March 3, 2021 Short answer? Nope. Long answer, having a ‘HIPAA compliant’ seal can actually get you in hot water – just ask SkyMed International, Inc., who was hit with a 20-year corrective plan – no, not by the Office for Civil Rights, but by the Federal Trade Commission (FTC). FTC? What? That’s right, this recent HIPAA related event actually got a business in trouble for displaying a ‘HIPAA Compliant’ seal, when the organization falsely advertised their ‘compliance’…except that they ended up experiencing a massive data breach exposing the sensitive information of over 130,000 individuals and after investigation were found to be anything but HIPAA compliant. So, when it comes to those ‘seals of compliance’ you’ve probably heard about or seen around, in most cases they don’t mean anything – and could actually wind up getting a practice in trouble for false advertising. There’s no industry certification around HIPAA – trust us, we would be first in line if there was! – and having a certified statement is also a no-go, since there’s no legitimate organization that offers those certifications to back it up. If you DO have a HIPAA seal or badge of some kind, don’t panic! That doesn’t mean you’re in trouble – depending on what your seal proclaims. Where the FTC raises the red flag is if there’s any statement of ‘compliance’ included. On the flip side, consumers can get peace of mind when they know their healthcare provider has a compliance program (note, program, not statement OF compliance) in place. So if you indicate that you follow HIPAA best practices, carry on! If, however, your website states that you ARE compliant, you may want to double-check your verbiage before the FTC gets involved. As much as we wish HIPAA could be as simple as just following a checklist once and receiving a nice shiny badge of compliance that your practice’s website could wear proudly, it’s not. HIPAA compliance is an ongoing process and requires constant review and updates for ANY organization, regardless of their size or specialty. So while a compliance seal isn’t an option – maintaining a complete compliance program is (and a required one at that!)
When & Why You Need a HIPAA Authorization Form
February 18, 2021 If you’ve been managing your HIPAA program manually, maybe even using an old HIPAA binder, you probably associate HIPAA with a lot of paperwork. While most of your HIPAA program can now be tackled digitally (and with a time-saving partner, hint hint), there are some papers that are 100% still relevant – like the HIPAA Authorization Form. What is a HIPAA Authorization Form, and when do I need one? Having a signed HIPAA Authorization Form is one of the many requirements under the Privacy Rule. The authorization form (sometimes called a patient HIPAA consent form), essentially serves as a handy dandy permission slip allowing a practice or business associate to use or disclose protected health information (PHI) in the ways a patient wants their data used. Now, just to clear things up, there ARE times you can disclose PHI WITHOUT an authorization form – namely, for regular healthcare payment, treatment, and operations. This means that patients can be treated without an authorization form and that you can share their data as necessary to conduct business without penalties under HIPAA. There are some additional specific scenarios where you don’t need a signed authorization form to share PHI, but most important to note are when you DEFINITELY should have a consent form signed. This includes when PHI is used or disclosed: Without getting the green light from the patient (in writing) in any of these circumstances, your practice can get into some pretty big trouble. What should be included on the HIPAA Authorization Form itself? If you’re thinking of a lengthy legal document, you’re actually in for some good news – the Authorization Form can be short, sweet, and to the point as long as it covers the following key pieces: In addition to the specific elements that must be included within the document, there are also a few statements that should be outlined including: How long does the authorization remain valid? The Authorization form remains in effect until the listed expiration date or event that was listed when the patient signed the form. We recommend reviewing your authorization forms every few years or so however, to confirm none of the data has changed and anytime an outside event would require a new form (such as a name change, patient who turns 18, or other scenario). The patient also has the ability to change their mind at any time, and can revoke their authorization (in writing) whenever they choose. Why do I need one? You don’t have to be an expert on the ins and outs of HIPAA to know that it’s main focus is to protect the privacy and security of patient information. The authorization form helps to do just that – limit patient information to the organizations or individuals designated by the patient to receive their health conditions, insurance information, and any other sensitive data housed within your practice. By getting a form signed from each patient, you’re protecting both the patient and your practice to best disclose information as designated and without any surprises. After last year’s enforcement trend centered around patient right of access along with the recent proposal to modify the HIPAA Privacy Rule (with some specific changes related to patient authorization and the Notice of Privacy Practices), giving your practice a head start on meeting important HIPAA standards now is key. If you aren’t using an authorization form, there’s no better time like the present to start implementing a form that fully complies with the Department of Health and Human Services requirements.
