July 8, 2020

Nowadays you can shop online for anything – from chopsticks that double as LED lightsabers to a wig for your dog (seriously, we’re not kidding) – and shopping online for a healthcare provider is no different. The internet plays a key role in a healthcare consumer’s decision making; in fact, according to a study released by the Pew Internet & American Life Project, “80 percent of Internet users, or about 93 million Americans, have searched for a health-related topic online.” Let’s face it, we use the internet for basically anything and everything nowadays, especially as we continue to adapt in today’s COVID-19 world, which is why it’s important for your practice to understand what is and isn’t allowed when it comes to HIPAA compliance and online marketing.

Using online marketing as a tool can be extremely beneficial for practices. Most medical practices have a website, and many use social media and email marketing as tools to reach potential patients. Ensuring you are using these platforms in a HIPAA compliant manner is imperative to marketing in the right ways while still protecting the privacy of your patients and the security of your practice. Whether it be for your practice website, social media page, or advertisement – if you would like to use any type of patient information, there are some strict guidelines to follow:

Your Practice Website

Having a HIPAA compliant website for your practice enables patients to search for information regarding the services that you provide, and ultimately drives new patients to you. The following are some key tips to follow when creating and maintaining the website for your practice:

Email Marketing

If you choose to use email marketing to engage with patients, there are some key safeguards you must take to ensure you’re protecting your patients’ information and aren’t setting yourself up for a HIPAA violation:

Social Media

Nowadays social media platforms play a large role in consumers’ decision making.
Having a strong social media presence can be a great asset to your practice, but in order to use social media to your advantage, you should follow these guidelines:

Where marketing regulations get tricky is patient reviews or comments on digital platforms. While patients are able to post a review or comment about your practice, you cannot respond in any capacity that ties the patient to your practice. A dental practice in Texas was faced with a $10,000 fine along with a 2-year corrective action plan after it responded to a patient’s Yelp review. The investigation found that the practice had responded to multiple reviews, disclosing patient information including names, medical diagnoses, and more; it was only hit with a small fine due to its immediate cooperation with the Office for Civil Rights.

On top of ensuring that you’re meeting all the criteria for a safeguarded online presence, you should also create a well-documented strategy that clearly outlines for your staff what is permitted and what isn’t. This should cover the necessary policies and procedures for marketing to patients, whether it is done online, over the phone, or in person.
Is Your Telehealth Solution HIPAA Compliant?
July 2, 2020

Ever thought you’d be saying “What’s up, Doc?” on a video chat from home? Telehealth has made remote visits a new reality – though not all telehealth providers have been created equal when it comes to being HIPAA compliant.

Why is it important for telehealth to be compliant?

90% of healthcare executives have already adopted or are planning to adopt telehealth services within their operations, and as remote patient care continues to explode in popularity, so do the risks of compromising that patient information. Part of telehealth’s current popularity is due to COVID-19. To best meet the urgency brought on by COVID-19, the Office for Civil Rights (OCR) provided an update to the provision of telehealth services allowing providers to use any form of non-public facing video communications with patients, even if they weren’t considered ‘HIPAA compliant.’ While this enforcement discretion is only temporary, we can predict that the general public will prefer to keep their distance and avoid face-to-face doctor visits if possible for the foreseeable future. In fact, a recent study found that 74% of Americans would be comfortable and willing to use telehealth services for their doctors’ appointments.

While COVID-19 has made a major impact on telehealth services, the ability to provide care remotely has been growing in popularity for several years. The value of telehealth goes beyond allowing for social distancing between patients and providers, including:

With all the benefits presented in utilizing telehealth services, there are also additional risks to be aware of. The following are some key recommendations for implementing telehealth in the most secure way possible:

The explosion of telehealth providers to meet the new demand after COVID-19 has seen some great – and some not so great – products within the telehealth market.
If you are looking into adding a telehealth solution, be sure it is one that has proper safeguards and programming to prevent and contain possible cyber threats. An unsecured telehealth provider could make your patient data vulnerable – such as chatbot and telehealth startup Babylon Health, whose users found dozens of videos of other patients’ appointment consultations in their app due to a software glitch. While the issue was quickly corrected, implementing a non-compliant telehealth app creates a high risk of compromising patient data.

As the healthcare industry continues to implement technology solutions, it’s important to ensure that sensitive patient information remains safeguarded from the additional risks that technology presents. Utilizing HIPAA compliant providers for telehealth and having the proper Business Associate Agreements in place are key to providing the most effective and protective services for your patients.
Should I Share This? When Sharing PHI is HIPAA Approved
June 18, 2020

We get it, the struggle is real. The moans and groans about HIPAA always seem to get louder when medical practices are faced with figuring out with whom, and how, sensitive data can be shared. Contrary to what many believe, HIPAA is all about properly sharing protected health information (PHI) – not preventing it entirely.

Sometimes, lacking confidence that internal policies are in alignment with best practices on sharing PHI securely can cause a practice to hesitate to send (or altogether not send) PHI to other parties requesting it, including other providers. Unfortunately, not acting in a timely manner and failing to comply with a request to share PHI with another provider can be costly. Proper disclosure of PHI is highly regulated under HIPAA when it comes to sharing or receiving patient records from another practice, and there are consequences both to sharing too much information and to sharing not enough.

First, the HIPAA Privacy Rule does in fact permit a health care provider to share patient information for treatment and healthcare operation purposes without needing written patient authorization, as long as reasonable safeguards to protect the information are used. To clarify what the U.S. Department of Health and Human Services (HHS) considers treatment and operation purposes: “Treatment means the provision, coordination, or management of healthcare and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.”

Some key notes on sharing PHI between providers:

Additionally, if a patient is the one requesting their records to be sent to another provider:

It’s time for providers to change their perspective on HIPAA, which is widely considered a restrictive set of laws and regulations.
HIPAA is meant to be a guideline on how to securely and efficiently share sensitive and valuable data, not a barrier or inhibitor as so many see it now. Being able to do so will have positive effects on the healthcare industry as a whole and improve patient care for years to come. Don’t let the unknowns of HIPAA keep data from those who have lawful access to it, such as other providers or patients. Doing so is just as much of a HIPAA violation as sharing sensitive data with the wrong people.
State Laws vs HIPAA – What You Need to Know
June 8, 2020

When it comes to regulations surrounding the privacy and security of health information, federal HIPAA laws are typically the golden rules to follow. But did you know that many states have their own laws surrounding patient rights, data privacy, and medical records which sometimes overrule the federal guidelines? These state laws either predate the enactment of HIPAA or were passed to create stricter safeguards, and they typically focus on technology use. We understand HIPAA laws are confusing, and ensuring that you’re following the rules only becomes harder when it’s not crystal clear which rules are the ‘right’ ones.

It’s important to note that when HIPAA laws and state laws go head to head, HIPAA typically comes out on top. But like most things, there are some exceptions to the rule where the state law takes precedence. These specific instances include:

In HHS’ own words, “HIPAA provides a Federal floor of privacy protections for individuals’ individually identifiable health information,” basically meaning that any laws that are viewed to be ‘weaker’ than HIPAA regulations will be overruled. State laws will also be overruled if they contradict a HIPAA law. It’s not always easy to determine which laws are stricter, and there are many areas of overlap between HIPAA regulations and state-specific laws. To try to give some clarity, here are some topics that commonly conflict with each other:

Source: healthinfolaw.org

As data privacy has become an increasing topic of concern, individual states as well as the federal government have been enacting stricter policies on matters that concern the security and privacy of electronic health information. More recently, events such as the COVID-19 public health emergency have been a catalyst for updating regulations to best meet the changing needs of the public. And as HIPAA laws, as well as state laws, have been under constant update, it’s harder for practices to keep up.
We know that HIPAA alone is confusing, especially when you add in state-specific rules and regulations, which is why Abyde dynamically generates policies and procedures specific to your practice and to the state you’re located in, if applicable. With Abyde you don’t have to worry about reading through pages of laws, determining whether there are any contradictions, and figuring out which law preempts the other – we’re here as your HIPAA experts to do so for you!

While we know HIPAA like the back (and maybe even the front) of our hand, there may be laws outside of HIPAA that impact your practice and overall operations. This blog article shouldn’t be considered legal advice, and we always recommend consulting with a legal team regarding your practice’s legal needs!
So, What Exactly is a Security Risk Analysis?
June 2, 2020

You might be aware that all practices need to complete a ‘Security Risk Analysis’ as a part of their HIPAA compliance program, but do you know exactly what this analysis covers? While this is the first step and among the most important aspects of a complete HIPAA program, it is often missed or not properly completed – in fact, during the latest round of OCR audits, 86% of covered entities could not show a properly documented Security Risk Analysis for their practice.

The HIPAA Security Rule defines a Security Risk Analysis (SRA) as an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronically protected health information held by the covered entity or business associate.” In layman’s terms, the risk analysis is a systematic review of your processes and policies that is ultimately designed to shed light on any aspects of your practice that could be considered weaknesses in protecting the privacy and security of your practice and the protected health information (PHI) it holds. Not having a properly documented analysis leaves potential risks unidentified and is a huge red flag for your overall compliance efforts.

What questions does an SRA need to include?

There is no specific checklist to follow when it comes to performing a risk analysis for your practice. The OCR does, however, provide specific elements that should be included. Your assessment should:

Completing a risk analysis for your organization is not just a one-time thing. Assessments should be reviewed periodically, especially as new work processes are implemented or technologies are updated.
After events such as COVID-19, any changes your practice made regarding remote operations, utilizing telehealth services, or receiving/providing more information electronically rather than through a physical exchange will need to be addressed for any additional vulnerabilities or threats they brought on.

What’s the best way to tackle an SRA?

If your organization hasn’t completed an SRA before, or has done so in a more basic or incomplete manner, using an outside organization will help to ensure all areas of the SRA are fully completed and documented accordingly. A third party can also help add new areas and questions to the SRA that reflect changing regulations as well as technology enhancements that present new threats or vulnerabilities to your organization.
It’s Time to Trash Your HIPAA Binder
May 27, 2020

You can shred it, burn it, use it as a paperweight – we don’t really have a preference – but by all means, it’s time to move on from your outdated physical HIPAA manual. When trying to comply with HIPAA regulations, it may seem counterintuitive to roast s’mores using documented privacy policies and procedures, but now is the perfect time to grab your massive HIPAA binder that hasn’t been touched in years and toss it out with yesterday’s newspaper.

Technology has paved the way for increased efficiency within medical practices. The days of thumbing through filing cabinets have been replaced by databases providing instant access to everything your practice may need. This transformation provides countless benefits for both practices and patients, just as modernization has benefitted HIPAA regulations. The medical industry, among others, continues to move towards more ‘paperless’ operations – including that bulky, cumbersome HIPAA manual most often left collecting dust in a closet within your practice.

Despite these advances, many practices are still relying on a physical binder or other paper-based resource to keep track of their HIPAA compliance policies and procedures. In fact, many may still think that a paper manual is the only way to meet HIPAA requirements. While this would be a valid source of documentation should your practice ever experience a data breach or audit, HIPAA regulations don’t specify the need for a physical or paper copy of your documentation. In fact, there are many benefits to taking your stack of unused papers into the electronic realm. An electronic binder (especially one through a cloud-based software provider) offers a number of benefits, including:

There is a lot that comes with maintaining HIPAA compliance – and the biggest hurdle many practices face is having the proper documentation of this culture of compliance.
If your practice has put in the hard work to complete your risk analysis, documenting that work properly and in an accessible format is essential. In fact, 83% of practices that were audited by the OCR in 2019 did not have a properly documented security risk analysis. This is in part due to outdated paper policies that don’t fit the practice’s current structure or procedures. An electronic and continually updated HIPAA ‘binder’, in contrast, fulfills all HIPAA regulations and requirements around documentation.

COVID-19 has had a large impact on HIPAA enforcement and regulations, and many practices have begun utilizing telehealth services as well as implementing new policies and procedures surrounding cybersecurity during newly remote operations. All of these changes and updates to your practice’s work with PHI, even if only temporary, must be documented properly within your HIPAA manual. Having an electronic version of your manual means going in and updating it with a few clicks of a button – saving your practice time (and paper) during an already turbulent time.

If your practice has always had a paper HIPAA binder, moving to an electronic manual that offers all of the above features may be easier said than done. That’s where a HIPAA compliance software solution, like Abyde, comes in to ensure your HIPAA program is up-to-date with any new changes regarding HIPAA or state-specific laws, with dynamically generated policies and procedures built specifically for your practice – providing you much more than just an updated version of your HIPAA manual. If your practice has been stuck on paper, let us show you how going electronic can save you hours of HIPAA headaches.
We Know You Want to Get Back to the Office – Here’s How
May 14, 2020

Is working in your living room with your pets/kids/significant other driving you crazy yet? Us too – but here’s why a measured approach is important to returning to the office.

2020 has been anything but predictable, and it’s hard to speculate exactly how life after COVID-19 is going to be – or how soon we’ll get to the point we can call ‘after’. Some healthcare practices, along with other businesses, have started reopening their doors, but with how much has changed over the course of the past few months, it’s easy to find yourself wondering which way is up when it comes to easing back into life outside of the bubble we’ve been living in.

As many organizations transition back from working at the kitchen table in pajamas, the question of “is it safe to bring employees back into the office” is not taken lightly. Practicing social distancing, wearing protective face masks, and self-isolating if you have any potential symptoms are all preventative measures that we should anticipate continuing for the foreseeable future. If your practice is considering bringing employees back into an office environment to continue offering medical services, here are a few things to consider:

1. Limit Employee Risk in Returning to Work

Healthcare personnel, whether they have been on the front lines during the pandemic or not, have been and will continue to be at risk for contracting or spreading the virus. The CDC issued several strategies on how healthcare providers can determine whether their staff members can safely return to work, based on monitoring for symptoms over the recommended course of time along with COVID-19 tests. Some businesses have discussed screening employees for the virus prior to returning to work to ultimately ensure a safer work environment, yet this concept must still take into consideration HIPAA privacy laws regarding testing results being released to businesses.
In fact, the HIPAA Privacy Rule allows healthcare providers to disclose patient information to employers only if the patient gives written consent authorizing the release or if the testing falls under HIPAA’s workplace medical surveillance exception. If the employer pays for the testing, they are eligible to receive information regarding when the testing occurred but, importantly, not the results of the test. Whether you decide to engage in testing or not, make sure that any PHI generated as a result of testing still follows HIPAA guidelines for privacy and security.

2. Prepare for Limited Waivers to Expire

HIPAA has been a headlining topic throughout the pandemic as the CDC has been constantly updating regulations and enforcement discretions to best mitigate health risks to the public. Good faith provisions for disclosing PHI as well as limited waivers for telehealth usage were among the top changes to HIPAA, but as highly emphasized in each waiver, these discretions only remain in place for the duration of the public health emergency. It’s important for healthcare providers to continue to keep HIPAA compliance a priority, especially as waivers begin to lift, and to be fully prepared to return to normal enforcement. If your practice has been using telehealth to continue seeing patients, for example, and you might continue to use telehealth even after a return to ‘normal’ operations, it’s essential that you utilize a vendor who offers HIPAA compliant video communication services, and that you get a proper Business Associate Agreement signed with your vendor.

3. Ensure Remote Data Collection is HIPAA-Compliant

You are probably already aware that PHI cannot simply be sent in an email. As many practices have sought new ways to manage remote operations and limit physical interaction, the same encryption and security standards must be applied as your practice would have used to send PHI before COVID-19.
If your practice is considering collecting more patient information or insurance information electronically instead of through a physical form or insurance card, make sure you are utilizing a secure system like a patient portal or encrypted email server to transfer any sensitive data.

4. Consider Reviewing Passwords and Security Processes

Over the course of the pandemic, cyber-attacks have been a looming threat, especially to healthcare practices. While working from home played a large role in enabling hackers to access protected information through less-secure networks, it’s important not to lose sight of these concerns even when you go back to your office. Continuing to look out for common scams and knowing how to identify and respond to a potential threat will always be important to ensuring the security of your practice. After returning to the office, consider changing any passwords or login information that may have been compromised during remote work, and update your security software to the best possible protection. Review the devices used for remote work to determine if any further action is needed to ensure proper security if you are still working in part remotely.

With everything that 2020 has thrown our way, being confident and prepared in your ability to get your practice back up and running in a safe and HIPAA compliant manner will make all of the difference in the transition – and help make the rest of the year a little less stressful than the start.
Who Qualifies as a Business Associate?
May 8, 2020

As a business owner, you know there are a lot of elements that go into running a successful healthcare practice. It’s common to have third-party companies assist with everything from accounting, to document disposal, to managing remote operations through cloud sharing and telehealth services. These vendors may be a big part of keeping your practice running smoothly. While you may already do a fantastic job of checking your contracts with these vendors – your terms of service, payments, etc. – where many practices fall short is in reviewing the vendor’s obligations to protect your sensitive patient information.

As a healthcare provider, your practice functions as a covered entity, and any vendor that comes into contact with PHI in the process of working with your practice becomes a Business Associate (BA). Not all companies that your practice hires come into contact with PHI, so how do you know who exactly qualifies as a Business Associate? The HHS defines a Business Associate as any organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Some examples of Business Associates include:

Once you determine who is considered a Business Associate to your practice, you must then institute formal agreements to ensure your practice and your third-party vendors are properly protecting the security of your patient information. This agreement highlights the specific elements of HIPAA compliance that should be followed by both you and each of your Business Associates, including:

Even if a vendor comes into contact with your PHI only once, it’s better to play it safe and have the proper agreements in place – just that one instance could be the catalyst for a breach of PHI. Not having the proper Business Associate Agreements in place has been the cause of hundreds of HIPAA violations. One case, in particular, cost a medical practice in Utah a $100,000 settlement on top of a two-year corrective action plan.
The practice filed a complaint against its EHR company, which allegedly had been blocking access to patients’ ePHI. Although it might seem like the practice was a victim in this situation, the OCR found that there was no Business Associate Agreement in place – leaving the liability solely on the practice’s shoulders.

Data breaches, cyber-attacks, and improper handling of PHI can happen to your practice at any time, as well as to the companies you work with – especially when operating remotely or bringing on new vendors to help manage operations. Ensuring that you have the proper agreements in place is vital in not only protecting your patient data but also offsetting the liability of your practice in the case of a breach. A software solution like Abyde makes this process a whole lot easier with a Business Associate Portal that automatically generates formal agreements with all the proper policies and procedures in place – taking the stress of HIPAA compliance off you and your vendors.
When it Comes to Sensitive Patient Information, Sharing is Not Caring
April 30, 2020

If you’re like most practices, you probably haven’t had the media knocking down your doors asking about sensitive patient information. But with the current public health emergency splashing patient stories across the web, healthcare organizations beware! Media outlets are on the hunt for positive cases of COVID-19, and it’s important to know the rules surrounding sharing protected health information (PHI) with the media if your practice gets caught up in the COVID-19 media wave.

In general, COVID-19 or not, HIPAA law prohibits healthcare providers from disclosing a patient’s PHI to the media unless either the patient or their personal representative authorizes the disclosure or the disclosure fits within a specific HIPAA exception. We all know how the public reacts when something makes headlines (recent toilet paper shortages, for example), which is why it is so important to protect your patients’ privacy – especially when it comes to the media. Some basic rules of thumb to know when facing a situation that might involve the media and patient information are:

In any situation where disclosure of PHI is involved – the media included – the provider must ensure that all reasonable safeguards are in place to protect against any impermissible or incidental disclosures of patient information. In the event PHI is shared, it must be kept to the minimum information necessary to abide by HIPAA law and protect the privacy of patients.

In one recent case, an allergy practice found itself in a HIPAA violation settlement after a patient of the practice contacted a local TV station regarding an incident at the practice, and when contacted to comment the practice impermissibly disclosed the patient’s PHI. This discussion with the media cost the practice a $125,000 settlement on top of a two-year corrective action plan.

Some words of advice? If ever faced with a situation involving the media, don’t be blinded by the spotlight.
Avoid publicly reporting any patient PHI or disclosing information upon media request. Simply responding with “no comment”, or having staff reply that they are not authorized representatives and cannot speak on the practice’s behalf, could save your practice the hassle of dealing with major HIPAA violations and shelling out a big chunk of change.

A public health emergency, such as the current COVID-19 pandemic, brings some additional confusion in regard to sharing information with the public in order to mitigate further health risks. This uncertainty has often led to impermissible media disclosures, such as a Detroit Pistons player’s COVID-19 diagnosis, which recently made headlines before he even had a chance to tell his own mother. Certain disclosures may be made to authorized organizations, but when it comes to sharing PHI with the media at large, it’s important to know what’s off-limits to best protect your patients’ privacy.
Are you breaking HIPAA appropriate access laws, and don’t even know it?
April 22, 2020

Giving out protected health information (PHI) to everyone and anyone who inquires? Sure, we know most medical practices are wise enough to understand this would be a severe violation of HIPAA compliance laws. Most healthcare organizations may also know the importance of antivirus for computers, securing offsite data backups, and other best practices for HIPAA, but one area often overlooked is controlling the staff’s appropriate access to PHI and ePHI. Knowing the ins and outs of what is considered ‘appropriate access’ to patient data – i.e., giving only the access that is necessary for staff to complete job functions and not carte blanche access to your data – can be confusing.

COVID-19 has made several HIPAA regulations even more complex, with thousands of healthcare workers across the nation finding themselves transitioning to remote operations with reduced hours or even facing layoffs or furloughs. These operational changes have caused some additional confusion as to when a practice must change or limit employee access to PHI. Adding to the complexity is attempting to ensure all staff are following appropriate guidelines when remotely accessing ePHI. Due to knowledge and time constraints for most independent medical practices, this can be so daunting that it is largely ignored.

Access to patient records by staff must be limited to authorized business purposes only, regardless of the setting. Essentially, the only time an employee should view PHI is when it is necessary to effectively perform their job duties or with written permission from a patient. Some of these purposes include:

Accessing patient records for reasons other than those necessary to complete job responsibilities is not permitted (ever, COVID-19 or not) and is otherwise considered a violation of patient privacy. It is a requirement under HIPAA to maintain access logs for this very reason – to identify any inappropriate access to PHI.
Appropriate access isn’t just a best practice, but a key part of the Privacy Rule under HIPAA and grounds for HIPAA fines if noncompliance is discovered. Recently, more than 50 employees at a hospital in Chicago were fired immediately after it was discovered that they had inappropriately accessed and viewed the medical records of an actor who had been treated at the facility. Nearly 80% of healthcare executives say that employee security awareness is amongst their greatest concerns – making it even more essential that staff members are properly trained on appropriate access policies.

If you’re currently working from your kitchen table in your pajamas (no judgment, us too), you may not be aware of the additional threat you now pose to the security of patient data. Remote work environments, while critical in today’s climate, introduce less secure home networks and fewer safeguards than you might find in your office. It becomes even more essential to mitigate new threats by ensuring your staff not only know the appropriate ways to access data but are only accessing the minimal amount of data necessary to complete their job responsibilities. You can read our recent article for additional tips on how to safeguard data while working remotely here.

Unfortunately, in the current economic climate, many healthcare organizations are resorting to furloughing staff. This can add unprecedented challenges for practices trying to control appropriate access to protected health information. Even if an employee will be returning to your practice, there should still be a process in place to limit their access to PHI while furloughed. Removing access can be done by revoking the employee’s login credentials to the practice’s EHR system, recollecting any key or keycard they were given, or other security measures deemed necessary to limit their exposure to sensitive patient data.
It’s important to keep in mind that any access removed can be restored when furloughed employees are brought back, but limiting access temporarily will help prevent unauthorized disclosures. Other helpful tips to keep in mind with appropriate access are:

Ensuring PHI is accessed only when necessary is essential to protect medical practices and patients. Just as a practice doesn’t share financial information with all staff, sensitive patient data should have similar appropriate restrictions. During this difficult time, it is all the more important to have proper access policies and guidelines in place to guarantee the safety and security of patient data. Whether at home accessing PHI in your PJ’s, or looking to the future when we’re all back in our offices once again, appropriate access is key to essential data privacy.
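As an added illustration (not Abyde’s code or any EHR vendor’s), here is a small Python review of an access log that flags the kinds of inappropriate access discussed above: activity by furloughed or unknown accounts, actions outside a role’s job duties, and clinician chart views for patients they are not treating. The log format, role names, action names and all staff and patient data are constructed for the example.

```python
"""Review an EHR access log for access that is not job-necessary.

Added example, not the practice's or any vendor's real tooling. It applies
a minimum-necessary rule per role plus a care-team check for clinicians,
and flags any activity from accounts that should have been revoked
(furloughed or terminated) or that are not on the roster at all.
"""
import csv
import io
from dataclasses import dataclass

# Assumed policy for the example: the actions each role may perform as part
# of its job duties. A real practice's access policy defines its own table.
ROLE_PERMITTED_ACTIONS = {
    "clinician": {"view_chart", "update_chart"},
    "billing": {"view_billing"},
    "front_desk": {"view_demographics", "schedule"},
}
# Roles whose access must additionally be tied to the patient's care team.
CARE_TEAM_ROLES = {"clinician"}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    patient: str
    action: str
    reason: str


def parse_log(text):
    """Parse CSV access-log text (header: timestamp,user,patient_id,action)."""
    return list(csv.DictReader(io.StringIO(text.strip())))


def audit_access(rows, roster, care_team):
    """Return one Finding per log row that is not job-necessary access.

    roster maps username -> (status, role); care_team maps patient_id ->
    set of usernames treating that patient.
    """
    findings = []
    for r in rows:
        ts, user, patient, action = r["timestamp"], r["user"], r["patient_id"], r["action"]
        staff = roster.get(user)
        if staff is None:
            findings.append(Finding(ts, user, patient, action, "unknown account"))
            continue
        status, role = staff
        if status != "active":
            # Furloughed or terminated staff should have had credentials revoked.
            findings.append(Finding(ts, user, patient, action, f"account is {status}"))
            continue
        if action not in ROLE_PERMITTED_ACTIONS.get(role, set()):
            findings.append(Finding(ts, user, patient, action,
                                    f"action not permitted for role {role}"))
            continue
        if role in CARE_TEAM_ROLES and user not in care_team.get(patient, set()):
            findings.append(Finding(ts, user, patient, action,
                                    "user not on patient's care team"))
    return findings


# Constructed sample data: a staff roster, care-team assignments, and a log.
SAMPLE_ROSTER = {
    "dr.alvarez": ("active", "clinician"),
    "nurse.kim": ("active", "clinician"),
    "jpatel": ("active", "billing"),
    "rlee": ("furloughed", "front_desk"),
}
SAMPLE_CARE_TEAM = {
    "P1001": {"dr.alvarez", "nurse.kim"},
    "P1002": {"dr.alvarez"},
}
SAMPLE_LOG = """timestamp,user,patient_id,action
2020-04-20T09:01:00,dr.alvarez,P1001,view_chart
2020-04-20T09:05:00,nurse.kim,P1002,view_chart
2020-04-20T09:10:00,jpatel,P1001,view_billing
2020-04-20T09:12:00,jpatel,P1001,view_chart
2020-04-20T09:30:00,rlee,P1002,view_demographics
2020-04-20T10:00:00,ghost,P1001,view_chart
"""


def audit_sample():
    """Run the audit over the constructed sample log."""
    return audit_access(parse_log(SAMPLE_LOG), SAMPLE_ROSTER, SAMPLE_CARE_TEAM)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.timestamp} {f.user} -> {f.patient} ({f.action}): {f.reason}")
```

Of the six constructed log entries, the two that match job duties and care-team membership pass and the other four are reported with a reason each.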