HIPAA

Windows 7 HIPAA Risk
Cybersecurity, HIPAA

OCR Alert: Windows 7 a Growing Risk for Cyberattacks

August 13, 2020 Comments Off on OCR Alert: Windows 7 a Growing Risk for Cyberattacks

August 13, 2020 Have you updated your Microsoft Windows version recently? If your answer is no, then you might be at a greater risk of experiencing a cyberattack. The Office for Civil Rights (OCR) in partnership with the FBI sent out an alert just this morning regarding the increase in cyberthreats to outdated computer networks, specifically the Windows 7 operating system (OS).  Windows 7 went end of life (meaning it is no longer supported or patched by Microsoft) in January of this year. Because it is no longer monitored or supported, the OS is missing the necessary security updates to continuously protect against hackers. Utilizing the outdated system dramatically increases the risk of cyberattackers accessing your computer systems – including the sensitive patient data they house.  In their alert, the OCR expands on the various vulnerabilities that come from failing to safeguard your practice’s computer network by continuing to use Windows 7, including that: Other factors that increase the current risk include the shift to working remotely and the less secure network connections typically used at home. It is highly recommended to upgrade any outdated computer systems as soon as possible to reduce risk. In addition to updating your operating system, ensure your anti-virus and firewalls are all up to date to best protect your devices from outside threats.  While updating core operating software may mean additional costs and resources, the OCR emphasized the importance of following their recommendation in their alert, stating that, “these challenges do not outweigh the loss of intellectual property and threats to an organization.” While HIPAA does not specify a required operating system, meeting required technical safeguards does include keeping your systems secure and as protected as reasonably possible from cyber threats. In this case, that means having an active OS that is still receiving critical security updates. We highly recommend protecting your critical patient information and upgrading any systems necessary as soon as possible.  

Offboarding and HIPAA
Best Practices, HIPAA

Recently Offboarded Staff? Don’t Forget About HIPAA Requirements

August 6, 2020 Comments Off on Recently Offboarded Staff? Don’t Forget About HIPAA Requirements

August 6, 2020 Many practices have an organized system for welcoming a new employee to the team. Usually, new staff is an exciting addition, and you’ve likely got your welcome bag, name tags and business cards at the ready. But, when it comes to the end of an employee’s life cycle at your practice – not uncommon in 2020 due to COVID-19 – the process may not be as exciting or as organized. The uncertainty that surrounds having to terminate an employee can be messy, leading to paperwork and processes being executed in haste. In this hurry, mistakes are often made leaving sensitive patient data exposed to unauthorized recipients. Even if you have the best intentions and think it’ll never happen to you, data breaches continue to surface stemming from improperly terminated access. Whenever you part ways with a former workforce member, full offboarding measures must be taken to ensure full protection of your practice as well as your patient’s data. The HIPAA Security Rule specifically details the required termination procedures in Section 142.308(a)(11) as the “formal, documented instructions for ending employment and closing off internal and external access.” This removal of access can be done by implementing the following offboarding actions: Even for former employees, documentation is still essential when it comes to HIPAA compliance. Your practice should keep all HIPAA training certificates on file for up to 6 years even if terminated. If a breach occurred prior to an employee’s termination, or an audit occurs even after termination, you will need to produce a copy of the training certificate to prove that each staff member was properly trained at the time.  Other steps that should be taken on a regular basis to help improve the security within your practice as well as help ensure a smoother offboarding process include:  You may have a system in place for offboarding, but if you’re a busy practice there’s no harm in waiting a month or two to make sure access is revoked, right? Well…not so much. Every day that your former staff still have access to PHI is not only another day of increased risk, but also a major concern if ever audited or investigated by the OCR. In fact, failing to properly implement these procedures when offboarding employees has been the catalyst for multiple HIPAA breaches. In 2018, a Colorado Hospital found themselves in a HIPAA violation costing them $111,400 after terminating an employee without proper offboarding. The employee was not removed from the hospital’s online-based scheduling calendar which contained PHI – ultimately allowing continued access to the PHI of almost 600 patients. Along with the former employee’s access, it was found that the medical center’s web-based scheduling calendar vendor also received access to PHI without the proper Business Associate Agreement in place. In response to this settlement OCR Director, Roger Severino emphasized that “This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn’t.” Equally as important as staff is properly offboarding any vendors your practice worked with. If any of your vendors have any access to your practice both physically as well as electronically they must be properly removed when your work contract is terminated. Things like disabling remote access to servers from any accounts with administrative privileges are often overlooked and can be a huge risk for data breaches and HIPAA violations. In fact, having a proper Business Associate Agreement in place with these vendors puts them on the hook for removing access and returning or destroying any PHI they may have had or created on behalf of your practice. Having a comprehensive plan from the start to finish of an employee’s time at your practice will have a huge impact on ensuring the security of the sensitive patient information within your organization. While you most likely won’t have to deal with an employee gone rogue, being proactive and making certain that there are no loose ends when it’s time for a staff member to leave will help make the offboarding process seamless and stress-free.  