OCR Announces 16th Right of Access Settlement
February 12, 2021 Today the Office for Civil Rights (OCR) is celebrating their Sweet 16 – sixteenth HIPAA Right of Access fine, to be exact. Instead of party hats and birthday cake, they’re kicking off the festivities with a hefty settlement and second HIPAA fine this week. The not so lucky guest of honor is Sharp HealthCare, d.b.a. Sharp Rees-Stealy Medical Centers (“SRMC”), a health care provider based out of California. SRMC was gifted with a $70,000 fine along with a 2-year corrective action plan for violating HIPAA right of access requirements. The ‘party’ began back in June of 2019 after the OCR received a complaint stating that SRMC failed to respond when a patient requested an electronic copy of their protected health information (PHI) be sent to a third party (sound familiar?). The ‘party’ didn’t stop there, when even after providing technical assistance the OCR received a second complaint just two months later alleging that SRMC had still yet to provide the requested access. It wasn’t until after the OCR investigated further that SRMC finally fulfilled the patient’s request. Not only did today’s announcement take the cake (party pun intended) for the second fine released just this week, but the details of the most recent settlements are so similar we feel like we’re seeing double. Both fines were a result of patient right of access violations, and more specifically for the failure to provide an electronic copy of health records to a third party. So the lesson to be learned? Ensure your practice is providing access in a timely manner and in the way it was requested. Acting OCR Director, Robinsue Frohboese emphasized the government’s continued focus in today’s press release, “Patients are entitled to timely access to their medical records. OCR created the Right of Access Initiative to enforce and support this critical right.” After a historic year in HIPAA enforcement, four HIPAA settlements in the first two months of 2021 should come as no shock. If crashing the HIPAA violation party isn’t something you’re keen on (we’re not the life of the party ourselves, but even we don’t think that would be too much fun) then having the right policies and procedures in place along with the proper employee training on how to respond to record requests is key.
What is the Breach Notification Rule?
February 12, 2021 Don’t shoot the messenger, but HIPAA breaches continue to skyrocket over the last few years – making your practice increasingly likely to experience a breach related to cyberthreats, human error, or other means. While we wish we had better news, we CAN at least help make sure that if a breach were to occur you’ve got the low down on one of the less common, but very relevant, aspects of HIPAA – the Breach Notification Rule. Any type of breach of patient data (verbal, technical or paper-based) counts as a breach of information. The OCR has some specific requirements for you to follow in the event of a breach – namely, what types of notifications are required and who needs to be alerted if the worst should occur. So while we’re not wishing a breach on anyone, let’s walk through the key aspects of what to do next – just in case – when it comes to responding to a breach. Step One: Assessing a Breach First, whether your breach is suspected or pretty much a done deal, you need to assess the breach and determine the who, what, when, where and how of the incident. This is essential to finding out whose data is affected as well as what the likely ramifications are of the breach, and will inform how you handle breach notifications. Step Two: Notifying the Right Parties Once you’ve finished assessing a breach, you’ve only explored the tip of the iceberg. You know you have a major issue on your hands – so now what? Your first step is to get the right people – affected patients – informed as well as notify the Department of Health and Human Services (HHS) in all cases where a malicious or unknown breach has occurred. You may also have some state-specific parties that need to be notified as well, though this varies by your specific practice location. Step Three: Providing the RIGHT Information There are quite a few specifics that must be included in your apology letter, and just to make things even more complicated, states have different requirements here as well. A few of the basic elements include a brief description of what happened, the suspected or confirmed dates of the incident, and a description of the type(s) of protected health information (PHI) involved, any steps individuals should take to protect themselves from any potential harm, and a description of what the covered entity involved is doing to investigate the breach, mitigate harm to individuals, and to protect against any further breaches. You’ll likely also need to include contact information for affected parties to reach out to for additional questions. Step Four: Providing TIMELY Information We’re sure it’s no surprise that your practice doesn’t have carte blanche control over when you provide breach notifications. The OCR actually lays out some pretty specific timelines here, including that: Either way, reports should always be done through the HHS breach portal, and we highly recommend submitting those breaches as soon as possible to proactively correct and mitigate any threats (and any resulting HIPAA fines you might be up for as well). Additional Steps While data breaches are usually out of anyone’s control, the way your practice actually handles the incident is the important part – and will help you avoid a resulting HIPAA fine. This is probably the never several steps in our book – not only handling the breach notification rule requirements but also mitigating the threat(s) and preventing future violations. There are likely other specific requirements you need to meet as well (by state again…seriously, don’t shoot the messenger!) and having a complete HIPAA program, including breach notification policies and procedures, will help you get the right information for your specific scenario and check all requirements off your list.
