HIPAA

HIPAA Patient Right of Access Laws
HIPAA

What You Need to Know About HIPAA Patient Right of Access Laws

November 20, 2020 Comments Off on What You Need to Know About HIPAA Patient Right of Access Laws

November 20, 2020 Wanna know the secret to avoiding patient complaints? Well, until we figure out the trick to making everyone happy (which is next to impossible) we can at least fill you in on the next best thing – how to avoid one of the main causes of patient complaints – improper patient record access.  You might be thinking, how can providing patients access to something that’s already theirs be that hard? Yet more than half of practices still fail to comply with patient access laws, opening themselves up to complaints and ultimately HIPAA fines. In fact, the Office for Civil Rights (OCR) just recently announced the 12th settlement in their right of access enforcement initiative, further emphasizing the importance of providing proper access.  The Boring Stuff: What is the Right of Access law? The HIPAA Patient Right of Access law was created to provide patients with a level of ownership over their own medical records. This means that patients are able to:  What information can be provided to a patient? Does this mean that your practice has to go and round up every single one of Sally Smiths’ records when she asks for it? Not necessarily – when a patient asks for access to their records there is specific information that you are legally expected to provide which is referred to as the “designated record set” and includes:   RELATED: Your Patient Requested Access to their Medical Records, Now What?  Ok, so…what information shouldn’t be provided? Now before you go and slap a postage stamp (or hit send on that encrypted email) with the entire patient file, there is some information that can be left out of the designated record set. Any information that does not pertain to decisions made about the patient’s health directly does not have to be provided to patients such as: There’s a host of other requirements when providing patient records, and knowing what policies the Right of Access law includes is important to avoiding patient complaints about record requests. Unless you’re a professional people-pleaser, dealing with patient complaints is inevitable – but with HIPAA right of access enforcement continuing to ramp up, it’s an important topic to keep your practice up to speed on.

HIPAA Right of Access Fine Streak
Fines, HIPAA

OCR Continues HIPAA Right of Access Fine Streak, Announces 12th Settlement

November 19, 2020 Comments Off on OCR Continues HIPAA Right of Access Fine Streak, Announces 12th Settlement

November 19, 2020 Reporting new HIPAA settlements has become a weekly routine this month (we’ve got our calendars marked for next week’s already), and after today’s announcement on the Office for Civil Rights (OCR) 12th right of access initiative settlement (the third in November), we now have enough patient right of access fines to last us a whole year. This week’s HIPAA headline goes to the University of Cincinnati Medical Center, LLC (UCMC), an academic medical center that provides healthcare services to the Greater Cincinnati Community. UCMC agreed to a $65,000 payout as well as a 2-year corrective action plan with the OCR to settle a violation of (you guessed it) the HIPAA right of access standard.  The by-now familiar story began back in May of 2019, when the OCR received a complaint that UCMC failed to respond to a patient’s request that her electronic health records (EHR) be sent directly to her lawyers on February 22, 2019. After further investigation and a little push from the OCR, the medical center finally provided the requested records in August of that year.  While we’ve seen more than a handful (2 handfuls plus two fingers to be exact) of patient right of access fines over the past year, this specific settlement is a great example of not only failing to provide patient records in a timely manner, but also in the proper format they were requested in. It is required under HIPAA law to be able to provide patients with a copy of their records in the format they request – either in paper or electronic form – as well as have the ability to transmit records directly to a third party if specified. If it isn’t possible to provide records the way a patient requests, the covered entity must agree to an alternative method with the requester. Emphasizing the importance of providing records in the format requested, OCR Director Roger Severino added that the “OCR is committed to enforcing patients’ right to access their medical records, including the right to direct electronic copies to a third party of their choice. HIPAA covered entities should review their policies and training programs to ensure they know and can fulfill all their HIPAA obligations whenever a patient seeks access to his or her records.”  Today’s settlement brings the running count of 2020 HIPAA fines to a total of $13,291,500 with 6 weeks still left in the year. If the weekly fine trend continues, we could expect at least 6 more HIPAA settlements and a whole lot of $$$ to come rolling in before 2020 finally ends. While we’re all looking forward to 2020 calling it quits, 6 more fines would blow 2019’s enforcement records out of the water.  With annual HIPAA deadlines right around the corner and weekly examples of why you should ensure your practice is compliant, we couldn’t think of a better time to add HIPAA to the top of your to-do list!