North Carolina Dental Society Partnership
Fines, HIPAA

Abyde Joins Forces With North Carolina Dental Society to Deliver HIPAA Compliance Solutions to Dental Practices

August 5, 2020 Comments Off on Abyde Joins Forces With North Carolina Dental Society to Deliver HIPAA Compliance Solutions to Dental Practices

August 5, 2020 August 5, 2020, Tampa, FL – Abyde, a user-friendly HIPAA compliance software solution for dental practices, today announced it has joined North Carolina Dental Society (NCDS) as an endorsed HIPAA compliance solution for North Carolina dentists. As HIPAA complaints and breach threats continue to rise in 2020, the need for practices to understand and implement HIPAA compliance programs is now more important than ever. Abyde’s collaboration with NCDS as an endorsed solution showcases collaborative efforts to help dental practices meet this need and to provide NCDS members with essential tools to realize HIPAA compliance on an ongoing basis. Abyde’s software solution is the easiest way for any sized dental practice to implement and sustain comprehensive HIPAA compliance programs. Abyde’s revolutionary approach guides providers through mandatory HIPAA requirements such as the Security Risk Analysis, HIPAA training for doctors and staff, managing Business Associate Agreements, customized policies, and more. “Joining North Carolina Dental Society as an endorsed solution showcases the value and ease of use dental providers have found with Abyde, and our joint commitment to helping providers realize HIPAA compliance when they need it most,” said Matt DiBlasi, President of Abyde. “We are honored to be a part of North Carolina Dental Society’s select solutions and to play a role in educating and protecting their practices.” “The North Carolina Dental Society chose Abyde for its easy to use and comprehensive program for our members. We are pleased to have Abyde as an endorsed solution,” said Duncan Jennings, Managing Director of NC Services for Dentistry. “We research and endorse solutions allowing our members to focus on their patients in this changing healthcare landscape. Abyde will make identifying compliance opportunities, tracking results, and staying current simple.” About AbydeAbyde (Tampa, FL) is a technology company dedicated to revolutionizing HIPAA compliance for medical professionals. Launched in January 2017, Abyde was formed with the idea that there could exist an easier, more cost-effective way for healthcare providers to comply with government-mandated HIPAA regulations. For more information on Abyde visit abyde.com. About NCDSThe North Carolina Dental Society was founded in 1856 and remains one of the oldest dental societies in the country. Representing 3,900 member dentists across the state, our mission is to help all members succeed. The NC Dental Society is a part of the American Dental Association, the nation’s largest dental association, representing 163,000 member dentists, and the leading source of oral health information. For more information, visit https://www.ncdental.org. Read the full press release here.

COVID-19 Public Health Emergency Extension
Best Practices, HIPAA

HHS Extends National Public Health Emergency & Limited HIPAA Waivers

July 30, 2020 Comments Off on HHS Extends National Public Health Emergency & Limited HIPAA Waivers