OCR Settles 15th Right of Access Violation
February 10, 2021 The Office for Civil Rights (OCR) started 2021 off with some heavy hitters – including a $5.1 MILLION fine only 15 days into the year – but their fifteenth HIPAA right of access settlement (and counting – we’re taking bets on how many they get in before the end of the year) emphasizes they’re not just going after the big guys when it comes to keeping HIPAA programs in check. Renown Health, P.C., a private, not-for-profit health provider out of Nevada, became the third HIPAA violator of the new year after failing to meet HIPAA right of access requirements back in 2019. The violation came with a hefty penalty of $75,000, along with a 2-year corrective action plan. So what happened? This time two years ago, the OCR received a complaint that Renown Health failed to fulfill a patient’s request for an electronic copy of their medical and billing records. In this particular instance, the patient had requested to have it sent to a third party – something that HIPAA not only allows for, but expects providers to fulfill. Singing the same tune as last year’s many access-related fines, it wasn’t until after the OCR got involved and investigated further that Renown Health finally provided access to all of the requested records. Acting OCR Director, Robinsue Frohboese, weighed in on the latest settlement, “access to one’s health records is an essential HIPAA right and health care providers have a legal obligation to their patients to provide access to their health information on a timely basis.” What this means for you With 15 right of access settlements under their belt, the OCR has made it clear that providing proper access in the way records are requested is key – not to mention the ticking clock (30 days, or less depending on the state) that goes with any record request. With the proposed changes to the HIPAA Privacy Rule suggesting an even shorter time frame to respond to record requests, providing timely access should be on every practice’s radar. If it’s not, or even if it is, making sure to have documented policies around how records are provided and recording requests in a written format is key to preparing your practice should you wind up as part of the OCR’s right of access crusade. Not sure where your current HIPAA program stands, especially when it comes to patient’s access rights? Schedule a complimentary consultation with one of our HIPAA experts today to see what you might be missing before it’s too late!
2020 HIPAA Breaches Reporting Deadline is March 1st
February 5, 2021 2020 was certainly not the year anyone planned, and despite your best intentions, the transition to remote operations and reliance on new technologies may have led your practice to experience a (hopefully minor) HIPAA breach last year. If you had a major breach (500+ patients affected) you’re a little late to the reporting party (breaches affecting over 500 patients should be reported within 60 days, or sooner depending on your state). If fewer patients were affected and you only had a minor breach on your hands, mark your calendars for the upcoming small breach reporting deadline on March 1st. What types of incidents are HIPAA breaches, and how do I know if I have to report it? Any instance in which protected health information (PHI) was exposed in violation of the HIPAA Privacy Rule or HIPAA Security Rule counts as a breach of HIPAA. This could be as small as sending an email containing PHI to the wrong person, or as big as a hacking incident affecting hundreds of patient records. While we wish there was a ringing alarm to signal a breach has occured, many breaches aren’t as easy to detect. If you just aren’t sure, first assess the scenario to help make that determination – particularly what the risk is that the PHI possibly exposed would be used for ‘malicious intent’. We’re big believers in the “better safe than sorry” mentality, and recommend reporting any incident that could be a breach to meet all the necessary reporting requirements. What qualifies as a ‘small’ HIPAA breach? HIPAA classifies minor breaches as incidents impacting 500 individuals or less. Even if the breach only involved a single patient, it still counts as a breach and should be reported no later than 60 days after the end of the calendar year (aka, March 1st). The ONLY case in which a breach of this kind might not need to be reported is if you can determine with absolute certainty that the data exposed won’t be misused or has been permanently deleted. (P.S., if your breach fell into that 500+ patients bucket, while you’re a little behind we still recommend submitting a late report, instead of no report at all, to reduce the penalties you might face.) What if my business associate experienced the breach, do I have to report it? While the Office for Civil Rights (OCR) does encourage business associates to report breaches themselves, the responsibility of getting the report in correctly and on time ultimately falls on the practice. If one of your third-party vendors experienced a breach in 2020, it’s best to check with them to ensure that the breach was reported or report the breach yourself to make sure you’re covered (again – better safe than sorry!). Even if you have a Business Associate Agreement (BAA) in place with the vendor and an incident is completely out of your hands, failing to report the breach by the deadline can still result in HIPAA fines. Reporting HIPAA breaches of any kind is extremely important to avoiding further fines and penalties. If you do have to make a report – you’re not alone. Only 44% of healthcare organizations actually meet cybersecurity standards, meaning a LOT of organizations wind up with data breaches even if they have solid HIPAA programs in place. There is some good news however with the new HIPAA Safe Harbor Law. You could qualify for reduced HIPAA fines if and only if you can prove that your practice has had the necessary technical safeguards and HIPAA requirements in place for 12 months before the breach. So, the short version? Make sure you report ANY possible or confirmed small breaches that occurred in 2020 by March 1st to avoid further penalties. If you DON’T have a HIPAA program in place but still have a breach to report we highly recommend getting a program in place ASAP to help reduce possible fines or other penalties.
