do I need a Business Associate Agreement, aren’t they already HIPAA compliant? First, Business Associate Agreements are a requirement of HIPAA, and outline the rights and responsibilities of a Business Associate (BA) and a Covered Entity’s (CE) partnership. The BA agreement keeps both parties on the same page and protects your practice if there is a breach on their end, having this documented expectation of a BA’s responsibilities.  Why do I need to ask my employees if they’ve received their Hepatitis B vaccination?  Well, if the employee has the potential to be exposed to Bloodborne Pathogens (BBP) or Other Potentially Infectious Materials (OPIM), the employer has to give them the option to be vaccinated. Depending on the state, your employees must be vaccinated against Hepatitis B.  Do the doctors have to do HIPAA/OSHA Training? They own the practice.  Yes, even if doctors own their practice, they still need to ensure compliance with HIPAA. All employees must complete training, even the owner of the practice.   HIPAA regulations are designed to protect patients’ sensitive health information, regardless of whether the provider is part of a large institution or an independent practice.  Therefore, doctors who own their practice must undergo HIPAA training to understand their responsibilities and ensure that their practice adheres to HIPAA regulations. Do I need to report my breach to the OCR?  Just like a fender bender doesn’t require the same reporting as a 10-car pile-up, not all breaches need to be reported. For instance, breaches that affect 500 or more patients must be reported to the OCR.  However, you will want to log ALL incidents in your Abyde Breach Log, even if OCR reporting isn’t necessary. As you can see, our compliance experts are here to clear up any compliance confusion for you. At Abyde, we want to simplify compliance for your practice or business, and our awesome CS team is a testament to that. To learn more about how Abyde is the solution for all of your compliance worries, email us at info@abyde.com and schedule a compliance consultation here for Covered Entities, and here for Business Associates. 

HIPAA Compliance and Security
Cybersecurity, HIPAA

Compliance and Security: A Match Made in HIPAA Heaven

December 29, 2020 Comments Off on Compliance and Security: A Match Made in HIPAA Heaven

December 29, 2020 Peanut butter and jelly, macaroni and cheese, rock and roll – there’s really no mistaking that some things are just better in pairs. While these might be the obvious examples to tag along with the old 80’s hit “It Takes Two to Make a Thing Go Right”  there’s another dynamic duo that plays an important role in your practices’ daily operations: Compliance and Security.  Compliance and security go hand-in-hand, making the perfect team when it comes to protecting patient data. But falling into the trap of thinking that achieving one means meeting the other can mean double trouble for your practice – so it’s important to understand the differences between the two and how to ensure you’re checking both off your list.  What is compliance? Compliance is kind of like the bread and butter of your practice. It essentially focuses on the regulatory requirements involved in the protection of sensitive patient data – meaning that you not only have a secure technical environment but also have the know-how and documentation to prove it. Compliance is a comprehensive set of standards that practices must meet to avoid fines but should be viewed as more of a baseline when it comes to security, not the end all be all. Complying with HIPAA means meeting various requirements outlined in the HIPAA Security and Privacy Rule – but there’s more to the story when it comes to ensuring that patient data is fully protected.  What is security?  Security is the whole system of policies, processes, and technical controls specific to your practice. The goal of security is to ensure the best possible protection of the confidentiality, integrity, and availability of patient data – which in the age of technology means constantly updating to mitigate the risk of ever-changing threats. When we think of security we often think of locks on practice doors and passwords on computers but those safeguards only brush the surface of true security.  Having the proper technical safeguards in place, and staying up to date on any new threats, such as the recent threat to Microsoft Exchange vulnerabilities knowing how to properly mitigate a potential threat, and staying educated are just some ways to meet your practice’s security needs.   So, what’s the difference?  While both are crucial in protecting patient data, security and compliance are not one and the same. The key distinction between the two is that compliance requirements are a bit more predictable whereas security standards are rapidly evolving with current risks and threats. This, unfortunately, means that even if you check off each of the compliance requirement boxes doesn’t exactly mean that your practice is 100% secure –  which is why you are still at risk for a cyberattack even if you have a complete HIPAA compliance program in place.  Why you need both!  Just like Batman and Robin, when you put the two forces together – they’re pretty unstoppable. And with cyberattackers playing the role of the modern-day villain, establishing strong compliance AND security programs are the best, and perhaps the only way to ensure you’re taking every measure to protect patient data. 

