HIPAA

Two Major HIPAA Fines
Fines, HIPAA

OCR Levies Two HIPAA Fines Totalling $1,065,000 Amidst COVID-19

July 27, 2020 Comments Off on OCR Levies Two HIPAA Fines Totalling $1,065,000 Amidst COVID-19

July 27, 2020 Even in the midst of COVID-19, the Office for Civil Rights (OCR) hasn’t let up on finding and enforcing HIPAA violations. Within just this past week, both a small healthcare provider along with a larger health system found themselves facing HIPAA violations that resulted in hefty fines – $25,000 and $1.04 million, respectively – as well as extensive corrective action plans.  Continued Disregard for HIPAA A small practice based out of North Carolina, Metropolitan Community Health Services (d/b/a Agape Health Services) filed their initial breach report all the way back in 2011 when there was an impermissible disclosure of PHI to an unknown email account. While the violation may have been triggered by an impermissible disclosure of protected health information (PHI), the OCR’s hammer was brought down in large part by the practice’s continued disregard for HIPAA requirements and protections for their patient’s PHI. The disclosure impacted over 1,000 patients and the practice’s report opened the doors to an OCR investigation of their entire HIPAA program. The investigation shed light on the practice’s failure to comply with various HIPAA Security Rule regulations, including: Even after reporting the breach in 2011, the practice didn’t implement these missing HIPAA requirements in any hurry. Staff weren’t trained properly on HIPAA until 2016 – five years after the initial complaint was reported. The lack of progress made to safeguard their patients’ information resulted in the OCR levying a $25,000 fine years after the impermissible disclosure took place, in part as a result of continuously failing to mediate the gaps in their HIPAA program. OCR Director, Roger Severino, emphasized the practice’s lack of effort in his statement accompanying the press release. “Health care providers owe it to their patients to comply with the HIPAA Rules. When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information.” This fine highlights that it is imperative to not only have a comprehensive HIPAA compliance program in place before a breach occurs, but also ensure that safeguards are implemented after a breach has been identified – the OCR has made it clear that showing a lack of progress is one way to guarantee you end up in their crosshairs.  Unencrypted Laptop The second violation involved a large healthcare system in Rhode Island, Lifespan ACE, and resulted in a whopping $1,040,000 resolution agreement. Back in 2017, a Lifespan employees’ car was broken into and a single unencrypted laptop containing patient information from various entities within the healthcare system was stolen. This data breach led to the impermissible disclosure of over 20,000 individuals PHI and opened the doors for the OCR’s further investigation. Upon investigation, it was found that they were missing various elements of their HIPAA program including:  Because the laptop was not encrypted, a single technical safeguard that could have prevented the violation, the PHI of any patient that was accessible using the device was at high risk for misuse. Part of the OCR’s investigation revealed “systemic non-compliance” with HIPAA, including various other media and device controls such as proper encryption. “Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality.  Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves,” added Roger Severino, OCR Director in the news release. This fine emphasizes that even when theft is outside of a covered entity’s control, the responsibility still falls on the provider to properly encrypt and safeguard that valuable data. While preventing every single possibility of a data breach might be unrealistic, maintaining a proactive HIPAA compliance program that meets federal requirements and includes all appropriate encryption and technical safeguards is achievable. Ensuring you have a complete program with all aspects of HIPAA reviewed and implemented is key – and stress-free when done with an intuitive software solution like Abyde.  

