HIPAA Archives

Compliance FAQs: Get Answers to Your Top HIPAA & OSHA Questions

January 7, 2021 Gaurav Modi Comments Off

March 11, 2024 Let’s be honest: compliance can be complicated. With all the regulations, sometimes it feels like you’re making mistakes you don’t even know. But with Abyde, it doesn’t have to be. We have an A-list Customer Success team, ready to answer your questions. This week, we’re rolling out the red carpet for these compliance experts We’re interviewing our CS celebs on the HIPAA and OSHA questions they receive the most. Read below to get the inside scoop on what you need to know for your practice. A child on a parent’s insurance just turned 18, while I know they have to sign consent forms, do the parents need consent to see or request their records? Sorry, new grown-ups! Parents do not need consent to see their child’s records, they can do so for the purposes of insurance, or payment. It has to be the minimum information shared. Oh no! An employee was poked with a contaminated needle and needs to be tested. Who is responsible for paying for the tests? The employer! It is the employer’s responsibility to take care of their employee in this situation. Whether it be through their insurance or Workers’ Compensation, or paying it directly, it is the employer’s responsibility. Why do I need a Business Associate Agreement, aren’t they already HIPAA compliant? First, Business Associate Agreements are a requirement of HIPAA, and outline the rights and responsibilities of a Business Associate (BA) and a Covered Entity’s (CE) partnership. The BA agreement keeps both parties on the same page and protects your practice if there is a breach on their end, having this documented expectation of a BA’s responsibilities. Why do I need to ask my employees if they’ve received their Hepatitis B vaccination? Well, if the employee has the potential to be exposed to Bloodborne Pathogens (BBP) or Other Potentially Infectious Materials (OPIM), the employer has to give them the option to be vaccinated. Depending on the state, your employees must be vaccinated against Hepatitis B. Do the doctors have to do HIPAA/OSHA Training? They own the practice. Yes, even if doctors own their practice, they still need to ensure compliance with HIPAA. All employees must complete training, even the owner of the practice. HIPAA regulations are designed to protect patients’ sensitive health information, regardless of whether the provider is part of a large institution or an independent practice. Therefore, doctors who own their practice must undergo HIPAA training to understand their responsibilities and ensure that their practice adheres to HIPAA regulations. Do I need to report my breach to the OCR? Just like a fender bender doesn’t require the same reporting as a 10-car pile-up, not all breaches need to be reported. For instance, breaches that affect 500 or more patients must be reported to the OCR. However, you will want to log ALL incidents in your Abyde Breach Log, even if OCR reporting isn’t necessary. As you can see, our compliance experts are here to clear up any compliance confusion for you. At Abyde, we want to simplify compliance for your practice or business, and our awesome CS team is a testament to that. To learn more about how Abyde is the solution for all of your compliance worries, email us at info@abyde.com and schedule a compliance consultation here for Covered Entities, and here for Business Associates.

Cybersecurity, HIPAA

Compliance and Security: A Match Made in HIPAA Heaven

December 29, 2020 Gaurav Modi Comments Off

December 29, 2020 Peanut butter and jelly, macaroni and cheese, rock and roll – there’s really no mistaking that some things are just better in pairs. While these might be the obvious examples to tag along with the old 80’s hit “It Takes Two to Make a Thing Go Right” there’s another dynamic duo that plays an important role in your practices’ daily operations: Compliance and Security. Compliance and security go hand-in-hand, making the perfect team when it comes to protecting patient data. But falling into the trap of thinking that achieving one means meeting the other can mean double trouble for your practice – so it’s important to understand the differences between the two and how to ensure you’re checking both off your list. What is compliance? Compliance is kind of like the bread and butter of your practice. It essentially focuses on the regulatory requirements involved in the protection of sensitive patient data – meaning that you not only have a secure technical environment but also have the know-how and documentation to prove it. Compliance is a comprehensive set of standards that practices must meet to avoid fines but should be viewed as more of a baseline when it comes to security, not the end all be all. Complying with HIPAA means meeting various requirements outlined in the HIPAA Security and Privacy Rule – but there’s more to the story when it comes to ensuring that patient data is fully protected. What is security? Security is the whole system of policies, processes, and technical controls specific to your practice. The goal of security is to ensure the best possible protection of the confidentiality, integrity, and availability of patient data – which in the age of technology means constantly updating to mitigate the risk of ever-changing threats. When we think of security we often think of locks on practice doors and passwords on computers but those safeguards only brush the surface of true security. Having the proper technical safeguards in place, and staying up to date on any new threats, such as the recent threat to Microsoft Exchange vulnerabilities knowing how to properly mitigate a potential threat, and staying educated are just some ways to meet your practice’s security needs. So, what’s the difference? While both are crucial in protecting patient data, security and compliance are not one and the same. The key distinction between the two is that compliance requirements are a bit more predictable whereas security standards are rapidly evolving with current risks and threats. This, unfortunately, means that even if you check off each of the compliance requirement boxes doesn’t exactly mean that your practice is 100% secure – which is why you are still at risk for a cyberattack even if you have a complete HIPAA compliance program in place. Why you need both! Just like Batman and Robin, when you put the two forces together – they’re pretty unstoppable. And with cyberattackers playing the role of the modern-day villain, establishing strong compliance AND security programs are the best, and perhaps the only way to ensure you’re taking every measure to protect patient data.

