HIPAA

Who Qualifies as a Business Associate?
Business Associates, HIPAA

Who Qualifies as a Business Associate?

May 8, 2020 Comments Off on Who Qualifies as a Business Associate?

May 8, 2020 As a business owner, you know there are a lot of elements that go into running a successful healthcare practice. It’s common to have third-party companies assist with everything from accounting, to document disposal, to managing remote operations through cloud sharing and telehealth services. These vendors may be a big part of keeping your practice running smoothly. While you may already do a fantastic job of checking your contracts with these vendors – your terms of service, payments, etc. – where many practices fall short is in reviewing your vendor’s obligations to protect your sensitive patient information. As a healthcare provider, your practice functions as a covered entity, and any vendor that comes into contact with PHI in the process of working with your practice becomes a Business Associate (BA). Not all companies that your practice hires come into contact with PHI, so how do you know who exactly qualifies as a Business Associate? The HHS defines a Business Associate as any organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Some examples of Business Associates include: Once you determine who is considered a Business Associate to your practice, you must then institute formal agreements to ensure your practice and your third-party vendors are properly protecting the security of your patient information. This agreement highlights the specific elements of HIPAA compliance that should be followed by both you and each of your Business Associates, including: Even if a vendor comes into contact with your PHI only once, it’s better to play it safe and have the proper agreements in place – just that one instance could be the catalyst for a breach of PHI.  Not having the proper Business Associate agreements in place has been the cause of hundreds of HIPAA violations. One case, in particular, cost a medical practice in Utah a $100,000 settlement on top of a two-year corrective action plan. The practice filed a complaint against their EHR company who allegedly had been blocking access to patients’ ePHI. Although it might seem like the practice was a victim in this situation, the OCR found that there was no Business Associate Agreement in place – leaving the liability solely on the practice’s shoulders.  Data breaches, cyber-attacks, and improper handling of PHI can happen to your practice at any time as well as the companies you work with – especially when operating remotely or bringing on new vendors to help manage operations. Ensuring that you have the proper agreements in place is vital in not only protecting your patient data but offsetting the liability of your practice in the case of a breach. A software solution like Abyde makes this process a whole lot easier with a Business Associate Portal that automatically generates formal agreements with all the proper policies and procedures in place – taking the stress of HIPAA compliance off you and your vendors.

Patient Privacy During COVID-19
HIPAA

When it Comes to Sensitive Patient Information, Sharing is Not Caring

April 30, 2020 Comments Off on When it Comes to Sensitive Patient Information, Sharing is Not Caring

April 30, 2020 If you’re like most practices, you probably haven’t had the media knocking down your doors asking about sensitive patient information. But with the current public health emergency splashing patient stories across the web, healthcare organizations beware! Media outlets are on the hunt for positive cases of COVID-19 and it’s important to know the rules surrounding sharing protected health information (PHI) with the media if your practice gets caught up in the COVID-19 media wave. In general, COVID-19 or not, HIPAA law prohibits healthcare providers from disclosing a patient’s PHI to the media unless either the patient or their personal representative authorizes the disclosure or the disclosure fits within a specific HIPAA exception. We all know how the public reacts when something makes headlines (recent toilet paper shortages, for example) which is why it is so important to protect your patients’ privacy – especially when it comes to the media.  Some basic rules of thumb to know when facing a situation that might involve the media and patient information are:  In any situation where disclosure of PHI is involved – the media included – the provider must ensure that all the reasonable safeguards are in place to protect against any impermissible or incidental disclosures of patient information. In the event PHI is shared it must be kept to the minimal information necessary to abide by HIPAA law and protect the privacy of patients. In one recent case, an allergy practice found themselves in a HIPAA violation settlement after a patient of the practice contacted a local TV station regarding an incident at the practice, and when contacted to comment the practice impermissibly disclosed the patient’s PHI. This discussion with the media cost the practice a $125,000 settlement on top of a two-year corrective action plan. Some words of advice? If ever faced with a situation involving the media, don’t be blinded by the spotlight. Avoid publicly reporting any patient PHI or disclosing information upon media request. Simply responding with “no comment”, or having staff reply that they are not authorized representatives and cannot speak on the practice’s behalf could save your practice the hassle of dealing with major HIPAA violations and shelling out a big chunk of change.  A public health emergency, such as the current COVID-19 pandemic, brings some additional confusion in regard to sharing information to the public in order to mitigate further health risks. This uncertainty has often led to impermissible media disclosures, such as a Detroit Pistons player’s COVID-19 diagnosis which recently made headlines before he even had a chance to tell his own mother. Certain disclosures may be made to authorized organizations, but when it comes to sharing PHI to the media at large, it’s important to know what’s off-limits to best protect your patients’ privacy.