Requirements for HIPAA Training
Best Practices, HIPAA

Requirements for HIPAA Training

July 22, 2020 Comments Off on Requirements for HIPAA Training

July 22, 2020 You know the saying ‘teamwork makes the dream work’? The same goes for HIPAA compliance within your practice, too. The easiest way to make sure everyone is on the same page is to implement a comprehensive HIPAA compliance training program. HIPAA training is key to securing your patients’ information and instilling a culture of compliance within your organization. Compliance is a group effort, and ensuring that all workforce members have a full understanding of their HIPAA responsibilities will limit the accidental exposure of protected health information (PHI) and avoid potential high dollar settlements for the practice.   58% of healthcare breaches involve practice employees, and these breaches are largely a result of employees improperly disclosing patient information, the mishandling of medical records, losing devices containing electronic protected health information (ePHI), or a general lack of training. This makes education a key aspect in preventing improper access or misuse of PHI. Unfortunately, the Office for Civil Rights (OCR) doesn’t provide any lesson plans or online training classes – leaving the burden of providing proper education completely on your practice. Here are a few key points to keep in mind when it comes to the “who, what, when, and how” of employee training. Who needs to be trained?  All workforce members, part-time, contract, or full-time, that come into contact with protected health information must be properly trained. This includes providers as well. HIPAA law states that training must be done “as necessary and appropriate for the members of the workforce to carry out their functions.”  Some staff members, like your practice’s HIPAA Compliance Officer, should be trained more frequently than the rest of the staff and the material should be specific to their HCO duties. What needs to be included in the training?  HIPAA doesn’t specify any particular topics that should be covered or what timeframe they should be addressed in, but training should be designed around what a staff member needs to know in order to perform their job function. That might include new employee training that covers the basics and additional training that dive more deeply into the nuances of how HIPAA impacts the staff’s daily job roles. Common HIPAA training topics include: When should employees be trained?  While HIPAA does not technically specify the timeframe of ongoing training, most agree that annual training is the appropriate timeframe to keep HIPAA top of mind for staff. In addition, any new employees must complete initial training on HIPAA within a reasonable time after being hired – this is recommended within the first 90 days of employment. HIPAA training should be a key part of the employee onboarding process to ensure compliance. It will also set the standard that HIPAA compliance is important to your practice.  How long must each training be?  There’s no specified length of training regulated by HIPAA, but the length must be sufficient enough to cover all the necessary materials. The quality of the information being provided as well as the effectiveness of how it is taught is the most important aspect of proper training. This could mean a shorter but more engaging training, such as an animated video and interactive quiz. There’s also no specifics that identify if training must be completed individually or as a group. Utilizing training videos may help your practice avoid losing valuable patient time by letting staff complete training on their own time. What is required to document training? One of the most important aspects of completing HIPAA training is to document each staff member’s completion. When it comes to HIPAA, document, document and document some more. It is key to providing proof of compliance if ever audited or breached. For training, a certificate of completion showing who completed the training and when it was completed will show all needed information. Offering a modular-type training format, such as a quiz after training, is important for showing that employees retained the material. Unpacking HIPAA means peeling back a lot of layers, and ensuring that each employee is properly trained on HIPAA’s nuances to fully understand what’s needed to be compliant may seem daunting. A solution like Abyde makes HIPAA training as easy as a click of a button, sending animated training videos that keep HIPAA fun and engaging. No matter the training solution your practice chooses, make sure it meets all HIPAA requirements and most importantly delivers content in a way that will be retained and understood by your employees. 

Best Practices, HIPAA

My EHR system makes me HIPAA compliant, right?

July 16, 2020 Comments Off on My EHR system makes me HIPAA compliant, right?

July 16, 2020 Let’s face it, in today’s digital age, it’s tough to find a medical practice that doesn’t utilize an Electronic Health Records (EHR) system. Even if you were late to the game and just recently made the switch, the use of EHRs in doctor’s offices nearly doubled between 2009 and 2017, to almost 86% of providers. One of the biggest qualifications for any EHR system is that it meets all HIPAA compliance requirements to protect the sensitive patient data held within it. But is that where HIPAA compliance begins and ends?  A common misconception many providers have, however, is that implementing a HIPAA compliant EHR ensures their practice is in compliance with all standards  – instead, it’s just one piece of the much larger puzzle. Make no mistake, having a HIPAA compliant EHR is essential. There are a number of safeguards that should be implemented to protect your EHR’s electronic data, such as:  While these safeguards are key, there are other HIPAA requirements that go beyond the security of your EHR software and impact your practice’s operations, physical accessibility, and all technology used within the organization – including IT networks and other applications not included in your EHR software. That’s why the Security Risk Analysis’ three sections – administrative, physical, and technical safeguards – are so essential to ensure every aspect of your business’ risk is assessed. Even non-HIPAA experts can conclude that having a HIPAA compliant EHR system is a no brainer. But missing all, or even just some, of the other pieces to the puzzle puts your practice and your patients at high risk. In fact, within  Abyde’s Security Risk Analysis, only 10% of the questions pertain to your EHR system. Whether with Abyde, internally, or with another vendor – it’s essential to review the other 90% of your necessary safeguards before getting slammed with a HIPAA violation. 