Fines, HIPAA

OCR Announces 13th Right of Access Fine, Drives Home Importance of Record Requests

December 22, 2020 Gaurav Modi Comments Off

December 22, 2020 The Office for Civil Rights (OCR) has been in the giving spirit the past few months, and they couldn’t close out 2020 without handing out at least one last holiday gift. We know there’s only 12 days of Christmas as the song goes – and we don’t think the OCR will be handing out lords-a-leaping or piper’s piping anytime soon – but there IS one more gift not mentioned in the classic song (at least the OCR 2020 edition): 13 patient right of access fines. The latest settlement adds to quite a historic year for HIPAA enforcement – and proves just how unprepared many practices have been when it comes to HIPAA compliance. This week’s extra gift went to Peter Wrobel, M.D whose practice Elite Primary Care out of Georgia found themselves doing a little extra holiday spending this year after settling with the OCR for $36,000. The settlement resolved a patient right of access complaint from April 2019, which took over a year to fully wrap (present-related pun intended). Here’s the highlights from this latest fine: Important notes for any covered entity? Make sure to provide records in a timely manner, AND in the way the patient requests them. Additionally, requests can be submitted in any form (verbal, written or otherwise) but documented, written requests are always key to best protecting your practice and meeting timeframe requirements. Take a minute to brush up on how to handle access requests if your practice needs a refresher. Taking over a year to get records access is already a bad call, but proposed changes to the HIPAA Privacy Rule will make the typical 30 day timeframe to provide records even shorter. When it comes to patients getting access to their own PHI, the OCR is serious about keeping covered entities of all sizes in line. While this may not have been the gift Elite Primary Care was wishing for this year, it did come with is some wise words of advice from OCR Director, Roger Severino: “OCR created the Right of Access Initiative to address the many instances where patients have not been given timely access to their medical records. Health care providers, large and small, must ensure that individuals get timely access to their health records, and for a reasonable cost-based fee.” We hope your practice gets a better gift this year than a hefty fine – but if you aren’t certain where you stand, get the gift of confidence in your HIPAA program by scheduling an educational webinar today!

Audits, HIPAA

Latest HIPAA Audit Industry Report

December 18, 2020 Gaurav Modi Comments Off

December 18, 2020 End of year report cards are in (or at least they are for covered entities) and the HIPAA compliance grades the Office for Civil Rights (OCR) & Department of Health and Human Services (HHS) just handed out are not ones to write home about. Just yesterday, the HHS released their latest HIPAA Audits Industry Report grading providers and business associates’ on their level of compliance with HIPAA regulations. The report evaluated audit results from 166 covered entities and 41 business associates, focusing specifically on compliance with the Notice of Privacy Practices, patient records access, breach notifications timeliness and content, the Security Risk Analysis, and appropriate risk management programs. While the full report is pretty lengthy, we’ve compiled some of the top takeaways from these latest results: So what does this data tell us? In some ways, nothing new – all of the areas audited have factored heavily into recent OCR enforcement activity, and highlight the same trends we’ve seen all year. If not part of recent enforcement, these areas factor into the recent proposal to modify the HIPAA Privacy Rule, including proposed adjustments to the Notice of Privacy Practices. “The audit results confirm the wisdom of OCR’s increased enforcement focus on hacking and OCR’s Right of Access initiative,” said OCR Director Roger Severino in addition to the latest report, “we will continue our HIPAA enforcement initiatives until health care entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records.” What NEW information can we take away from these results? Organizations are STILL. NOT. COMPLIANT. Many of the covered entities or business associates audited produced what they thought was sufficient evidence, but did not meet actual HIPAA requirements. Some weren’t even close – when asked to produce an SRA, entities provided irrelevant documents like a patient’s insurance prescription coverage and rights; a document discussing pharmacy fraud, waste and abuse; and a conflict of interest and code of conduct employee sign-off page – none of which are even semi-related to an actual SRA. If your practice wants to get a slightly better HIPAA grade than the ones in this recent audit, ensuring you have the PROPER documentation in place, and meet ALL HIPAA requirements is key. If HIPAA isn’t your best subject, a software solution like Abyde is the tutor you’ve been needing to help walk you through the process to get an A+ (plus avoid hefty HIPAA fines, stress over your HIPAA program, and general unhappiness).