Common HIPAA Mistakes
HIPAA

Are you breaking HIPAA appropriate access laws, and don’t even know it?

April 22, 2020 Comments Off on Are you breaking HIPAA appropriate access laws, and don’t even know it?

April 22, 2020   Giving out protected health information (PHI) to everyone and anyone who inquires? Sure, we know most medical practices are wise enough to understand this would be a severe violation of HIPAA compliance laws. Most healthcare organizations may also know the importance of antivirus for computers, securing offsite data backups and other best practices for HIPAA but one area often overlooked is controlling the staff’s appropriate access to PHI and ePHI.  Knowing the ins-and-outs of what is considered ‘appropriate access’ to patient data – i.e., giving only access that is necessary for staff to complete job functions and not carte blanche access to your data – can be confusing. COVID-19 has made several HIPAA regulations even more complex with thousands of healthcare workers across the nation finding themselves transitioning to remote operations with reduced hours or even facing layoffs or furloughs. These operational changes have caused some additional confusion as to when a practice must change or limit employee access to PHI. Adding to the complexity is attempting to ensure all staff are following appropriate guidelines when remotely accessing ePHI. Due to knowledge and time constraints for most independent medical practices, this can be so daunting that it is largely ignored. Access to patient records by staff must be limited to authorized business purposes only, regardless of the setting. Essentially, the only time an employee should view PHI is when it is necessary to effectively perform their job duties or with written permission from a patient. Some of these purposes include: Accessing patient records for reasons other than those necessary to complete job responsibilities is not permitted (ever, COVID-19 or not) and is otherwise considered a violation of patient privacy. It is a requirement under HIPAA to maintain access logs for this very reason – to identify any inappropriate access to PHI. Appropriate access isn’t just a best practice, but a key part of the Privacy Rule under HIPAA and grounds for HIPAA fines if noncompliance is discovered. Recently, more than 50 employees at a hospital in Chicago were fired immediately after it was discovered that they inappropriately accessed and viewed the medical records of an actor who had been treated at the facility. Nearly 80% of healthcare executives say that employee security awareness is amongst their greatest concern – making it even more essential that staff members are properly trained on appropriate access policies.  If you’re currently working from your kitchen table in your pajamas (no judgment, us too) you may not be aware of the additional threat you now pose to the security of patient data. Remote work environments, while critical in today’s climate, introduce less secure home networks and fewer safeguards than you might find in your office. It becomes even more essential to mitigate new threats by ensuring your staff knows not only appropriate ways to access data but are only accessing the minimal amount of data necessary to complete their job responsibilities. You can read our recent article for additional tips on how to safeguard data while working remotely here.   Unfortunately, in the current economic climate, many healthcare organizations are resorting to furloughing staff. This can add unprecedented challenges for practices trying to control appropriate access to protected health information. Even if an employee will be returning to your practice, there should still be a process in place to limit their access to PHI while furloughed. Removing access can be done by revoking the employee’s login credentials to the practice’s EHR system, recollecting any key or keycard they were given, or other security measures deemed necessary to limit their exposure to sensitive patient data. It’s important to keep in mind that any access removed can be restored when furloughed employees are brought back, but limiting access temporarily will help prevent unauthorized disclosures. Other helpful tips to keep in mind with appropriate access are: Ensuring PHI is accessed only when necessary is essential to protect medical practices and patients. Just as a practice doesn’t share financial information with all staff, sensitive patient data should have similar appropriate restrictions. During this difficult time, it is all the more important to have proper access policies in place and guidelines to guarantee the safety and security of patient data. Whether at home accessing PHI in your PJ’s, or looking to the future when we’re all back in our offices once again, appropriate access is key to essential data privacy.