The Security Rule HIPAA
Abyde News, HIPAA

HIPAA Building Blocks: The Security Rule

November 12, 2020 Comments Off on HIPAA Building Blocks: The Security Rule

November 12, 2020 Even with a law as complex as HIPAA, there are a few building blocks that form the base of all HIPAA requirements. One of those blocks – often referred to as the first step in HIPAA compliance – is the Security Rule. Essentially, the Security Rule ensures protected health information (PHI) is only accessible to those who should have access. Think of it almost like a personal bodyguard there to protect your PHI. In this case, that ‘bodyguard’ is made up of specific safeguards – covering physical, administrative, and technical access – that ensure the protection and confidential handling of patient information. Administrative Safeguards  Covering more than just paperwork (though, there is a lot of that), administrative safeguards include documentation of the actions, policies, and procedures used by your practice to protect PHI. These requirements cover:  Physical Safeguards  Beyond the obvious (we hope things like locking your doors are already in place), physical safeguards cover the measures taken to protect your information systems, physical infrastructure, and equipment from unauthorized access as well as natural hazards. Key requirements include:  Technical Safeguards  It’s impossible to avoid technology in the healthcare world today, and technical safeguards cover the ways your practice secures electronic protected health information (ePHI) and controls access to it. These requirements are a bit more difficult that simply installing antivirus software, and cover:  These safeguards are just a few pieces of the HIPAA compliance puzzle, but can make or break a practice when it comes to HIPAA. Often, practices slapped with HIPAA fines are missing one (or in most cases, a lot) of these requirements that could have prevented HIPAA violations and better protected their patient data. So how do you start actually implementing all these requirements? There’s no easy instruction manual handy, but the next best thing is working with HIPAA experts that can not only assess where your program is at, but help guide you through recommended updates to fix any high risk areas. However you manage HIPAA, meeting the Security Rule requirements is just the first step – make sure you review your entire HIPAA program, not just one or two pieces, to be compliant. 

HIPAA Right of Access Fine Announcement
Fines, HIPAA

OCR Announces the 11th HIPAA Right of Access Settlement

November 12, 2020 Comments Off on OCR Announces the 11th HIPAA Right of Access Settlement

November 12, 2020 The last few months have shown that it’s not a matter of when the next Office for Civil Rights (OCR) HIPAA fine will drop, it’s how much the fine will be for. It’s sort of become a race at the Abyde office to share the news first when the OCR’s next press release hits our inboxes (seriously – this blog’s authors are winning in case you were concerned). Today’s entry into our fine-marathon is yet another patient right of access violation – bringing total access settlements to 11 and 2020’s fine count to $13,226,500.     The latest right of access violator is Dr. Rajendra Bhayani, a private practitioner specializing in otolaryngology (a specialty focused on the ears, nose, and throat, if you aren’t a medical specialties trivia whiz) out of New York. The settlement comes as a result of a patient complaint regarding a violation of the Privacy Rule’s right of access standard and left Dr. Bhayani with a $15,000 bill and a two-year corrective action plan to boot.  Back in September 2018, the OCR received a complaint that Dr. Bhayani failed to respond to a patient’s request for medical records made in July of that year. The OCR responded by providing the doctor with technical assistance on the issue, and it was case-closed (or so they thought). Half a year later, complaint number two came rolling in, noting that even in July of 2019 the patient still hadn’t received their requested records. Only after further OCR investigation were the records finally provided in September of 2020 – two whole years after the initial complaint.  The OCR is certainly taking this right of access fine-marathon seriously, sprinting to the end of 2020 with 9 right of access related fines since September. “Doctor’s offices, large and small, must provide patients their medical records in a timely fashion,” stated OCR Director, Roger Severino, “we will continue to prioritize HIPAA Right of Access cases for enforcement until providers get the message.”  The best way to tell the OCR ‘message received’? Get your HIPAA program in order NOW, particularly all the pieces that go into patient right of access – HIPAA authorization forms, the right access policies and timeframes, staff training, and more. OCR Director Severino said it best – it doesn’t matter if your practice has 3 employees and sees only a handful of patients, dealing correctly with HIPAA requirements is essential to avoiding $$$ in fines and the scrutiny of the OCR.  