What is the HITECH Act and How Does it Relate to HIPAA?
January 28, 2021 Trying to understand all of the complicated rules and regulations your practice needs to follow can sometimes feel like keeping up with the Joneses – but HIPAA isn’t the only compliance rulebook your practice needs to follow, and other laws (both new and old) impact your practice operations and your HIPAA compliance program – enter the HITECH Act. Whether it’s your first time visiting our news page (welcome!) or you’re a regular reader (welcome back!) you might’ve seen last week’s article covering the new HIPAA Safe Harbor bill that offers practices reduced HIPAA fines IF they have reasonable security safeguards already in place before a breach. The bill amends the HITECH Act to incorporate this change, but if you aren’t even sure what the HITECH Act really is, let’s take a step back and cover what the Act means for you and where these new changes come into play. The What The ‘Health Information Technology for Economic and Clinical Health’ Act, or HITECH Act (much easier to say), was signed into law way back in 2009 to essentially promote the implementation of health information technology, specifically the use of electronic health records (EHRs), by healthcare providers. Transitioning from paper to electronic records was (and still is) time-consuming and costly, and the HITECH act provided incentives for making the switch – while also ensuring that healthcare organizations along with their business associates remained in line with HIPAA law as they upgraded their systems. The Why So you might be thinking – well doesn’t HIPAA law already promote the secure usage of EHR’s? You’re right (high five!) but the HITECH Act goes one step further and expands the enforcement and strength of HIPAA regulations related to technical requirements within the HIPAA Privacy and Security Rules. Thanks to the HITECH Act, violation tiers were introduced, increasing financial penalties for HIPAA violations and ultimately giving the Office for Civil Rights (OCR) more money in the bank to go after non-compliant covered entities. The HITECH act was also designed to answer questions around how to offer the same HIPAA protections to electronic protected health information (ePHI), not just physical PHI, as practices went digital. This included: Where the HIPAA Safe Harbor Bill Fits In Fast forward to 2021, and all the same needs the HITECH act was introduced to fill still apply. However, the newly signed HIPAA Safe Harbor Bill helps to reinforce the value of these security measures with the new incentives offered and opportunity for reduced fines – and it’s one of the few pieces of new legislation you should actually feel GOOD about! So whether it’s HIPAA, HITECH, or the brand new Safe Harbor Bill – understanding and complying with each and every one of their requirements is essential to protecting your patients. Still not quite sure about what’s required? Don’t sweat it! Schedule a free consult with one of our HIPAA experts today to ensure you’re up to speed.
Public Health Emergency Extended Again: What it Means For Your Practice
January 22, 2021 I don’t think anyone will be surprised to hear the latest Department of Health and Human Services (HHS) announcement that waivers related to the Public Health Emergency (PHE) – affecting telehealth, COVID-19 information sharing, and more – are (you guessed it) extended! Originally expiring January 21, 2021, waivers were instead extended again until April 20, 2021. While we all hope COVID-19 is behind us sooner rather than later, we won’t be surprised if waivers are extended again in April (after all, we’ve rung the false alarm 4 times now in saying that the PHE is expiring). Even if the light at the end of the COVID-19 tunnel takes a little bit longer, waivers will still expire, and the sooner your practice is prepared for that day – the better. When it does happen, the PHE expiring won’t mean that life will snap back to the way it was pre-pandemic (as much as we all wish that it could). What it does mean is that normal HIPAA regulations will regain effect – and that your practice needs to have the necessary compliance requirements ready to go if they aren’t already. So let’s recap what changed over the course of 2020 and what’s expected of your practice to remain in compliance when normal HIPAA enforcement kicks back into gear: PHI Disclosures Business Associates Telehealth 2020 was a historic year for more reasons than just the National Public Health Emergency, and HIPAA enforcement saw record-breaking highs over the past 12 months. We can only expect these efforts to continue in 2021 especially once HIPAA waivers officially expire. If HIPAA is on your list to tackle in 2021 – and it should be, with recent legislation reducing fines for breaches if compliant – determining where you stand now and addressing any areas you’ve relaxed compliance in is a great first step!