HIPAA Compliant Marketing for Healthcare Practices
Best Practices, HIPAA

HIPAA Compliant Digital Marketing for Healthcare Practices

July 8, 2020 Comments Off on HIPAA Compliant Digital Marketing for Healthcare Practices

July 8, 2020 Nowadays, you can shop online for anything – from chopsticks that double as LED lightsabers to a wig for your dog (seriously, we’re not kidding), and shopping online for a healthcare provider is no different. The internet plays a key role in a healthcare consumer’s decision making, in fact, according to a study released by the Pew Internet & American Life Project, “80 percent of Internet users, or about 93 million Americans, have searched for a health-related topic online.” Let’s face it, we use the internet for basically anything and everything nowadays especially as we continue to adapt in today’s COVID-19 world, which is why it’s important for your practice to understand what is and isn’t allowed when it comes to HIPAA compliance and online marketing.  Using online marketing as a tool can be extremely beneficial for practices. Most medical practices have a website and many use social media and email marketing as tools to reach potential patients – ensuring you are utilizing these platforms in a HIPAA compliant manner is imperative to marketing in the right ways while still ensuring the privacy of your patients and security of your practice. Whether it be for your practice website, social media page, or advertisement – if you would like to use any type of patient information there are some strict guidelines to follow: Your Practice Website Having a HIPAA compliant website for your practice enables patients to search for information regarding the services that you provide, and ultimately drive new patients to you. The following are some key tips to follow when creating and maintaining the website for your practice:   Email Marketing  If choosing to use email marketing to engage with patients there are some key safeguards you must take to ensure you’re protecting your patients’ information and aren’t setting yourself up for a HIPAA violation:  Social Media  Nowadays social media platforms play a large role in consumers’ decision making. Having a strong social media presence can be a great asset to your practice, but in order to use social media to your advantage, you should follow these guidelines:  Where marketing regulations get tricky is patient reviews or comments on digital platforms. While patients are able to post a review or comment about your practice, you cannot respond in any capacity that ties the patient to your practice. A dental practice in Texas was faced with a $10,000 fine along with a 2-year corrective action plan after they responded to a patients’ Yelp review. The practice had responded to multiple reviews the investigation found, disclosing patient information including names, medical diagnoses, and more and was only hit with a small fine due to their immediate cooperation with the Office for Civil Rights. On top of ensuring that you’re meeting all the criteria for a safeguarded online presence, you should also create a well-documented strategy that clearly outlines what’s permitted and what isn’t for your staff. This should cover the necessary policies and procedures for marketing to patient’s whether it is done online, over the phone, or in person.

Is My Telehealth Solution HIPAA Compliant?
Best Practices, HIPAA

Is Your Telehealth Solution HIPAA Compliant?

July 2, 2020 Comments Off on Is Your Telehealth Solution HIPAA Compliant?

July 2, 2020 Ever thought you’d be saying “What’s up Doc?” on a video chat from home? Telehealth has made remote visits a new reality – though not all telehealth providers have been created equal when it comes to being HIPAA compliant. Why is it important for telehealth to be compliant? 90% of healthcare executives have already or are planning to adopt telehealth services within their operations, and as remote patient care continues to explode in popularity so do the risks to compromising that patient information. Part of telehealth’s current popularity is due to COVID-19. To best meet the urgency  brought on by COVID-19, the Office for Civil Rights (OCR) provided an update to the provision of telehealth services allowing providers to use any form of non-public facing video communications with patients, even if they weren’t considered ‘HIPAA compliant.’ While this enforcement discretion is only temporary, we can predict that the general public will prefer to keep their distance and avoid face-to-face doctor visits if possible for the foreseeable future. In fact, a recent study found that 74% of Americans would be comfortable and willing to use telehealth services for their doctors appointments.    While COVID-19 has made a major impact on telehealth services, the ability to provide care remotely has been growing in popularity for several years. The value of telehealth goes beyond allowing for social distancing between patients and providers, including:  With all the benefits presented in utilizing telehealth services, there are also additional risks to be aware of. The following are some key recommendations for implementing telehealth in the most secure way possible:    The explosion of telehealth providers to meet the new demand after COVID-19 has seen some great – and some not so great – products within the telehealth market. If you are looking into adding a telehealth solution, be sure it is one that has proper safeguards and programming to prevent and contain possible cyber threats. An unsecured telehealth provider could make your patient data vulnerable – such as chatbot and telehealth startup Babylon Health, whose users found dozens of videos of other patients’ appointment consultations in their app due to a software glitch. While the issue was quickly corrected, implementing a non-compliant telehealth app creates a high risk for potentially compromising patient data. As the healthcare industry continues to implement technology solutions, it’s important to ensure that sensitive patient information remains safeguarded from additional risks that technology presents. Utilizing HIPAA compliant providers for telehealth and having the proper Business Associate Agreements in place are key to providing the most effective and protective services for your patients.