HIPAA, Legislation

HHS Proposes Changes to HIPAA Privacy Rule

December 11, 2020 Gaurav Modi Comments Off

December 11, 2020 When you thought of HIPAA, was the image that came to mind an old, never-changing and outdated law? If it was, the Department of Health & Human Services (HHS) just issued a wake-up call with a new Notice of Proposed Rulemaking (NPRM), announced yesterday, to make fresh new modifications to the HIPAA Privacy Rule. So what may be changing when it comes to HIPAA? The proposed modifications are designed to address barriers to value-based health care, particularly those that limit or discourage care coordination and case management communications, as well as amend provisions of the Privacy Rule that pose “unnecessary regulatory burdens” without sufficiently improving privacy protections. While the 357 page document contains a lot of information, a few highlights of the proposed changes include: There’s a lot to unpack within these proposed changes, but in general, the proposal helps to bring the HIPAA Privacy Rule up to date with current technology usage, in addition to expanding and emphasizing patient’s rights to view, receive, and handle their own PHI. While these rules are just a proposal, it’s highly likely that most of these changes will go into effect (or a similar version of them) once the proposal’s comment period ends. So when will you need to worry about these changes? Since the proposal’s announcement on December 10th, comments on the notice are due within 60 days. Once the comment period has ended and any changes are finalized, the effective date will be 60 days from the final publication. Your practice will still have a little breathing room, as covered entities would have 180 days from the effective date to update or implement policies to achieve compliance with these new or modified standards – essentially, you’ll have 240 days after the rule is finalized to comply. While complying with these proposed Privacy Rule changes won’t be necessary for quite a while, knowing what is coming and preparing your practice ahead of time is still key. If you don’t have a current compliance program in place that reflects the most recent industry threats and updates, consider throwing out what may be a very old HIPAA binder and seeking out a new solution that can help you dynamically update your policies as these changes go into effect next year.

Best Practices, HIPAA

Meeting December HIPAA Requirements: What Your HIPAA Program is Probably Missing

December 3, 2020 Gaurav Modi Comments Off

December 3, 2020 Who doesn’t love the whole “new year, new you” excitement but before you press fast forward on the month of December there’s a few key pieces of HIPAA you are probably missing – but can still catch up on before December 31 HIPAA deadlines hit. You may be thinking “I did my Security Risk Analysis, I’m good!” or even “we did training that one time, we’re fine!”. Don’t shoot the messenger, but there’s a LOT of other pieces that go into your HIPAA program besides annual HIPAA training and the Security Risk Analysis. Before you panic, you aren’t alone – on the latest round of OCR audits, they found that only 17% of practices had performed a Security Risk Analysis, and only 6% had a security risk management program (the documentation, policies, and additional HIPAA pieces required) in place. What do I need by December 31? So what do you actually need in place, and how do you get this new checklist completed before the end of the month? First, let’s cover what you need to have at a minimum: 1. Your Security Risk Analysis (SRA) We call this the first step in HIPAA compliance for a reason. The SRA sets the baseline for your practice by assessing all physical, technical, and administrative areas of risk and determining where your HIPAA program stands. Your SRA must be updated annually, and should be more than a generic checklist – it should cover all the aspects of your practice most at risk, and should provide you with actionable insights to your high, medium and low risk areas. 2. Annual HIPAA Training If your practice has the first requirement down, you may also have HIPAA training somewhere on your radar. Some practices either do training once, instead of annually as required, or fail to document training correctly. You should have a certificate or other record of completion for each staff member, dated within 2020, to meet this requirement. The easiest way to do HIPAA training? Using an automated system lets staff take training individually, without having to shut down your practice or hire an outside trainer for a day. 3. Documented Policies & Procedures This is where practices might start to miss the mark. You may have a few policies, or an older HIPAA manual perhaps, but documentation to the government standards is key to meeting this requirement. That means having updated, current and specific documentation that accurately reflects your practice operations today (instead of an outdated manual from 6 years ago) and touches on all HIPAA requirements – not just one or two areas. 4. Updated HIPAA Logs If you have all of the above (major kudos if you do), having the right logs of all HIPAA related access, assets and possible breaches is still a commonly missed area, and is key to documenting how your practice handled HIPAA incidents in the past year. All of these pieces should be completed on an annual basis, and tie into the many other requirements that go into a complete HIPAA program. How do I do it by the end of the year? If any of the above sound scary or completely left-field to you – don’t panic! Taking one piece at a time, starting with your SRA, will help you chip away at these requirements. Odds are you probably have a piece or two, but may be missing additional aspects of your HIPAA program. There’s a few ways you can tackle these requirements, including: No matter what you do, leaving HIPAA to the last minute may leave you in a bit of a time crunch, and failing to complete these requirements will leave your practice open to hefty fines. Thankfully, there is an easy solution that will check everything off your list with plenty of time left to enjoy the holidays instead of stressing about HIPAA! Schedule a quick consultation with a HIPAA expert and see where you might be missing the mark, and how Abyde could help you breeze through these requirements before December 31.