OCR Announces 2nd HIPAA Settlement of 2021 with Health Insurer for $5.1 Million
January 15, 2021 Buckle your seatbelts – it’s only 15 days into 2021 and it’s already looking like this year will be a wild ride when it comes to HIPAA enforcement. The Office for Civil Rights (OCR) just announced another HIPAA settlement (and a doozy at that), bringing in not one but TWO fines just this week. The latest (and greatest) HIPAA fine of 2021 was just awarded to Excellus Health Plan, Inc., a health insurance provider serving over 1.5 million people in New York. The settlement includes a whopping $5.1 million fine and a 2-year corrective action plan, the result of cyber attack affecting more than 9 million records along with a slew of other HIPAA Privacy and Security Rule violations. Fun fact: the OCR didn’t reach $5 million in total fines levied until September of last year, and today’s announcement means they’ve already exceeded the $5 million mark just 15 days into 2021 – talk about starting the year off strong! Excellus’ story all started when the OCR received a breach report on September 9, 2015 that cyber-attackers had gained access to Excellus Health Plan’s information technology systems. Of note with this particular breach story is that the hackers in Excellus’ case were accessing their systems so long, they not only set up shop but practically built a whole mall to go with it – hanging out in the health plans’ database from December 23, 2013 allllll the way until May 11, 2015 – an entire year and a half. Their overextended stay allowed the hackers to install malware in addition to other malicious activities that provided unauthorized access to the protected health information (PHI) of over 9.3 million individuals – improperly accessing everything from names, to addresses, social security numbers, financial information and clinical treatment information. If having hackers in your IT system for almost 2 years wasn’t bad enough, the OCR also found that Excellus had violated some pretty important HIPAA rules, including: As a great example of what NOT to do when it comes to your HIPAA and technical security programs, today’s fine also offered words of wisdom from the OCR: “Hacking continues to be the greatest threat to the privacy and security of individuals’ health information. In this case, a health plan did not stop hackers from roaming inside its health record system undetected for over a year which endangered the privacy of millions of its beneficiaries,” said OCR Director Roger Severino. “We know that the most dangerous hackers are sophisticated, patient, and persistent. Health care entities need to step up their game to protect the privacy of people’s health information from this growing threat.” One positive when it comes to increasingly concerning cyberthreats? The recently passed HIPAA Safe Harbor Bill offers your practice the chance to receive smaller HIPAA fines (even more important with the whopping $5.1 million precedent just set) IF you have the necessary safeguards in place 12 months BEFORE a cyber event. Even though data breaches and hacking incidents aren’t always in your control, practice’s preparation beforehand is – and could mean the difference between a smaller, manageable fine and ranking among the top 10 greatest hits on the OCR’s fine list.
What is the New HIPAA Safe Harbor Law?
January 14, 2021 There’s a lot of legislative changes coming in 2021 (including changes to the HIPAA Privacy Rule) that affect your practice’s HIPAA program, but there’s at least one change we think you should be pretty thrilled about. We’re usually pretty happy about HIPAA (we know, we’re weird, but we’ve accepted it) – but what should make your practice just as happy? Well, after an unprecedented year of cyber threats and HIPAA enforcement, recently ratified changes to the HITECH Act include some really good news – reduced HIPAA fines and penalties for data breaches if practices have proper security measures in place. What Changed HR 7898, or the HIPAA Safe Harbor Bill, was officially signed on January 5th, 2021, and amends the HITECH act to require the Department of Health and Human Services (HHS) to take into account if practices have “recognized cybersecurity practices” in place when investigating a data breach, and to be lenient with their fines or other enforcement actions if the practice has met all the basic technical safeguard requirements. Translation: if you have the right HIPAA Security Rule basics down, and appropriate technical safeguards to mitigate your identified threats, you’ll be able to stress less when a breach occurs – and see a lot fewer $$$ from the HHS. See why it’s not just us that should be happy about this one? What Else to Know So smaller fines is a major plus – but what’s the fine print? Like any law, there are a few caveats to make sure your practice gets to enjoy these incentives: The next question – what does “recognized cybersecurity practices” mean? What to do NOW To put it frankly, if you don’t have the required security standards in place already – it’s time to get a move on. Implementing these recognized security practice’s could mean the difference between a hefty fine or enforcement effort in the case that your practice ever falls victim to a data breach or other HIPAA violation – which is often out of your control. What’s really important about this law change is that having some cyber security measures in place does not cut it – if you don’t have the specific measures required under the HIPAA Security Rule (that Security Risk Analysis, documentation, and more) you will not meet the requirements outlined in HR 7898. This is another way compliance and security go hand in hand – and to get the benefits of reduced fines, you’ll need both.