Prioritize Your Practice’s Disaster Recovery Plan
Best Practices, HIPAA

Prioritize Your Practice’s Disaster Recovery Plan

April 16, 2020 Comments Off on Prioritize Your Practice’s Disaster Recovery Plan

April 16, 2020 Having a documented disaster recovery plan is incredibly important for healthcare practices to implement in preparation for a data breach, cyber-attack, or a public health emergency like COVID-19. A disaster can be defined as any event that compromises an organization’s operations, data, and network – and due to the current increase in cyber attacks during COVID-19, ensuring your practice is well-prepared for any disaster with a proper contingency plan is all the more important.  You know what they say: always plan for the worst, and hope for the best. We’d like to hope your practice never has to put your disaster recovery plan into action, but it’s better to be safe than sorry especially since it’s required by HIPAA law. The HIPAA security rule states that all healthcare practices must have a contingency plan in place to define the responsibilities of all staff members and overall practice procedures to restore IT systems that contain PHI in case of any disruptive event. The requirements within a disaster recovery plan can seem a little daunting, which is part of the reason why it’s essential to have your procedures in place before a disaster happens. Now let’s break down what exactly you need for your contingency plan:  When it comes to your practice’s disaster recovery plan, having everything properly documented and planned ahead of time will make all the difference in your ability to restore data and respond to an emergency correctly.  If your practice hasn’t created the right disaster recovery plan prior to a threat or event occurring, it’s always a good idea to immediately document and identify how your practice will respond as quickly as possible. Even if you already had a documented disaster recovery plan, when an event does occur it is a great opportunity to revisit your existing plan and adjust any needed areas to be as accurate as possible. Felling a bit overwhelmed? We have some good news for you. Abyde’s comprehensive solution will take the guesswork out of knowing if your practice is prepared. From documenting your risk assessment to generating policies and procedures specific to your practice, to a support team ready to assist you in the event of a disaster, if using Abyde, implementing your practice’s recovery plan won’t be stressful or time-consuming!

HIPAA for Business Associates Checklist
Best Practices, Cybersecurity, HIPAA

Technical Safeguards for Cybersecurity

April 10, 2020 Comments Off on Technical Safeguards for Cybersecurity

April 10, 2020 HIPAA has been around for quite a while – since 1996, in fact – and part of HIPAA law has always included required safeguards to secure all aspects of a medical practice’s protected information. With the rapid adoption of technology within the healthcare industry, technical safeguards included in HIPAA law are some of the most important for practices of all sizes to implement. Technology has enabled businesses in the healthcare industry to move operations offsite. In light of the current public health emergency, allowing for access to all essential data without having to step foot into the office is vital to ensuring practices are ready to see patients after the social distancing rules are relaxed. While these advancements simplify and enhance your business operations, they have made a hacker’s job that much easier as well. Technical safeguards are the documented strategies and solutions that practices implement to secure electronic protected health information and control access to it. These include:  When it comes to the question of which data actually needs to be safeguarded, the answer is pretty much all of it. Any data that is accessed by, sent to or received from other practices or authorized vendors need to be protected as well as any data that has traceable identification that can be linked to a patient. This sensitive data must be encrypted prior to sending or receiving. Encrypting data may seem like a daunting task, but at a basic level, it just means making PHI unreadable to anyone other than the intended parties. Recent Cyber Threats Tied to COVID-19 While ensuring your practice is prepared for a cyber attack is always important, cyber threats have been headlining the news a lot lately along with the current COVID-19 health emergency. Hackers are taking advantage of this time of increased public vulnerability as well as increased use of technology from unsecured networks while many people are working from home. Read up on common tactics utilized in these threats in our recent article. Over the past few weeks, including just yesterday, multiple government agencies have issued warnings regarding recent threats to cybersecurity. These attacks range from individuals posing as government officials seeking access to PHI to other various phishing and malware distribution schemes utilizing the current concern and fear around COVID-19 as hackers ticket into your sensitive data.  Further guidance can be found in the public service announcement released by the FBI and yesterday’s bulletin from the CISA. Hackers aren’t just attempting to play the roles of OCR investigators, or focusing on sending you phishing emails – now your video-teleconferences are at risk too. Video chat apps have become increasingly popular whether it’s for telehealth appointments, office meetings, , or even just virtual happy hours with friends – it’s the best way to stay connected during this time of social distancing. Unfortunately, this added reliance on technology is just another way for scammers to attack. The FBI released additional guidance on defending against Video-teleconferencing (VTC) hijacking and “Zoom-bombing” which refers to attacks directly on the increasingly popular Zoom platform. Some noteworthy tips from this guidance include making sure your virtual meetings are private by requiring a password to gain access. Keeping these meetings private means keeping them off social media or other public-facing platforms so only provide meeting links directly to the individuals you want to be included. These attacks on video chatting software are especially important for medical practices to be aware of as just a few weeks ago the OCR updated their telehealth service regulations allowing doctors to use various communication apps to diagnose and treat patients while maintaining a safe distance.  Practicing Good Cyber Hygiene When it comes to cybersecurity, it’s important to know what to look out for, how to report any potential threats, and most importantly how to keep your practice and your patient data safe. Just yesterday, CISA, the United States Department of Homeland Security (DHS), and the United Kingdom National Cyber Security Centre (NCSC) issued a joint release featuring additional guidance on how to spot potential threats. Important tips for safeguarding your practice’s security during this time of increased risk include: There’s a lot of good ‘cyber hygiene’ out there, but here are a few top tips to keep your practice operations clean: If you have questions about technical safeguard requirements, Abyde has a team of HIPAA compliance experts ready and willing to help navigate your practice through these recent changes. If your practice is interested in learning more, sign up for one of our complimentary HIPAA compliance webinars where we’ll discuss HIPAA & COVID-19 from the comfort of your current remote work location.  

