September 9, 2020 HIPAA Settlements are more than just $$$ If you’re like most practices, you might just see $$$ when a HIPAA fine makes the news. And yeah – million dollar fines are no joke. But a HIPAA violation settlement is more than just a dollar sign, and often includes something called a ‘corrective action plan’. This corrective action plan, or CAP, is basically equivalent to ‘you messed up, here’s two years of administrative paperwork to fix your issues and think about what you’ve done.’ Yeah, you read that right – two years. If you thought paying a fine and putting it behind you was the extent of the bad news, we’re here to tell you why a CAP is just as important if slapped with a HIPAA violation. ALL the Paperwork The goal of a CAP is to correct the issues that caused the HIPAA violation in the first place. However, CAP requirements aren’t just a simple ‘do this next time’ and involve quite a bit of paperwork. Over the course of the designated time frame, one to typically two years, practices are required to: Lets face it, no one likes paperwork (even hearing that word makes us cringe). Having to complete what’s required in a CAP is often far more paperwork than maintaining a regular HIPAA compliance program would be – another reason to be compliant before an incident occurs. Even More Consequences Failing to complete a corrective action plan within the designated time frame can void the initial settlement and can leave a practice open to additional fines and penalties – yikes. It may just be paperwork, but the OCR takes it seriously, and leaves practice’s having to juggle a CAP on top of their already full plate of patient care, regular operations, and reputation management after landing in the news for a HIPAA violation. So, who doesn’t want to be stuck with a mound of paperwork and the OCR breathing down your neck? (We’re raising our hand – both hands actually.) Getting ahead of violations by completing the SRA and HIPAA program requirements before a breach, complaint or audit will save your practice the pain of a CAP and help avoid a violation in the first place. After all, if you have all the right policies, SRA, and risk management plan in place before a breach you’ve already got OCR requirements down – but with less time spent, on your own schedule, and without the OCR looking over your shoulder.
Top 4 HIPAA Violations Your Practice Should Avoid
September 4, 2020 Even with everything else going on in the world today, HIPAA violations are still making headlines. While these news stories reinforce that the Office for Civil Rights (OCR) hasn’t let up on HIPAA enforcement, they also provide great examples of what not to do when it comes to your own practice. Based on these violations and recent OCR investigation data, we’ve compiled the top four types of violations investigated by the OCR: 1. Impermissible Uses & Disclosures The reigning champion of HIPAA violations over the past 5 years – impermissible uses or disclosures – covers any access, use, or sharing of protected health information (PHI) that is done in a manner not permitted under HIPAA and compromises the security or privacy of a patient’s sensitive information. Common culprits include: Having the right policies in place outlining the proper ways staff may use and disclose PHI is key to ensuring your practice doesn’t join the growing list of improper use violators. 2. Missing Physical, Technical and Administrative Safeguards HIPAA law requires practices to implement safeguards to ensure PHI is protected and secured. These safeguards include: Failing to implement key safeguards is what gets practice’s into trouble, which is why it is essential to perform in-depth as well as ongoing Security Risk Analyses in order to properly identify which safeguards are missing 3. Improper Access Your data library shouldn’t be fair game to every employee regardless of their role. Even if just glancing at a patient’s information, any access to patient information that is not necessary to complete a specific job function is a violation of HIPAA. With remote work becoming more and more common, we can expect improper access violations to rise as employees use data in less secure environments and with less supervision than there would be in a typical practice setting. Appropriate access is featured heavily in HIPAA, and it’s important to limit and document your access roles. It’s not just internal access to PHI that can get your practice into trouble. There are specific guidelines for providing patients with medical records as well, and while this may seem straightforward 51% of providers fail to comply with HIPAA Right of Access laws. Understanding what Patient Right of Access laws entail is important to keeping your patients happy and avoiding a problem with the OCR. 4. Violations of Minimum Necessary Requirement Less is more when it comes to sensitive health information. Only the minimum information necessary should be provided when PHI is requested, accessed, or disclosed. Violations of this requirement could include providing additional information such as previous medical conditions that may not pertain to the actual purpose of the task at hand. Having proper training and documented policies in place that define what information is considered necessary is an essential piece to protecting your patient’s information and steering clear of a HIPAA violation. A Violation is Just a Slap on the Wrist, Right? While a violation in any of these areas could be minor, a HIPAA violation fine ranges anywhere from a few hundred to a million dollars based on various factors such as: The biggest fine so far? $16 million in a single settlement. Monetary fines aren’t the only thing you have to worry about if you find yourself facing a HIPAA violation. Jail time and extensive corrective action plans involving extra oversight and administrative work are real possibilities if a violation is found. So How Can You Best Avoid a HIPAA Violation? Many HIPAA violations can be attributed to a lack of employee education on what’s required under federal law. Violations aren’t usually intentional or malicious, which is why it’s so important to create a culture of compliance within your organization and promote good habits. Keeping up with your HIPAA compliance program and staying updated on any changes to federal regulations is the best way to keep your patients’ information secure and avoid ending up as another HIPAA headline.