When Sharing PHI is HIPAA Approved
HIPAA

Should I Share This? When Sharing PHI is HIPAA Approved

June 18, 2020 Comments Off on Should I Share This? When Sharing PHI is HIPAA Approved

June 18, 2020 We get it, the struggle is real. The moans and groans with HIPAA always seem to get louder when medical practices are faced with figuring out to whom and how sensitive data can be shared. Contrary to what many believe, HIPAA is all about properly sharing protected health information (PHI) – not preventing it entirely. Sometimes, lacking confidence that internal policies are in alignment with best practices on sharing PHI securely can cause a practice to hesitate to (or altogether not) send PHI to other parties requesting it, including other providers. Unfortunately, not acting in a timely manner and failing to comply with the request to share PHI with another provider can be a costly one. Proper disclosure of PHI is highly regulated under HIPAA when it comes to sharing or receiving patient records from another practice, and there are consequences to both sharing too much information – or not enough. First, the HIPAA Privacy Rule does in fact permit a health care provider to share patient information for treatment and healthcare operation purposes without needing written patient authorization as long as the reasonable safeguards to protect the information are used. To clarify what the U.S. Department of Health and Human Services (HHS) considers as treatment and operation purposes, “Treatment means the provision, coordination, or management of healthcare and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.”  Some key notes on sharing PHI between providers:  Additionally, if a patient is the one requesting their records to be sent to another provider: It’s time for providers to change their perspective on HIPAA – which is widely considered a restrictive set of laws and regulations. HIPAA is meant to be a guideline on how to securely and efficiently share sensitive and valuable data. Not a barrier or inhibitor as so many see it now. Being able to do so will have positive effects on the healthcare industry as a whole and improve patient care for years and years. Don’t let the unknowns of HIPAA keep data from those who have lawful access to them such as other providers or patients. If so, it is just as much of a HIPAA violation as sharing sensitive data with the wrong people.

State Laws vs HIPAA
HIPAA, Legislation

State Laws vs HIPAA – What You Need to Know

June 8, 2020 Comments Off on State Laws vs HIPAA – What You Need to Know

June 8, 2020 When it comes to regulations surrounding the privacy and security of health information, federal HIPAA laws are typically the golden rules to follow. But did you know that many states have their own laws surrounding patient rights, data privacy, and medical records which sometimes overrule the federal guidelines? These state laws either predate the enactment of HIPAA or were passed to create stricter safeguards and typically focused on technology use. We understand HIPAA laws are confusing, and ensuring that you’re following the rules only becomes a little harder when it’s not crystal clear which rules are the ‘right’ ones.  It’s important to note that when HIPAA laws and state laws go head to head, HIPAA typically comes out on top. But like most things, there are some exceptions to the rule where the state law takes precedence. These specific instances include:  In HHS’ own words, “HIPAA provides a Federal floor of privacy protections for individuals’ individually identifiable health information,” basically meaning that any laws that are viewed to be ‘weaker’ than HIPAA regulations will be overruled. State laws will also be overruled if they contradict a HIPAA law. It’s not always easy to determine which laws are stricter and there are many areas of overlap between HIPAA regulations and state-specific laws. To try and give some clarity, here are some topics that commonly conflict each other:  Source: healthinfolaw.org As data privacy has become an increasing topic of concern, individual state’s as well as the federal government have been enacting stricter policies on matters that concern the security and privacy of electronic health information. More recently, events such as the COVID-19 public health emergency have been a catalyst for updating regulations to best meet the changing needs of the public. And as HIPAA laws, as well as state laws, have been under constant update, it’s harder for practices to keep up. We know that HIPAA alone is confusing, especially when you add in state-specific rules and regulations, which is why Abyde dynamically generates policies and procedures specific to your practice and the state you’re located in if applicable. With Abyde you don’t have to worry about reading through pages of laws, determining whether there are any contradictions, and figuring out which law preempts the other – we’re here as your HIPAA experts to help do so for you! While we know HIPAA like the back and maybe even front of our hand, there may be laws outside of HIPAA that impact your practice and overall operations – this blog article shouldn’t be considered legal advice, and we always recommend consulting with a legal team regarding your practice’s legal needs!

What is a HIPAA Security Risk Analysis
Best Practices, HIPAA

So, What Exactly is a Security Risk Analysis?