July 30, 2020 COVID-19 has made 2020 feel like both the shortest and longest year ever, and if rising cases are any indication it’s not likely to let up anytime soon. You may have already expected our ‘new normal’ of mask-wearing, keeping a 6-foot distance, and HIPAA waivers to be here for the long haul, and the recent Department of Health and Human Services (HHS) extension of the National Public Health Emergency solidifies that notion. Just last week the HHS announced the renewal of the National Public Health Emergency and an extension of limited HIPAA waivers until October 23, 2020. This declaration means more than continued social distancing rules, and also extends the many other waivers and flexibilities issued by the HHS in the initial response to the pandemic. These waivers work to mitigate the risks to the health of the general public while assisting healthcare providers with the necessary accommodations to protect their practice and continue serving their patients. To give a recap on everything that’s been changed or updated in lieu of COVID-19: In addition to the specific waivers granted in response to the pandemic, practices should be aware of additional guidance covering the expansion of cyber security attacks in response to increased remote operations, reminders on restrictions of sharing patient information to the media, and proactively safeguarding against the recent rise in patient complaints due to COVID-19.  As part of the recent extension of HIPAA waivers, the HHS has specified a 90-day period until waivers are expected to be lifted. Practice’s now have a clear timeframe of when they need to implement HIPAA compliant solutions for tools like telehealth which may currently be done using a non-compliant software. To prevent a HIPAA violation as these waivers end in October, it’s important that your practice proactively prepares by: While these HIPAA regulation flexibilities have been extended, they aren’t going to last forever. Keeping your practice one step ahead will make all the difference in your ability to avoid any HIPAA violations or fines as standard regulations take effect again. If HIPAA hasn’t been your number one priority over the past few months, you should start now and use this 90-day extension to ensure you have a complete compliance program in place, especially as 2020 continues to fly by.

Two Major HIPAA Fines
Fines, HIPAA

OCR Levies Two HIPAA Fines Totalling $1,065,000 Amidst COVID-19

July 27, 2020 Comments Off on OCR Levies Two HIPAA Fines Totalling $1,065,000 Amidst COVID-19

July 27, 2020 Even in the midst of COVID-19, the Office for Civil Rights (OCR) hasn’t let up on finding and enforcing HIPAA violations. Within just this past week, both a small healthcare provider along with a larger health system found themselves facing HIPAA violations that resulted in hefty fines – $25,000 and $1.04 million, respectively – as well as extensive corrective action plans.  Continued Disregard for HIPAA A small practice based out of North Carolina, Metropolitan Community Health Services (d/b/a Agape Health Services) filed their initial breach report all the way back in 2011 when there was an impermissible disclosure of PHI to an unknown email account. While the violation may have been triggered by an impermissible disclosure of protected health information (PHI), the OCR’s hammer was brought down in large part by the practice’s continued disregard for HIPAA requirements and protections for their patient’s PHI. The disclosure impacted over 1,000 patients and the practice’s report opened the doors to an OCR investigation of their entire HIPAA program. The investigation shed light on the practice’s failure to comply with various HIPAA Security Rule regulations, including: Even after reporting the breach in 2011, the practice didn’t implement these missing HIPAA requirements in any hurry. Staff weren’t trained properly on HIPAA until 2016 – five years after the initial complaint was reported. The lack of progress made to safeguard their patients’ information resulted in the OCR levying a $25,000 fine years after the impermissible disclosure took place, in part as a result of continuously failing to mediate the gaps in their HIPAA program. OCR Director, Roger Severino, emphasized the practice’s lack of effort in his statement accompanying the press release. “Health care providers owe it to their patients to comply with the HIPAA Rules. When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information.” This fine highlights that it is imperative to not only have a comprehensive HIPAA compliance program in place before a breach occurs, but also ensure that safeguards are implemented after a breach has been identified – the OCR has made it clear that showing a lack of progress is one way to guarantee you end up in their crosshairs.  Unencrypted Laptop The second violation involved a large healthcare system in Rhode Island, Lifespan ACE, and resulted in a whopping $1,040,000 resolution agreement. Back in 2017, a Lifespan employees’ car was broken into and a single unencrypted laptop containing patient information from various entities within the healthcare system was stolen. This data breach led to the impermissible disclosure of over 20,000 individuals PHI and opened the doors for the OCR’s further investigation. Upon investigation, it was found that they were missing various elements of their HIPAA program including:  Because the laptop was not encrypted, a single technical safeguard that could have prevented the violation, the PHI of any patient that was accessible using the device was at high risk for misuse. Part of the OCR’s investigation revealed “systemic non-compliance” with HIPAA, including various other media and device controls such as proper encryption. “Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality.  Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves,” added Roger Severino, OCR Director in the news release. This fine emphasizes that even when theft is outside of a covered entity’s control, the responsibility still falls on the provider to properly encrypt and safeguard that valuable data. While preventing every single possibility of a data breach might be unrealistic, maintaining a proactive HIPAA compliance program that meets federal requirements and includes all appropriate encryption and technical safeguards is achievable. Ensuring you have a complete program with all aspects of HIPAA reviewed and implemented is key – and stress-free when done with an intuitive software solution like Abyde.  