Disposing of PHI: Why, What and How
August 27, 2020 When it’s time to upgrade to that new wallet or purse you’ve been wanting, you probably take out all your sensitive information – credit cards, license, etc. – before tossing out the old one (we hope so at least). It should be no different when it comes to disposing of old devices or hard drives that contained sensitive ePHI, yet practices continue to miss the mark. It may be obvious that paper records require proper disposal – in most cases, shredding or recycling so that the information cannot be read by the wrong parties. Despite this being common knowledge, incidents continue to arise – such as the recent batch of medical records found unattended at an Odessa recycling center in Texas. Because the records weren’t shredded, their sensitive data was made easily accessible. Improper disposal is even more common when it comes to disposing of electronic protected health information (ePHI) properly. What data needs to be properly disposed of? Anything that does or could have once stored PHI – some you may not even realize – should be properly disposed of to wipe any traces of patient information. This includes: Many devices unknowingly have stored patient information – in emails or text messages, documents accessed on your device web browser, pictures or screenshots, medical images, voicemails, or applications that stored PHI during use. Devices may contain their own storage drives, especially if IoT enabled (connected to your WiFi or internal network). RELATED: So You Have PHI to Dispose of – Now What? What is considered proper digital data disposal? Unfortunately, clicking the ‘delete’ button does not completely remove digital data. Even if you overwrite files, they can still be recovered using software tools. The following are a few ways you can ensure your devices are disposed of properly: Now before you grab those hammers and start smashing up your Windows 7 PC, HIPAA law requires practices to store PHI for at least 6 years and potentially more depending on your state. Devices with data that falls within that 6 year timeframe should be backed up before they are wiped clean, and data should then be encrypted while being stored. Regardless of whether the data is on paper or disk, or the destruction method you choose, it’s imperative to properly dispose of PHI – and make sure nothing retrievable ends up in the wrong hands.
OCR Highlights Asset Log as Key HIPAA Recommendation
August 25, 2020 Earlier today, the Office for Civil Rights (OCR) sent out their seasonal Cybersecurity Newsletter on a very timely and relevant topic – the importance of keeping track of devices that contain electronic protected health information (ePHI). The OCR’s newsletter highlights two important things for independent practices: first, that having an asset log is the recommended method for tracking and thus safeguarding devices that contain ePHI, and second, that the OCR views practice’s lack of knowledge around where their devices are as a key area of concern. Part of the HIPAA Security Rule, practices are required to implement the necessary technical safeguards covered in the Security Risk Analysis (SRA) – including encrypting and securing their devices that contain sensitive ePHI. While an asset log isn’t directly required under HIPAA, the OCR highly recommends the creation and maintenance of an IT asset inventory to better understand where ePHI may be stored and strengthen overall compliance with these requirements. What does an Asset Log entail? We know it’s hard to keep tabs on everything within your practice, but when it comes to your devices keeping inventory is key. As the OCR’s newsletter highlights, the asset log should be a comprehensive list of all IT assets with corresponding descriptive information. The OCR notes that this list could include ALL devices, even those that don’t access ePHI directly, as they could contain ePHI unknowingly or be an entry point for cyberattackers to your network. Your list should include: When documenting these assets, Abyde recommends including all the following information: Additionally, it is important to regularly update your asset log as devices are moved around by location or by assigned staff members. Just like an SRA, your asset log should not be a ‘one and done’ project, and should instead be reviewed regularly. You should also track when devices are disposed of, as properly disposing of devices that contain ePHI is a common cause of HIPAA violations. No matter the size of your practice, creating and maintaining a thorough asset log isn’t an easy task. With a program like Abyde, our built in Asset Log covers all the OCR recommendations and then some – helping you track devices at high risk and making your IT inventory intuitive. Having the ability to access your asset log within a cloud-based solution like Abyde makes reviewing and updating inventory a breeze, and helps ensure you’re complying with all the right technical safeguards.