California Right of Access Settlement
Fines, HIPAA

OCR Announces the 10th HIPAA Right of Access Settlement

November 6, 2020 Comments Off on OCR Announces the 10th HIPAA Right of Access Settlement

November 6, 2020 The Office for Civil Rights (OCR) wasn’t kidding when they emphasized HIPAA Right of Access enforcement last year – if you STILL don’t believe the many (so, so many) blog articles we’ve written on previous fines, maybe today’s 10th fine announcement will do the trick. Patient right of access has been a trending topic (waiting for the hashtag to trend any day now) over the past few months, and the latest settlement is just another reminder of what your practice needs to watch for.     Today’s fine goes to Riverside Psychiatric Medical Group (RPMG), out of Riverside, California who agreed to a $25,000 payout and two-year corrective action plan to settle a violation of the Privacy Rule’s patient right of access standard.  The latest settlement comes as a result of a patient complaint received just last year, in March of 2019. The complaint claimed that RPMG failed to provide access to requested medical records – even after multiple requests, OCR technical assistance after the first complaint, and a second complaint a month later. In this particular case, unlike other patient right of access fines levied thus far, RPMG claimed they didn’t provide access because the requested records included psychotherapy notes.  Psychotherapy notes include documentation of private counseling sessions, separate from regular medical records, and are able to be withheld under HIPAA law because of the nature of the records. So was the practice actually in the wrong? While psychotherapy notes CAN be withheld, HIPAA still requires:  Since RPMG failed to do either, they found themselves with $25,000 less in their pockets and two whole years of administrative paperwork to be completed. Even if your practice doesn’t deal with mental or behavioral health services, RPMG’s case includes some important lessons for all types of providers.  When records can’t be provided (for legitimate reasons only people) a written explanation and a copy of the records can and should be provided to the patient. No one likes to be left hanging, said best by OCR Director, Roger Severino himself: “When patients request copies of their health records, they must be given a timely response, not a run-around.”  Avoid being an enforcement victim by reviewing what your practice has in place now, and what is required when a patient requests their records. Make sure you have a designated method for patients to request records and fulfill their requests within the right time frame – within 30 days at the federal level, though it varies by state. And just in case you’re keeping score (just us?) this fine brings 2020’s running total to $13,211,500.  

The Importance of HIPAA Compliance Officers
Best Practices, HIPAA

Behind Every Complete HIPAA Program, There’s a HIPAA Compliance Officer to Thank

November 5, 2020 Comments Off on Behind Every Complete HIPAA Program, There’s a HIPAA Compliance Officer to Thank

November 5, 2020 If you aren’t already aware of how much goes into a complete HIPAA compliance program, we’ll give you a hint – it’s a lot. How much is a lot? Estimates are that it takes the average practice (on their own) 80+ hours per year. So who do you thank for all those hours, headaches and (probably) tears? Your friendly neighborhood HIPAA Compliance Officer.  A HIPAA Compliance Officer, or HCO, is essentially responsible for ensuring your practice meets requirements outlined in HIPAA law – which is as complicated as it can get. Their role is pretty crucial to avoiding a HIPAA violation (not to mention required under HIPAA) and involves quite a list of tasks for the lucky winner of the HCO title. HCO responsibilities include: If you are a smaller practice, your practice administrator or office manager might serve as your HCO (on top of all their existing responsibilities – seriously, they must have superpowers), or if a larger organization, you may be lucky enough to have a separate compliance staff member. Regardless of how your practice operates, the HCO deserves a major round of applause for all they do to keep your practice – and patients – safe, secure and compliant.  Every great hero has a side-kick, and for your HCO a HIPAA compliance software solution is just that. Rather than manually updating each policy, creating training materials, conducting ongoing risk analyses, AND keeping up with changing HIPAA regulations, a software solution like Abyde does it all with just a few clicks – and with a lot less time and stress involved. Whether you have a software side-kick or not, making sure you have all the right pieces of the HIPAA puzzle is a crucial role for your HCO to fill.  Don’t have an HCO? Or have someone that was responsible that one time, but never actually had the opportunity to get started on HIPAA? First, figure out where your program is at by reviewing what you may be missing, then assign an HCO and get them some help to manage their new HIPAA responsibilities.

City of New Haven Reaches HIPAA Settlement
Fines, HIPAA

City of New Haven Reaches HIPAA Settlement After Former Employee Steals Patient Information

October 30, 2020 Comments Off on City of New Haven Reaches HIPAA Settlement After Former Employee Steals Patient Information