Requirements for HIPAA Training
Best Practices, HIPAA

Requirements for HIPAA Training

July 22, 2020 Comments Off on Requirements for HIPAA Training

July 22, 2020 You know the saying ‘teamwork makes the dream work’? The same goes for HIPAA compliance within your practice, too. The easiest way to make sure everyone is on the same page is to implement a comprehensive HIPAA compliance training program. HIPAA training is key to securing your patients’ information and instilling a culture of compliance within your organization. Compliance is a group effort, and ensuring that all workforce members have a full understanding of their HIPAA responsibilities will limit the accidental exposure of protected health information (PHI) and avoid potential high dollar settlements for the practice.   58% of healthcare breaches involve practice employees, and these breaches are largely a result of employees improperly disclosing patient information, the mishandling of medical records, losing devices containing electronic protected health information (ePHI), or a general lack of training. This makes education a key aspect in preventing improper access or misuse of PHI. Unfortunately, the Office for Civil Rights (OCR) doesn’t provide any lesson plans or online training classes – leaving the burden of providing proper education completely on your practice. Here are a few key points to keep in mind when it comes to the “who, what, when, and how” of employee training. Who needs to be trained?  All workforce members, part-time, contract, or full-time, that come into contact with protected health information must be properly trained. This includes providers as well. HIPAA law states that training must be done “as necessary and appropriate for the members of the workforce to carry out their functions.”  Some staff members, like your practice’s HIPAA Compliance Officer, should be trained more frequently than the rest of the staff and the material should be specific to their HCO duties. What needs to be included in the training?  HIPAA doesn’t specify any particular topics that should be covered or what timeframe they should be addressed in, but training should be designed around what a staff member needs to know in order to perform their job function. That might include new employee training that covers the basics and additional training that dive more deeply into the nuances of how HIPAA impacts the staff’s daily job roles. Common HIPAA training topics include: When should employees be trained?  While HIPAA does not technically specify the timeframe of ongoing training, most agree that annual training is the appropriate timeframe to keep HIPAA top of mind for staff. In addition, any new employees must complete initial training on HIPAA within a reasonable time after being hired – this is recommended within the first 90 days of employment. HIPAA training should be a key part of the employee onboarding process to ensure compliance. It will also set the standard that HIPAA compliance is important to your practice.  How long must each training be?  There’s no specified length of training regulated by HIPAA, but the length must be sufficient enough to cover all the necessary materials. The quality of the information being provided as well as the effectiveness of how it is taught is the most important aspect of proper training. This could mean a shorter but more engaging training, such as an animated video and interactive quiz. There’s also no specifics that identify if training must be completed individually or as a group. Utilizing training videos may help your practice avoid losing valuable patient time by letting staff complete training on their own time. What is required to document training? One of the most important aspects of completing HIPAA training is to document each staff member’s completion. When it comes to HIPAA, document, document and document some more. It is key to providing proof of compliance if ever audited or breached. For training, a certificate of completion showing who completed the training and when it was completed will show all needed information. Offering a modular-type training format, such as a quiz after training, is important for showing that employees retained the material. Unpacking HIPAA means peeling back a lot of layers, and ensuring that each employee is properly trained on HIPAA’s nuances to fully understand what’s needed to be compliant may seem daunting. A solution like Abyde makes HIPAA training as easy as a click of a button, sending animated training videos that keep HIPAA fun and engaging. No matter the training solution your practice chooses, make sure it meets all HIPAA requirements and most importantly delivers content in a way that will be retained and understood by your employees. 

Best Practices, HIPAA

My EHR system makes me HIPAA compliant, right?

July 16, 2020 Comments Off on My EHR system makes me HIPAA compliant, right?