Properly Encrypting ePHI: What Your Practice Should Know
August 20, 2020 Even before COVID-19, electronic solutions were transforming the way practices work and communicate with patients and other providers. As technology continues to evolve within the healthcare industry, it’s important to understand how to properly secure sensitive protected health information (PHI) when stored or transmitted. What does encryption actually mean? Protecting patient data from cyberthreats goes beyond having appropriate passwords. It means having the right technical safeguards in place including properly encrypting any PHI created, stored, sent, or received by your practice. So what exactly is encryption? Encryption means that content containing sensitive data is made unreadable for anyone except those authorized to view the information. This process essentially uses a software or algorithm to ‘lock’ the data or written text and requires an encryption key to make the information decipherable again. What should be encrypted? So what should be encrypted? Simply put, the answer to this question is pretty much anything containing PHI. This includes data that is being sent to someone else such as a patient, business associate, or another provider. Examples of this include: Why does encryption matter? For a typical practice, your EHR system is likely already encrypted – but your EHR isn’t all that matters. All other laptops, external hard drives, servers, and communication systems are at high risk if they are not also properly encrypted to protect from cyberthreats. In fact, failing to encrypt devices has been the cause of various HIPAA violations. Recently, a covered entity in Rhode Island faced a $1,040,000 fine from the OCR on top of a 2 year corrective action plan. The violation resulted from a stolen unencrypted laptop, leading to over 20,000 patients data being exposed. Part of the reason for the hefty fine was the organization’s “systemic non-compliance” when it came to proper encryption of devices. The entire incident could have been avoided if the entity had the proper technical safeguards in place. With cybersecurity threats on the rise and electronic communication becoming more commonplace, it’s all the more important to ensure the protection of your patients’ information. Implementing encryption services is a great way to best protect your practice and prevent HIPAA violations. If using an external vendor for encryption, make sure to have the appropriate business associate agreement in place as well.
Top 6 Ways to Be Prepared for a HIPAA Audit
August 14, 2020 Let’s be real – there’s probably a few things in life we all have an“Oh, it won’t happen to me” mentality about. For many medical professionals, that may be exactly how you feel about HIPAA audits – yet HIPAA investigations are becoming more common than you might think. While the odds of facing a totally random HIPAA audit might not be high, they increase significantly when you factor in additional investigation triggers like data breaches, cyber attacks, and patient complaints- none of which a medical practice is immune to. Proactively preparing for anything that might be thrown your way is imperative for your practice to have the ability to handle a HIPAA audit without the consequence of a hefty violation. Here are the top 6 things you should have in place BEFORE a breach, complaint or audit investigation occurs: 1. Security Risk Analysis The first thing the OCR looks for upon investigation is a properly documented and up to date Security Risk Analysis (SRA). This shows that you’ve assessed your practice operations and identified any vulnerabilities – BEFORE an audit occurs. While it’s the first step of HIPAA compliance, only 17% of practices audited by the OCR met this requirement. 2. Practice-Specific Policies & Procedures Proper documentation is key for all aspects of your compliance program including your practice specific HIPAA policies and procedures. These policies and procedures serve as the guidelines for how protected health information (PHI) should be handled within your practice and the proper documentation is necessary to prove the expectations and standards you have set for your organization. 3. Disaster Recovery Plan Disasters happen, most of the time without warning. Having a disaster recovery plan in place is important to ensuring continuity of patient care and continued access to important medical records. As the saying goes, if you fail to plan, you plan to fail. 4. Implement Proper Administrative, Technical and Physical Safeguards Securing all forms of PHI with the necessary safeguards already implemented within your practice is essential to successfully meeting HIPAA requirements – and ultimately protecting your patients. 5. Staff HIPAA Training Properly train your workforce on all HIPAA privacy and security policies and procedures. This training should be ongoing to ensure that staff is staying up to date with any changes to HIPAA regulations or practice operations. 6. Business Associate Agreements It’s important to be on the same page with everyone that has access to your patient’s secure information. Implementing the proper business associate agreements (BAAs) with all third party vendors that could potentially access PHI ensures patient data is secure while also offsetting liability to business associates should they be the cause of a data breach. There’s a lot that goes into your HIPAA program, even more than the top 6 items listed here, which is why it’s all the more important to have a true culture of compliance in place and a complete HIPAA program to prevent and minimize threats to your patient’s data.