June 2, 2020 Comments Off on So, What Exactly is a Security Risk Analysis?

June 2, 2020 You might be aware that all practices need to complete a ‘Security Risk Analysis’ as a part of their HIPAA compliance program, but do you know exactly what this analysis covers? While this is the first step and among the most important aspects of a complete HIPAA program, it is often missed or not properly completed – in fact, during the latest round of OCR audits, 86% of covered entities could not show a properly documented Security Risk Analysis for their practice.  The HIPAA Security Rule defines a Security Risk Analysis (SRA) as an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronically protected health information held by the covered entity or business associate.” In layman’s terms, the risk analysis is a systematic review of your processes and policies that is ultimately designed to shed light on any aspects of your practice that could be considered weaknesses in protecting the privacy and security of your practice and the protected health information (PHI) it holds. Not having a properly documented analysis leaves potential risks unidentified and is a huge red flag for your overall compliance efforts. What questions does an SRA need to include? There is no specific checklist to follow when it comes to performing a risk analysis for your practice. The OCR does however provide specific elements that should be included. Your assessment should:  Completing a risk analysis for your organization is not just a one-time thing. Assessments should be reviewed periodically, especially as new work processes are implemented or technologies are updated. After events such as COVID-19, addressing any changes your practice made regarding remote operations, utilizing telehealth services, or receiving/providing more information electronically rather than in a physical exchange are all things that will need to be addressed for any additional vulnerabilities or threats they brought on.  What’s the best way to tackle an SRA? If your organization hasn’t completed an SRA before or has done so in a more basic or incomplete manner, using an outside organization will help to ensure all areas of the SRA are fully completed and documented accordingly. A third party can also help add new areas and questions to the SRA that reflect changing regulations as well as technology enhancements that present new threats or vulnerabilities to your organization.

It’s Time to Trash Your HIPAA Binder
Best Practices, HIPAA

It’s Time to Trash Your HIPAA Binder

May 27, 2020 Comments Off on It’s Time to Trash Your HIPAA Binder

May 27, 2020 You can shred it, burn it, use it as a paperweight – we don’t really have a preference – but by all means, it’s time to move on from your out-dated physical HIPAA manual. When trying to comply with HIPAA regulations, it may seem counterintuitive to roast smores using documented privacy policies and procedures, but now is the perfect time to grab your massive HIPAA binder that hasn’t been touched in years and toss it out with yesterday’s newspaper. Technology has paved the way for increased efficiency within medical practices. The days of thumbing through filing cabinets have been relieved by databases providing instant access to everything your practice may need. This transformation provides countless benefits for both practices and patients, just as modernization has benefitted HIPAA regulations.  The medical industry, among others, continues to move towards more ‘paperless’ operations – including that bulky, cumbersome HIPAA manual most often left collecting dust in a closet within your practice. Despite these advances, many practices are still relying on a physical binder or other paper-based resource to keep track of their HIPAA compliance policies and procedures. In fact, many may still think that a paper manual is the only way to meet HIPAA requirements. While this would be a valid source of documentation should your practice ever experience a data breach or audit, HIPAA regulations don’t specify the need for a physical or paper copy of your documentation. In fact, there are many benefits to taking your stack of unused papers into the electronic realm. An electronic binder (especially one through a cloud-based software provider) offers a number of benefits, including: There is a lot that comes with maintaining HIPAA compliance – and the biggest hurdle many practices face is having the proper documentation of this culture of compliance. If your practice has put in the hard work to complete your risk analysis, documenting that work properly and in an accessible format is essential. In fact, 83% of practices that were audited by the OCR in 2019 did not have a properly documented security risk analysis. This is in part due to outdated paper policies that don’t fit the practice’s current structure or procedures. An electronic and continually updated HIPAA ‘binder’, in contrast, fulfills all HIPAA regulations and requirements around documentation. COVID-19 has had a large impact on HIPAA enforcement and regulations, and many practices have begun utilizing telehealth services as well as implemented new policies and procedures surrounding cybersecurity during newly remote operations. All of these changes and updates to your practice’s work with PHI, even if it’s just temporary, must be documented properly within your HIPAA manual. Having an electronic version of your manual means going in and updating with a few clicks of a button – saving your practice time (and paper) during an already turbulent time.  If your practice has always had a paper HIPAA binder, moving to an electronic manual that offers all of the above features may be easier said than done. That’s where a HIPAA compliance software solution, like Abyde, comes in to ensure your HIPAA program is up-to-date with any new changes regarding HIPAA or state-specific laws with dynamically generated policies and procedures built specifically for your practice – providing you much more than just an updated version of your HIPAA manual. If your practice has been stuck on paper, let us show you how going electronic can save you hours of HIPAA headaches.