July 16, 2020 Let’s face it, in today’s digital age, it’s tough to find a medical practice that doesn’t utilize an Electronic Health Records (EHR) system. Even if you were late to the game and just recently made the switch, the use of EHRs in doctor’s offices nearly doubled between 2009 and 2017, to almost 86% of providers. One of the biggest qualifications for any EHR system is that it meets all HIPAA compliance requirements to protect the sensitive patient data held within it. But is that where HIPAA compliance begins and ends?  A common misconception many providers have, however, is that implementing a HIPAA compliant EHR ensures their practice is in compliance with all standards  – instead, it’s just one piece of the much larger puzzle. Make no mistake, having a HIPAA compliant EHR is essential. There are a number of safeguards that should be implemented to protect your EHR’s electronic data, such as:  While these safeguards are key, there are other HIPAA requirements that go beyond the security of your EHR software and impact your practice’s operations, physical accessibility, and all technology used within the organization – including IT networks and other applications not included in your EHR software. That’s why the Security Risk Analysis’ three sections – administrative, physical, and technical safeguards – are so essential to ensure every aspect of your business’ risk is assessed. Even non-HIPAA experts can conclude that having a HIPAA compliant EHR system is a no brainer. But missing all, or even just some, of the other pieces to the puzzle puts your practice and your patients at high risk. In fact, within  Abyde’s Security Risk Analysis, only 10% of the questions pertain to your EHR system. Whether with Abyde, internally, or with another vendor – it’s essential to review the other 90% of your necessary safeguards before getting slammed with a HIPAA violation. 

HIPAA Compliant Marketing for Healthcare Practices
Best Practices, HIPAA

HIPAA Compliant Digital Marketing for Healthcare Practices

July 8, 2020 Comments Off on HIPAA Compliant Digital Marketing for Healthcare Practices

July 8, 2020 Nowadays, you can shop online for anything – from chopsticks that double as LED lightsabers to a wig for your dog (seriously, we’re not kidding), and shopping online for a healthcare provider is no different. The internet plays a key role in a healthcare consumer’s decision making, in fact, according to a study released by the Pew Internet & American Life Project, “80 percent of Internet users, or about 93 million Americans, have searched for a health-related topic online.” Let’s face it, we use the internet for basically anything and everything nowadays especially as we continue to adapt in today’s COVID-19 world, which is why it’s important for your practice to understand what is and isn’t allowed when it comes to HIPAA compliance and online marketing.  Using online marketing as a tool can be extremely beneficial for practices. Most medical practices have a website and many use social media and email marketing as tools to reach potential patients – ensuring you are utilizing these platforms in a HIPAA compliant manner is imperative to marketing in the right ways while still ensuring the privacy of your patients and security of your practice. Whether it be for your practice website, social media page, or advertisement – if you would like to use any type of patient information there are some strict guidelines to follow: Your Practice Website Having a HIPAA compliant website for your practice enables patients to search for information regarding the services that you provide, and ultimately drive new patients to you. The following are some key tips to follow when creating and maintaining the website for your practice:   Email Marketing  If choosing to use email marketing to engage with patients there are some key safeguards you must take to ensure you’re protecting your patients’ information and aren’t setting yourself up for a HIPAA violation:  Social Media  Nowadays social media platforms play a large role in consumers’ decision making. Having a strong social media presence can be a great asset to your practice, but in order to use social media to your advantage, you should follow these guidelines:  Where marketing regulations get tricky is patient reviews or comments on digital platforms. While patients are able to post a review or comment about your practice, you cannot respond in any capacity that ties the patient to your practice. A dental practice in Texas was faced with a $10,000 fine along with a 2-year corrective action plan after they responded to a patients’ Yelp review. The practice had responded to multiple reviews the investigation found, disclosing patient information including names, medical diagnoses, and more and was only hit with a small fine due to their immediate cooperation with the Office for Civil Rights. On top of ensuring that you’re meeting all the criteria for a safeguarded online presence, you should also create a well-documented strategy that clearly outlines what’s permitted and what isn’t for your staff. This should cover the necessary policies and procedures for marketing to patient’s whether it is done online, over the phone, or in person.