OCR Alert: Windows 7 a Growing Risk for Cyberattacks
August 13, 2020 Have you updated your Microsoft Windows version recently? If your answer is no, then you might be at a greater risk of experiencing a cyberattack. The Office for Civil Rights (OCR) in partnership with the FBI sent out an alert just this morning regarding the increase in cyberthreats to outdated computer networks, specifically the Windows 7 operating system (OS). Windows 7 went end of life (meaning it is no longer supported or patched by Microsoft) in January of this year. Because it is no longer monitored or supported, the OS is missing the necessary security updates to continuously protect against hackers. Utilizing the outdated system dramatically increases the risk of cyberattackers accessing your computer systems – including the sensitive patient data they house. In their alert, the OCR expands on the various vulnerabilities that come from failing to safeguard your practice’s computer network by continuing to use Windows 7, including that: Other factors that increase the current risk include the shift to working remotely and the less secure network connections typically used at home. It is highly recommended to upgrade any outdated computer systems as soon as possible to reduce risk. In addition to updating your operating system, ensure your anti-virus and firewalls are all up to date to best protect your devices from outside threats. While updating core operating software may mean additional costs and resources, the OCR emphasized the importance of following their recommendation in their alert, stating that, “these challenges do not outweigh the loss of intellectual property and threats to an organization.” While HIPAA does not specify a required operating system, meeting required technical safeguards does include keeping your systems secure and as protected as reasonably possible from cyber threats. In this case, that means having an active OS that is still receiving critical security updates. We highly recommend protecting your critical patient information and upgrading any systems necessary as soon as possible.
Recently Offboarded Staff? Don’t Forget About HIPAA Requirements
August 6, 2020 Many practices have an organized system for welcoming a new employee to the team. Usually, new staff is an exciting addition, and you’ve likely got your welcome bag, name tags and business cards at the ready. But, when it comes to the end of an employee’s life cycle at your practice – not uncommon in 2020 due to COVID-19 – the process may not be as exciting or as organized. The uncertainty that surrounds having to terminate an employee can be messy, leading to paperwork and processes being executed in haste. In this hurry, mistakes are often made leaving sensitive patient data exposed to unauthorized recipients. Even if you have the best intentions and think it’ll never happen to you, data breaches continue to surface stemming from improperly terminated access. Whenever you part ways with a former workforce member, full offboarding measures must be taken to ensure full protection of your practice as well as your patient’s data. The HIPAA Security Rule specifically details the required termination procedures in Section 142.308(a)(11) as the “formal, documented instructions for ending employment and closing off internal and external access.” This removal of access can be done by implementing the following offboarding actions: Even for former employees, documentation is still essential when it comes to HIPAA compliance. Your practice should keep all HIPAA training certificates on file for up to 6 years even if terminated. If a breach occurred prior to an employee’s termination, or an audit occurs even after termination, you will need to produce a copy of the training certificate to prove that each staff member was properly trained at the time. Other steps that should be taken on a regular basis to help improve the security within your practice as well as help ensure a smoother offboarding process include: You may have a system in place for offboarding, but if you’re a busy practice there’s no harm in waiting a month or two to make sure access is revoked, right? Well…not so much. Every day that your former staff still have access to PHI is not only another day of increased risk, but also a major concern if ever audited or investigated by the OCR. In fact, failing to properly implement these procedures when offboarding employees has been the catalyst for multiple HIPAA breaches. In 2018, a Colorado Hospital found themselves in a HIPAA violation costing them $111,400 after terminating an employee without proper offboarding. The employee was not removed from the hospital’s online-based scheduling calendar which contained PHI – ultimately allowing continued access to the PHI of almost 600 patients. Along with the former employee’s access, it was found that the medical center’s web-based scheduling calendar vendor also received access to PHI without the proper Business Associate Agreement in place. In response to this settlement OCR Director, Roger Severino emphasized that “This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn’t.” Equally as important as staff is properly offboarding any vendors your practice worked with. If any of your vendors have any access to your practice both physically as well as electronically they must be properly removed when your work contract is terminated. Things like disabling remote access to servers from any accounts with administrative privileges are often overlooked and can be a huge risk for data breaches and HIPAA violations. In fact, having a proper Business Associate Agreement in place with these vendors puts them on the hook for removing access and returning or destroying any PHI they may have had or created on behalf of your practice. Having a comprehensive plan from the start to finish of an employee’s time at your practice will have a huge impact on ensuring the security of the sensitive patient information within your organization. While you most likely won’t have to deal with an employee gone rogue, being proactive and making certain that there are no loose ends when it’s time for a staff member to leave will help make the offboarding process seamless and stress-free.