October 30, 2020 Just when we thought the month was over, the Office for Civil Rights (OCR) decided to sneak one more HIPAA fine in at the last minute. Earlier today the OCR announced October’s FOURTH fine – this time with the City of New Haven, Connecticut who has agreed to pay a $202,400 fine and complete 2-year corrective action plan after violating the HIPAA Privacy and Security Rules.  The 15th settlement of the year came as a result of HIPAA violation back in January 2017 that sounds almost like a TV drama. Back in 2017, the incident began when the New Haven Health Department notified the OCR that a former employee appeared to have accessed a file on a computer containing protected health information (PHI).  After some OCR sleuthing, it was revealed that 8 days after being fired in July 2016, the same employee returned to the health department and logged into her old computer with still-active credentials (we’re picturing her with a large hat, sunglasses and a trench coat) and downloaded the PHI of 498 individuals to a USB drive. The malicious download included patient names, addresses, and other personal medical information. And as if this really was a binge-worthy TV show (grab the popcorn) the former employee then shared her login ID and password with an intern – who continued to do the dirty work for her.  On top of the drama-filled breach, the OCR investigation also uncovered major gaps in the health department’s HIPAA program, including:  We’ve seen a number of recent HIPAA settlements centering around improper access, but in this case the unauthorized access came as a result of the New Haven Health Departments’ failure to have proper employee offboarding procedures. The simplest task of deactivating the employee’s login credentials could have saved the organization a huge chunk of change, and kept 498 patients’ information better protected.  You can never really predict when an employee will ‘go rogue’, and not having a termination system in place – or even just waiting a few days to disable access – can be a costly mistake. Having a comprehensive plan from an employee’s first day to their last is an important aspect of general operations, but especially your HIPAA compliance program. OCR Director Roger Severino said it best: “Medical providers need to know who in their organization can access patient data at all times. When someone’s employment ends, so must their access to patient records.”  

Million Dollar HIPAA Settlement
Fines, HIPAA

OCR Announces $1,000,000 Settlement With Aetna for Multiple HIPAA breaches

October 28, 2020 Comments Off on OCR Announces $1,000,000 Settlement With Aetna for Multiple HIPAA breaches

October 28, 2020 Thought we’d be able to skate through the rest of October without another HIPAA fine? Not so fast. The Office for Civil Rights (OCR) just announced another $1,000,000 settlement to add to October’s tab, settling with Aetna on not one, not two, but three separate HIPAA violations.  Aetna Life Insurance Company, as well as the affiliated covered entity (Aetna), agreed to a million-dollar payout in addition to a two year corrective action plan as a result of multiple HIPAA incidents experienced back in 2017.  The first violation occurred in April 2017, after Aetna discovered that two web services used to display plan-related documents to their members did not have the necessary login protections and were accessible through regular internet search engines. Aetna’s report noted that the incident exposed the protected health information (PHI) of over 5,000 individuals.  Violation number two came just a few months later in July, when Aetna received complaints that sensitive health information was made visible through benefit notice mailers. The 11,887 affected individuals’ medication information could be seen through the window of the envelope below the member’s name and address, clearly exposing their PHI to anyone who happened across the mailings.  Last but not least, the third violation occurred in September 2017, after a similar mailer was sent to 1,600 individuals displaying the name and logo of a research study on atrial fibrillation (irregular heartbeat) that some members were participating in. Because the logo on the envelope clearly conveyed the type of study the recipients were a part of, it was automatically an impermissible disclosure of PHI. Three HIPAA violations in one year is already enough to get you on the OCR’s bad side, but after further investigation, they found other aspects of Aetna’s HIPAA compliance program missing, including:  2017 was certainly a bad year for Aetna, and 2020 has now been a very bad year for all covered entities – practices, insurance companies and business associates alike – without a complete HIPAA compliance program in place. This latest settlement brings this year’s total to a whopping $13,186,500 – almost a million dollars over last year’s total fines, with 2 months still left on the clock in 2020.  We know you’re sick of hearing us harp on the importance of being compliant before an incident happens (seriously, we’re turning into our own mothers) but in the OCR Director, Roger Severino’s own words, “Aetna’s failure to follow the HIPAA Rules resulted in three breaches in a six-month period, leading to this million dollar settlement.” 