HIPAA During COVID-19
HIPAA, Legislation

Business Associates & Relaxed HIPAA Regulations During COVID-19

April 8, 2020 Comments Off on Business Associates & Relaxed HIPAA Regulations During COVID-19

April 8, 2020 The Office for Civil Rights (OCR) has been very active this past month, going above and beyond to help mitigate the risk COVID-19 poses to public health privacy. Certain HIPAA regulations were updated in March to allow for health care practices to better work with patients in need of healthcare services as well as providing guidance on how to best disclose PHI without risk of a data breach. In their latest announcement, the Office for Civil Rights has extended the same enforcement discretion to Business Associates. When it comes to Business Associates handling PHI, there are obviously strict limitations to follow for the sake of still maintaining patient privacy. As clearly stated in the recent OCR bulletin, business associates are expected to follow the same guidance provided for health care providers when accessing or disclosing PHI during a public health emergency.  Previously, these disclosure permissions were only allowed if expressly stated within the Business Associate Agreement with the BA’s covered entity. In light of the current situation, there is a greater need to easily provide public health authorities and emergency operation centers with access to COVID-19 related PHI and this bulletin reinforces the Business Associates’ ability to share that information securely. Violations of certain provisions of the HIPAA Privacy Rule will not be imposed during this time, if and only if: While this notice provides business associates with greater flexibility than some Business Associate Agreements allow for, that doesn’t mean that BAAs no longer matter. It should be noted the relaxation of enforcement does not extend to any other requirements under HIPAA law, and business associates will still be held liable for any violations outside of this circumstance – provided of course a BAA is in place.  As a reminder, a Business Associate Agreement allows the covered entity to obtain “satisfactory assurances”  that the business associate will “appropriately safeguard the protected health information it receives or creates on behalf of the covered entity.” This definition, straight from the HHS website, encompasses the need for BA’s to agree in writing to the same standards the covered entity is held to. A BAA must be completed with any vendor or organization the practice sends or receives any piece of PHI from. Without a proper agreement in place, the liability of this security breach will fall on the healthcare provider.   Contrary to what most might think, HIPAA really is here to help encourage providing access to and sharing of PHI as long as it is done in the right ways and for the right reasons. OCR Director Roger Severino makes this abundantly clear in his statement following the updated bulletin stating, “Granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives.”  This latest bulletin is just additional proof that HIPAA compliance is of the utmost importance during the COVID-19 public health emergency. All eyes right now are on data being shared between multiple government agencies like the HHS, CDC and even the White House. With secure and efficient access to real-time data, those organizations will be enabled to make educated decisions on how to best interpret and utilize the sensitive data received and, in turn, secure the well being of the public at large. We find it extremely comforting to know that by following the OCR’s recent HIPAA guidance, providers and business associates alike can play their part in stopping the spread of COVID-19.