Abyde Joins Forces With North Carolina Dental Society to Deliver HIPAA Compliance Solutions to Dental Practices
August 5, 2020 August 5, 2020, Tampa, FL – Abyde, a user-friendly HIPAA compliance software solution for dental practices, today announced it has joined North Carolina Dental Society (NCDS) as an endorsed HIPAA compliance solution for North Carolina dentists. As HIPAA complaints and breach threats continue to rise in 2020, the need for practices to understand and implement HIPAA compliance programs is now more important than ever. Abyde’s collaboration with NCDS as an endorsed solution showcases collaborative efforts to help dental practices meet this need and to provide NCDS members with essential tools to realize HIPAA compliance on an ongoing basis. Abyde’s software solution is the easiest way for any sized dental practice to implement and sustain comprehensive HIPAA compliance programs. Abyde’s revolutionary approach guides providers through mandatory HIPAA requirements such as the Security Risk Analysis, HIPAA training for doctors and staff, managing Business Associate Agreements, customized policies, and more. “Joining North Carolina Dental Society as an endorsed solution showcases the value and ease of use dental providers have found with Abyde, and our joint commitment to helping providers realize HIPAA compliance when they need it most,” said Matt DiBlasi, President of Abyde. “We are honored to be a part of North Carolina Dental Society’s select solutions and to play a role in educating and protecting their practices.” “The North Carolina Dental Society chose Abyde for its easy to use and comprehensive program for our members. We are pleased to have Abyde as an endorsed solution,” said Duncan Jennings, Managing Director of NC Services for Dentistry. “We research and endorse solutions allowing our members to focus on their patients in this changing healthcare landscape. Abyde will make identifying compliance opportunities, tracking results, and staying current simple.” About AbydeAbyde (Tampa, FL) is a technology company dedicated to revolutionizing HIPAA compliance for medical professionals. Launched in January 2017, Abyde was formed with the idea that there could exist an easier, more cost-effective way for healthcare providers to comply with government-mandated HIPAA regulations. For more information on Abyde visit abyde.com. About NCDSThe North Carolina Dental Society was founded in 1856 and remains one of the oldest dental societies in the country. Representing 3,900 member dentists across the state, our mission is to help all members succeed. The NC Dental Society is a part of the American Dental Association, the nation’s largest dental association, representing 163,000 member dentists, and the leading source of oral health information. For more information, visit https://www.ncdental.org. Read the full press release here.
HHS Extends National Public Health Emergency & Limited HIPAA Waivers
July 30, 2020 COVID-19 has made 2020 feel like both the shortest and longest year ever, and if rising cases are any indication it’s not likely to let up anytime soon. You may have already expected our ‘new normal’ of mask-wearing, keeping a 6-foot distance, and HIPAA waivers to be here for the long haul, and the recent Department of Health and Human Services (HHS) extension of the National Public Health Emergency solidifies that notion. Just last week the HHS announced the renewal of the National Public Health Emergency and an extension of limited HIPAA waivers until October 23, 2020. This declaration means more than continued social distancing rules, and also extends the many other waivers and flexibilities issued by the HHS in the initial response to the pandemic. These waivers work to mitigate the risks to the health of the general public while assisting healthcare providers with the necessary accommodations to protect their practice and continue serving their patients. To give a recap on everything that’s been changed or updated in lieu of COVID-19: In addition to the specific waivers granted in response to the pandemic, practices should be aware of additional guidance covering the expansion of cyber security attacks in response to increased remote operations, reminders on restrictions of sharing patient information to the media, and proactively safeguarding against the recent rise in patient complaints due to COVID-19. As part of the recent extension of HIPAA waivers, the HHS has specified a 90-day period until waivers are expected to be lifted. Practice’s now have a clear timeframe of when they need to implement HIPAA compliant solutions for tools like telehealth which may currently be done using a non-compliant software. To prevent a HIPAA violation as these waivers end in October, it’s important that your practice proactively prepares by: While these HIPAA regulation flexibilities have been extended, they aren’t going to last forever. Keeping your practice one step ahead will make all the difference in your ability to avoid any HIPAA violations or fines as standard regulations take effect again. If HIPAA hasn’t been your number one priority over the past few months, you should start now and use this 90-day extension to ensure you have a complete compliance program in place, especially as 2020 continues to fly by.