Is My Telehealth Solution HIPAA Compliant?
Best Practices, HIPAA

Is Your Telehealth Solution HIPAA Compliant?

July 2, 2020 Comments Off on Is Your Telehealth Solution HIPAA Compliant?

July 2, 2020 Ever thought you’d be saying “What’s up Doc?” on a video chat from home? Telehealth has made remote visits a new reality – though not all telehealth providers have been created equal when it comes to being HIPAA compliant. Why is it important for telehealth to be compliant? 90% of healthcare executives have already or are planning to adopt telehealth services within their operations, and as remote patient care continues to explode in popularity so do the risks to compromising that patient information. Part of telehealth’s current popularity is due to COVID-19. To best meet the urgency  brought on by COVID-19, the Office for Civil Rights (OCR) provided an update to the provision of telehealth services allowing providers to use any form of non-public facing video communications with patients, even if they weren’t considered ‘HIPAA compliant.’ While this enforcement discretion is only temporary, we can predict that the general public will prefer to keep their distance and avoid face-to-face doctor visits if possible for the foreseeable future. In fact, a recent study found that 74% of Americans would be comfortable and willing to use telehealth services for their doctors appointments.    While COVID-19 has made a major impact on telehealth services, the ability to provide care remotely has been growing in popularity for several years. The value of telehealth goes beyond allowing for social distancing between patients and providers, including:  With all the benefits presented in utilizing telehealth services, there are also additional risks to be aware of. The following are some key recommendations for implementing telehealth in the most secure way possible:    The explosion of telehealth providers to meet the new demand after COVID-19 has seen some great – and some not so great – products within the telehealth market. If you are looking into adding a telehealth solution, be sure it is one that has proper safeguards and programming to prevent and contain possible cyber threats. An unsecured telehealth provider could make your patient data vulnerable – such as chatbot and telehealth startup Babylon Health, whose users found dozens of videos of other patients’ appointment consultations in their app due to a software glitch. While the issue was quickly corrected, implementing a non-compliant telehealth app creates a high risk for potentially compromising patient data. As the healthcare industry continues to implement technology solutions, it’s important to ensure that sensitive patient information remains safeguarded from additional risks that technology presents. Utilizing HIPAA compliant providers for telehealth and having the proper Business Associate Agreements in place are key to providing the most effective and protective services for your patients.

When Sharing PHI is HIPAA Approved
HIPAA

Should I Share This? When Sharing PHI is HIPAA Approved

June 18, 2020 Comments Off on Should I Share This? When Sharing PHI is HIPAA Approved

June 18, 2020 We get it, the struggle is real. The moans and groans with HIPAA always seem to get louder when medical practices are faced with figuring out to whom and how sensitive data can be shared. Contrary to what many believe, HIPAA is all about properly sharing protected health information (PHI) – not preventing it entirely. Sometimes, lacking confidence that internal policies are in alignment with best practices on sharing PHI securely can cause a practice to hesitate to (or altogether not) send PHI to other parties requesting it, including other providers. Unfortunately, not acting in a timely manner and failing to comply with the request to share PHI with another provider can be a costly one. Proper disclosure of PHI is highly regulated under HIPAA when it comes to sharing or receiving patient records from another practice, and there are consequences to both sharing too much information – or not enough. First, the HIPAA Privacy Rule does in fact permit a health care provider to share patient information for treatment and healthcare operation purposes without needing written patient authorization as long as the reasonable safeguards to protect the information are used. To clarify what the U.S. Department of Health and Human Services (HHS) considers as treatment and operation purposes, “Treatment means the provision, coordination, or management of healthcare and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.”  Some key notes on sharing PHI between providers:  Additionally, if a patient is the one requesting their records to be sent to another provider: It’s time for providers to change their perspective on HIPAA – which is widely considered a restrictive set of laws and regulations. HIPAA is meant to be a guideline on how to securely and efficiently share sensitive and valuable data. Not a barrier or inhibitor as so many see it now. Being able to do so will have positive effects on the healthcare industry as a whole and improve patient care for years and years. Don’t let the unknowns of HIPAA keep data from those who have lawful access to them such as other providers or patients. If so, it is just as much of a HIPAA violation as sharing sensitive data with the wrong people.