HIPAA and COVID-19
HIPAA

March Recap: HIPAA Was Made for This

April 2, 2020 Comments Off on March Recap: HIPAA Was Made for This

April 2, 2020 We know times are a little turbulent right now. Way of life in America looks a lot different at the end of March than it did at the beginning of the month. Most of us are now working from home, cleaning and washing our hands more than ever before and worrying about when stores will finally restock on toilet paper. And like many of us, healthcare professionals across the United States have been following the growing number of COVID-19 cases with great concern. It’s a looming reality that some have even been in contact with patients who have tested positive for the Coronavirus. However, when it comes to sharing sensitive medical information, there are many misconceptions that paint HIPAA laws in such a way that make it appear as if it is an obstacle rather than what HIPAA is intended to promote – which is the allowance of protected health information to be shared securely, efficiently and with the right people. What so many don’t understand is that HIPAA rules and regulations identify the right ways and the wrong ways of making sensitive information accessible – especially in times of crisis.  Even during a public health emergency, HIPAA still applies – in fact, HIPAA law has included specific ways where PHI can be shared in a health emergency pretty much since its inception. These regulations include an expanded ability to share PHI with those directly working on the public health threat, but still prohibit disclosures that are not secure such as those to the public at large.  A great example of this is the recent news headlines featuring the names of well-known public figures testing positive. These individuals chose to share their diagnosis and spread awareness, but if diagnoses are made public without the required patient consent – like what happened to a Detroit Pistons player whose positive test made headlines before he had a chance to tell his own mother – HIPAA laws have been violated. Media leaks are common, but sensitive health information should be handled with extreme care. HIPAA was built to mitigate public risk during a health emergency while still maintaining the privacy that all individuals deserve. Despite what you may have heard, HIPAA doesn’t make it impossible for you to know whether you’ve been in contact with an infected person – it just regulates the type of information that is shared. With misinformation and public anxiety swirling, read up on our simplified guidance on handling HIPAA during a public health emergency to learn more. The OCR has also released several bulletins serving as both updates and reminders on HIPAA regulations to best meet the current needs of patient privacy.  To make things a little easier, here’s a quick summary on recent bulletins regarding COVID-19: With the constant news stories and anxiety around COVID-19, we know it can be tough to keep up with HIPAA on top of everything else. Yet as with any health-related event, HIPAA is key to protecting patients’ privacy and preventing other threats to patient data & security. In short, HIPAA is more important now than ever.

COVID-19 Brings Increased Risk of Cyber Attacks
Cybersecurity, HIPAA

COVID-19 Brings Increased Risk of Cyber Attacks

March 19, 2020 Comments Off on COVID-19 Brings Increased Risk of Cyber Attacks

March 19, 2020 The situation around COVID-19 (Novel Coronavirus) has continued to evolve across the globe, including recent changes to HIPAA & Telehealth as well as how to share PHI during this public health emergency. Late last night, the OCR & Cybersecurity and Infrastructure Security Agency (CISA) released another bulletin regarding new concerns around maintaining the security of your data and PHI. Scammers frequently increase their attacks during a public emergency, when they know that there is an increased dependence on digital communications and heightened fear and uncertainty, and the bulletin included several recommendations to protect your practice. The CISA warned individuals of the increased cyber threats related to the Coronavirus. They recommend caution when receiving any emails with a subject line related to COVID-19 as well as anything containing an attachment or hyperlink, as these are often directed to fraudulent websites asking individuals to provide private information. To exercise proper security measures, the CISA offered specific precautions to take: Leveraging public fear during a health emergency isn’t the only tactic that is used by scammers during this Coronavirus outbreak. As most companies have decided to move to remote operations, there has been an even larger window for cyber threat actors to hack into private information as sensitive data is now accessed through unsecured networks. Good “cyber hygiene” to instill in your practice includes:   Protecting PHI from cyberattacks also means ensuring you are aware of the HIPAA regulations surrounding public health emergencies. Reminding employees of appropriate access to PHI and implementing controls such as applying additional protections for COVID-19 health records are especially important. As the news continues to focus on the Coronavirus, individuals who have access to public health records may become curious about the health of those around them. It is important to ensure that PHI is only accessed when necessary, especially on less secure wireless networks such as those used when working from home.