2020 HIPAA Fines
Fines, HIPAA

State HIPAA Fines Add to Growing 2020 Fine Totals

October 23, 2020 Comments Off on State HIPAA Fines Add to Growing 2020 Fine Totals

October 23, 2020 The Office for Civil Rights (OCR) has left practices taking hit after hit after hit when it comes to HIPAA fines this year, but two recent multi-state HIPAA fines have added just as many $$$ to this year’s enforcement totals. While the OCR certainly makes headlines, state enforcement and state-specific HIPAA regulations are just as important to adhere to as federal laws. In fact, depending on the incident and patients affected, many states require their attorney general be notified of a breach and have the option to pursue the HIPAA violation in addition to the investigation at the federal level.  Driving the point home for us, two healthcare organizations found themselves emptying their pockets for a second time in the past few weeks – agreeing to multi-million dollar settlements with multiple states for HIPAA violations already settled with the OCR. These fines are the latest in over $66 million collected by states as part of HIPAA enforcement actions.  Anthem, Inc.  The health insurance provider Anthem went one round with the HIPAA police in 2018, and suffered their first loss against the Office for Civil Rights (OCR) with a $16 million settlement relating to a breach that exposed almost 79 million patients records back in 2014. The results of round 2 have just come in, and it’s a K.O. – Anthem, Inc. has just settled with 43-states and California relating to the same HIPAA breach, with a whopping $48.2 million in total fines.  If you aren’t able to recite every HIPAA fine from memory (it’s ok, we’re probably the only ones that would win that trivia contest) the original incident resulted from a cyberattack that exposed almost 79 million individuals records. OCR investigation revealed Anthem was missing an enterprise-wide security risk analysis, various technical safeguards, and the proper response to suspected or known security incidents – resulting in the first place trophy for largest HIPAA settlement ever. Community Health System (CHS) Just last month, the OCR settled a $2.3 million fine with a business associate, Community Health System (CHS), who exposed 6.1 million patients records as a result of another 2014 cyber attack. While most of us wish we could fast forward to 2021 and escape 2020, we’re sure CHS probably feels that way more than anyone after the announcement of another $5 million added to their tab in a 28-state settlement of the same incident. These recent fines are starting to feel like deja-vu, so here’s more on the announcement to help jog your memory. Not surprisingly, in their investigation the OCR found CHS was missing a security risk analysis, had no proper security incident procedures in place, and failed to implement necessary access controls.   While the breaches themselves may be old news, the latest settlements are a fresh reminder of how healthcare practices must take notice of state HIPAA enforcement. Both state fines mentioned above, though split among all the states listed in each settlement, actually totalled more than the amount the OCR fined each organization.  Having a complete HIPAA compliance program with necessary safeguards in place will not only reduce your risk of being targeted by a hacker, as was the case in both these incidents, but will also keep your chances of federal and state-level fines to a minimum. Federal HIPAA requirements certainly put enough on your plate, but having a HIPAA partner that can provide all your state-specific HIPAA requirements for you makes complying that much easier – and helps avoid costly state audits. 

Information Blocking
Best Practices, HIPAA

What Does ‘Information Blocking’ Mean?

October 15, 2020 Comments Off on What Does ‘Information Blocking’ Mean?

October 15, 2020 If you’re at all familiar with the 21st Century Cures Act, you may have heard the term ‘information blocking’ tossed around. Even if you’re not, you may be familiar with the ongoing healthcare battle to prevent information blocking and more effectively share patient information. If you’re not familiar with any of these things…well…keep reading anyways, if you’re an independent practice we promise this is going to be increasingly important information to know.  A major goal of the Cures Act is to break down the barriers currently erected to interfere with, prevent, or discourage the access, exchange, or use of electronic Protected Health Information (ePHI) within the healthcare industry – otherwise known as information blocking. HIPAA outlines the specific ways information can be shared (and these rules still apply) but the statement of “sorry we can’t share that information because of HIPAA” is often applied incorrectly, and part of what the Cures Act hopes to correct. Deliberately blocking information that should be shared with patients and other appropriate covered entities, such as with Health Information Exchanges (HIE’s), can prevent or delay proper treatment and ultimately reduces the effectiveness of patient care. Before the Cures Act rules go into effect (November 2, 2020), organizations must reevaluate or remove any barriers currently in place that constitute information blocking. Not 100% what that really means? You aren’t alone, which is why the Office of the National Coordinator for Healthcare Technology (ONC) has created a helpful cheat sheet for what does and does not qualify as information blocking. There are some exceptions to what falls under the “information blocking” umbrella, including:  All of these exceptions are only permissible provided certain conditions are met. In general, think of information blocking as refusing to share data even when there is no reason not to – i.e., none of these exceptions or regular privacy concerns apply. Where it gets tricky is when information sharing might – though the situation makes it unclear – violate HIPAA compliance regulations (really violate them, not just as an excuse). It’s always helpful to ask the experts in these circumstances – such as your HIPAA compliance program provider (*cough cough*). 

Looking to finish your SRA for MIPS by the Dec 31 deadline? We're here to help you get compliant in minutes.

SCHEDULE CONSULTATION
X