Importance of Record Requests
Fines, HIPAA

OCR Announces 13th Right of Access Fine, Drives Home Importance of Record Requests

December 22, 2020 Comments Off on OCR Announces 13th Right of Access Fine, Drives Home Importance of Record Requests

December 22, 2020 The Office for Civil Rights (OCR) has been in the giving spirit the past few months, and they couldn’t close out 2020 without handing out at least one last holiday gift. We know there’s only 12 days of Christmas as the song goes – and we don’t think the OCR will be handing out lords-a-leaping or piper’s piping anytime soon – but there IS one more gift not mentioned in the classic song (at least the OCR 2020 edition): 13 patient right of access fines. The latest settlement adds to quite a historic year for HIPAA enforcement – and proves just how unprepared many practices have been when it comes to HIPAA compliance. This week’s extra gift went to Peter Wrobel, M.D whose practice Elite Primary Care out of Georgia found themselves doing a little extra holiday spending this year after settling with the OCR for $36,000.  The settlement resolved a patient right of access complaint from April 2019, which took over a year to fully wrap (present-related pun intended). Here’s the highlights from this latest fine: Important notes for any covered entity? Make sure to provide records in a timely manner, AND in the way the patient requests them. Additionally, requests can be submitted in any form (verbal, written or otherwise) but documented, written requests are always key to best protecting your practice and meeting timeframe requirements. Take a minute to brush up on how to handle access requests if your practice needs a refresher. Taking over a year to get records access is already a bad call, but proposed changes to the HIPAA Privacy Rule will make the typical 30 day timeframe to provide records even shorter. When it comes to patients getting access to their own PHI, the OCR is serious about keeping covered entities of all sizes in line.  While this may not have been the gift Elite Primary Care was wishing for this year, it did come with is some wise words of advice from OCR Director, Roger Severino: “OCR created the Right of Access Initiative to address the many instances where patients have not been given timely access to their medical records. Health care providers, large and small, must ensure that individuals get timely access to their health records, and for a reasonable cost-based fee.”  We hope your practice gets a better gift this year than a hefty fine – but if you aren’t certain where you stand, get the gift of confidence in your HIPAA program by scheduling an educational webinar today!   

Latest HIPAA Audit Industry Report
Audits, HIPAA

Latest HIPAA Audit Industry Report

December 18, 2020 Comments Off on Latest HIPAA Audit Industry Report

December 18, 2020 End of year report cards are in (or at least they are for covered entities) and the HIPAA compliance grades the Office for Civil Rights (OCR) & Department of Health and Human Services (HHS) just handed out are not ones to write home about. Just yesterday, the HHS released their latest HIPAA Audits Industry Report grading providers and business associates’ on their level of compliance with HIPAA regulations.  The report evaluated audit results from 166 covered entities and 41 business associates, focusing specifically on compliance with the Notice of Privacy Practices, patient records access, breach notifications timeliness and content, the Security Risk Analysis, and appropriate risk management programs. While the full report is pretty lengthy, we’ve compiled some of the top takeaways from these latest results: So what does this data tell us? In some ways, nothing new – all of the areas audited have factored heavily into recent OCR enforcement activity, and highlight the same trends we’ve seen all year. If not part of recent enforcement, these areas factor into the recent proposal to modify the HIPAA Privacy Rule, including proposed adjustments to the Notice of Privacy Practices. “The audit results confirm the wisdom of OCR’s increased enforcement focus on hacking and OCR’s Right of Access initiative,” said OCR Director Roger Severino in addition to the latest report, “we will continue our HIPAA enforcement initiatives until health care entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records.”  What NEW information can we take away from these results? Organizations are STILL. NOT. COMPLIANT. Many of the covered entities or business associates audited produced what they thought was sufficient evidence, but did not meet actual HIPAA requirements. Some weren’t even close – when asked to produce an SRA, entities provided irrelevant documents like a patient’s insurance prescription coverage and rights; a document discussing pharmacy fraud, waste and abuse; and a conflict of interest and code of conduct employee sign-off page – none of which are even semi-related to an actual SRA.  If your practice wants to get a slightly better HIPAA grade than the ones in this recent audit, ensuring you have the PROPER documentation in place, and meet ALL HIPAA requirements is key. If HIPAA isn’t your best subject, a software solution like Abyde is the tutor you’ve been needing to help walk you through the process to get an A+ (plus avoid hefty HIPAA fines, stress over your HIPAA program, and general unhappiness).

Are you prepared for OSHA's Workplace Violence Prevention requirements? Learn what you need to do to be compliant.

DOWNLOAD CHECKLIST
X