HIPAA, Legislation

HIPAA Building Blocks: The Privacy Rule

November 24, 2020 Gaurav Modi Comments Off

November 24, 2020 Implementing a complete HIPAA program is kind of like assembling a piece of furniture from IKEA – there’s lots of different pieces and little direction when putting it all together. Even if you’re a master IKEA-assembler, HIPAA is a whole extra level of confusion, and breaking it down into the basics can help make things a little less stressful. The first step in building a complete HIPAA compliance program is to start with the base – the HIPAA Security Rule. Once you have a sturdy foundation made up of all of the proper documentation and required safeguards, it’s onto step number two: otherwise known as the HIPAA Privacy Rule. Many of the nuts and bolts of HIPAA law are built into the HIPAA Privacy Rule, which provides strong privacy protections to safeguard sensitive patient information and ensure patients have proper access to their own medical records. Thanks to the Privacy Rule: Record access and privacy are the basic goals behind the Privacy Rule, but the second piece of the rule includes an extensive list of ongoing compliance requirements, such as: Just like opening up that new box from IKEA, taking on a complete HIPAA compliance program can feel overwhelming. However, Privacy Rule complaints continue to roll in to the Office for Civil Rights (OCR) and patient right of access violations have become an increasing point of OCR focus since 2019 – making compliance with the Privacy Rule a top HIPAA priority. Now unless you’re a DIY enthusiast, you might opt for new furniture that doesn’t come in a 1,000 different pieces. Choosing a pre-assembled option instead saves you time, energy, and headaches – and the same can be said of HIPAA. Choosing a HIPAA compliance software like Abyde lets you fill in a few quick areas to get your program up to speed, instead of having to build each piece from scratch. In less than an hour, and with far less headaches, you can get everything you need to be compliant, and so much more. The best part? There’s no need for an instruction manual – Abyde has real people ready and waiting to help walk you through the process and make sure you aren’t missing any important pieces (like finding that missing screw from step 7 on step 28) along the way.

HIPAA

What You Need to Know About HIPAA Patient Right of Access Laws

November 20, 2020 Gaurav Modi Comments Off

November 20, 2020 Wanna know the secret to avoiding patient complaints? Well, until we figure out the trick to making everyone happy (which is next to impossible) we can at least fill you in on the next best thing – how to avoid one of the main causes of patient complaints – improper patient record access. You might be thinking, how can providing patients access to something that’s already theirs be that hard? Yet more than half of practices still fail to comply with patient access laws, opening themselves up to complaints and ultimately HIPAA fines. In fact, the Office for Civil Rights (OCR) just recently announced the 12th settlement in their right of access enforcement initiative, further emphasizing the importance of providing proper access. The Boring Stuff: What is the Right of Access law? The HIPAA Patient Right of Access law was created to provide patients with a level of ownership over their own medical records. This means that patients are able to: What information can be provided to a patient? Does this mean that your practice has to go and round up every single one of Sally Smiths’ records when she asks for it? Not necessarily – when a patient asks for access to their records there is specific information that you are legally expected to provide which is referred to as the “designated record set” and includes: RELATED: Your Patient Requested Access to their Medical Records, Now What? Ok, so…what information shouldn’t be provided? Now before you go and slap a postage stamp (or hit send on that encrypted email) with the entire patient file, there is some information that can be left out of the designated record set. Any information that does not pertain to decisions made about the patient’s health directly does not have to be provided to patients such as: There’s a host of other requirements when providing patient records, and knowing what policies the Right of Access law includes is important to avoiding patient complaints about record requests. Unless you’re a professional people-pleaser, dealing with patient complaints is inevitable – but with HIPAA right of access enforcement continuing to ramp up, it’s an important topic to keep your practice up to speed on.