Returning to Office Remote Healthcare Workers
HIPAA

We Know You Want to Get Back to the Office – Here’s How

May 14, 2020 Comments Off on We Know You Want to Get Back to the Office – Here’s How

May 14, 2020 Is working in your living room with your pets/kids/significant other driving you crazy yet? Us too – but here’s why a measured approach is important to returning back to the office 2020 has been anything but predictable and it’s hard to speculate exactly how life after COVID-19 is going to be – or how soon we’ll get to the point we can call ‘after’. Some healthcare practices along with other businesses have started reopening their doors but with how much has changed over the course of the past few months, it’s easy to find yourself wondering which way is up when it comes to easing back into life outside of the bubble we’ve been living in.  As many organizations transition back from working at the kitchen table in pajamas, the question of “is it safe to bring employees back into the office” is not taken lightly. Practicing social distancing, wearing protective face masks, and self-isolating, if you have any potential symptoms, are all preventative measures that we should anticipate continuing for the foreseeable future. If your practice is considering bringing employees back into an office environment to continue offering medical services, here’s are a few things to consider: 1. Limit Employee Risk in Returning to Work Healthcare personnel, whether they have been on the front lines during the pandemic or not, have been and will continue to be at risk for contracting or spreading the virus. The CDC issued several strategies on how healthcare providers can determine whether their staff members can safely return to work or not based on monitoring for symptoms over the recommended course of time along with COVID-19 tests.  Some businesses have discussed screening employees for the virus prior to returning to work to ultimately ensure a safer work environment, yet this concept must still take into consideration HIPAA privacy laws regarding testing results being released to businesses. In fact, the HIPAA Privacy Rule does allow for healthcare providers to disclose patient information to employers only if the patient gives written consent authorizing the release or if the testing falls under HIPAA’s workplace medical surveillance exception. If the employer pays for the testing they are eligible to receive information regarding when the testing occurred but, importantly, not the results of the test. Whether you decide to engage in testing or not, make sure that any PHI generated as a result of testing still follows HIPAA guidelines for privacy and security. 2. Prepare for Limited Waivers to Expire HIPAA has been a headlining topic throughout the pandemic as the CDC has been constantly updating regulations and enforcement discretions to best mitigate health risks to the public. Good faith provisions for disclosing PHI as well as limited waivers for telehealth usage were among the top changes to HIPAA, but as highly emphasized in each waiver, these discretions only remain in place for the duration of the public health emergency. It’s important for healthcare providers to continue to keep HIPAA compliance a priority especially as waivers begin to lift and to be fully prepared to return to normal enforcement. If your practice has been using telehealth to continue seeing patients, for example, and you might continue to use telehealth even after a return to ‘normal’ operations, it’s essential that you utilize a vendor who offers HIPAA compliant video communication services to do so, and that you get a proper Business Associate Agreement signed with your vendor.  3. Ensure Remote Data Collection is HIPAA-Compliant You are probably already aware that PHI cannot be sent simply in an email. As many practices have sought new ways to manage remote operations and limit physical interaction, the same encryption and security standards must be applied as your practice would use to send PHI even before COVID-19.  If your practice is considering collecting more patient information or insurance information electronically instead of a physical form or insurance card, make sure you are utilizing a secure system like a patient portal or encrypted email server to transfer any sensitive data.  4. Consider Reviewing Passwords and Security Processes Over the course of the pandemic, cyber-attacks have been a looming threat, especially to healthcare practices. While working from home played a large role in enabling hackers to access protected information through less-secure networks, it’s important to not lose sight of these concerns even when you go back to your office. Continuing to look out for common scams and knowing how to identify and respond to a potential threat will always be important to ensuring the security of your practice. Consider changing passwords or login information after returning to the office that may have been compromised during remote work, and update your security software to the best possible protection. Review the devices used for remote work to determine if any further action is needed to ensure proper security if still working in part remotely.    With everything that 2020 has thrown our way – being confident and prepared in your ability to get your practice back up and running in a safe and HIPAA compliant manner will make all of the difference in the transition – and help make the rest of the year a little less stressful than the start.

Are you prepared for OSHA's Workplace Violence Prevention requirements? Learn what you need to do to be compliant.

DOWNLOAD CHECKLIST
X