Fines, HIPAA

OCR Continues HIPAA Right of Access Fine Streak, Announces 12th Settlement

November 19, 2020 Gaurav Modi Comments Off

November 19, 2020 Reporting new HIPAA settlements has become a weekly routine this month (we’ve got our calendars marked for next week’s already), and after today’s announcement on the Office for Civil Rights (OCR) 12th right of access initiative settlement (the third in November), we now have enough patient right of access fines to last us a whole year. This week’s HIPAA headline goes to the University of Cincinnati Medical Center, LLC (UCMC), an academic medical center that provides healthcare services to the Greater Cincinnati Community. UCMC agreed to a $65,000 payout as well as a 2-year corrective action plan with the OCR to settle a violation of (you guessed it) the HIPAA right of access standard. The by-now familiar story began back in May of 2019, when the OCR received a complaint that UCMC failed to respond to a patient’s request that her electronic health records (EHR) be sent directly to her lawyers on February 22, 2019. After further investigation and a little push from the OCR, the medical center finally provided the requested records in August of that year. While we’ve seen more than a handful (2 handfuls plus two fingers to be exact) of patient right of access fines over the past year, this specific settlement is a great example of not only failing to provide patient records in a timely manner, but also in the proper format they were requested in. It is required under HIPAA law to be able to provide patients with a copy of their records in the format they request – either in paper or electronic form – as well as have the ability to transmit records directly to a third party if specified. If it isn’t possible to provide records the way a patient requests, the covered entity must agree to an alternative method with the requester. Emphasizing the importance of providing records in the format requested, OCR Director Roger Severino added that the “OCR is committed to enforcing patients’ right to access their medical records, including the right to direct electronic copies to a third party of their choice. HIPAA covered entities should review their policies and training programs to ensure they know and can fulfill all their HIPAA obligations whenever a patient seeks access to his or her records.” Today’s settlement brings the running count of 2020 HIPAA fines to a total of $13,291,500 with 6 weeks still left in the year. If the weekly fine trend continues, we could expect at least 6 more HIPAA settlements and a whole lot of $$$ to come rolling in before 2020 finally ends. While we’re all looking forward to 2020 calling it quits, 6 more fines would blow 2019’s enforcement records out of the water. With annual HIPAA deadlines right around the corner and weekly examples of why you should ensure your practice is compliant, we couldn’t think of a better time to add HIPAA to the top of your to-do list!

Abyde News, HIPAA

HIPAA Building Blocks: The Security Rule

November 12, 2020 Gaurav Modi Comments Off

November 12, 2020 Even with a law as complex as HIPAA, there are a few building blocks that form the base of all HIPAA requirements. One of those blocks – often referred to as the first step in HIPAA compliance – is the Security Rule. Essentially, the Security Rule ensures protected health information (PHI) is only accessible to those who should have access. Think of it almost like a personal bodyguard there to protect your PHI. In this case, that ‘bodyguard’ is made up of specific safeguards – covering physical, administrative, and technical access – that ensure the protection and confidential handling of patient information. Administrative Safeguards Covering more than just paperwork (though, there is a lot of that), administrative safeguards include documentation of the actions, policies, and procedures used by your practice to protect PHI. These requirements cover: Physical Safeguards Beyond the obvious (we hope things like locking your doors are already in place), physical safeguards cover the measures taken to protect your information systems, physical infrastructure, and equipment from unauthorized access as well as natural hazards. Key requirements include: Technical Safeguards It’s impossible to avoid technology in the healthcare world today, and technical safeguards cover the ways your practice secures electronic protected health information (ePHI) and controls access to it. These requirements are a bit more difficult that simply installing antivirus software, and cover: These safeguards are just a few pieces of the HIPAA compliance puzzle, but can make or break a practice when it comes to HIPAA. Often, practices slapped with HIPAA fines are missing one (or in most cases, a lot) of these requirements that could have prevented HIPAA violations and better protected their patient data. So how do you start actually implementing all these requirements? There’s no easy instruction manual handy, but the next best thing is working with HIPAA experts that can not only assess where your program is at, but help guide you through recommended updates to fix any high risk areas. However you manage HIPAA, meeting the Security Rule requirements is just the first step – make sure you review your entire HIPAA program, not just one or two pieces, to be compliant.