COVID-19 Updates to HIPAA & Telehealth
HIPAA, Legislation

Updates to HIPAA & Telehealth During COVID-19

March 18, 2020 Comments Off on Updates to HIPAA & Telehealth During COVID-19

March 18, 2020 Amidst the current national public health emergency for COVID-19 or the Novel Coronavirus, the OCR has released a bulletin regarding the increased use of telehealth services among the medical community. In addition to the bulletin, during a press conference held yesterday, the OCR acknowledged the need for healthcare providers to seek remote communications with their patients and understand that these technologies may not be fully compliant with standard HIPAA regulations. “We are empowering medical providers to serve patients wherever they are during this national public health emergency.” OCR Director Roger Severino emphasized in a statement, “We are especially concerned about reaching those most at risk, including older persons and persons with disabilities.”  Under this update, any healthcare provider has the ability to use any non-public remote communication technology to provide telehealth services. This enforcement discretion applies to telehealth services needed for any reason, not strictly for the diagnosis or treatment of the COVID-19 related health conditions. During this time, the OCR will not impose violations for any noncompliance against healthcare providers under the good faith provision of telehealth during this national emergency.  This provision also allows healthcare providers to defer to their own judgment in requesting to examine a patient showing potential COVID-19 symptoms using technology such as video chat applications. This allows providers to assess a larger number of patients as well as limit the risk associated with being exposed to the virus during an in-person consultation. The telehealth services can be provided on any non-public facing communication applications without facing noncompliance penalties. Some acceptable applications include: Other similar video communication methods such as Facebook Live are considered public-facing and should not be used in the provision of telehealth. Health providers can seek additional privacy protections by providing telehealth services through technology vendors that are HIPAA compliant. They can enter into business associate agreements with these vendors in the provision of their video communication products. Some of the vendors that offer HIPAA-compliant video communication services include: While there will not be any enforcement of HIPAA noncompliance for providers choosing to utilize these methods of communication, it is important to still understand the security risks associated. The OCR recommends that providers notify patients when using these third party applications for these services as they potentially introduce privacy risks and any available encryption and privacy settings should be implemented during use. If as a provider you already have a HIPAA-compliant and secure telehealth application, it is still recommended to use the most secure application available to you.  Even during a public health crisis, HIPAA law still applies and includes specific caveats for sharing PHI in such an emergency. Read our blog article on Handling HIPAA During Public Health Emergencies for more information.  

What to do after a HIPAA Breach
Best Practices, HIPAA

Your Practice May Have Experienced a HIPAA Breach – Now What?

March 10, 2020 Comments Off on Your Practice May Have Experienced a HIPAA Breach – Now What?

March 10, 2020 Whether you have recently experienced a breach or are just preparing for the worst, it’s important to know what you need to assess in the event that your practice is faced with a HIPAA incident. Any time your Protected Health Information (PHI) is exposed, whether maliciously or accidentally, your practice may be facing serious fines for a HIPAA violation. The first step is knowing what exactly is considered a breach of PHI.  As defined by the U.S. Department of Health and Human Services, a HIPAA breach is the “impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” This definition is broad and leaves practices to determine if a breach has occurred. If you believe you may have been breached, the next step is to assess your specific level of risk using the following factors:  In any instance where unsecured PHI is involved, properly assessing the level of risk associated with your practice’s potential data breach is an essential first step. Your next steps are reporting the breach and notifying the right individuals as specified by HIPAA. In addition, the number of affected persons, your state’s individual reporting requirements, the types of PHI, and the likelihood the PHI exposed will be used for malicious intent will influence the best way to address the breach. All practices, before a breach ever occurs, should have a Breach Notification Policy in place that will outline the proper reporting steps that must be followed. Like all HIPAA policies, the policy should also include any state-specific breach notification laws that might supersede Federal requirements. It’s important to note that analyzing your HIPAA program shouldn’t only be done after a breach has already occurred. Practices should assess their level of HIPAA compliance regularly and complete the mandatory annual Security Risk Analysis in order to determine areas that could be breached in the future. This not only sheds light on often overlooked risks, such as outdated computer programs or missing policies for regulating access but in the circumstance that your practice does experience a breach you are better equipped to identify and mitigate the issue. In fact, if you experience a breach and have not completed the required Security Risk Analysis beforehand, the likelihood that your practice will be hit with a HIPAA fine goes up dramatically – almost all HIPAA fines levied by the OCR are in part the result of a missing risk analysis.  Updating and maintaining your practice-specific Security Risk Analysis and policies on a regular basis may seem daunting, but software solutions (like Abyde!) help streamline and automate this process to simplify your compliance program.

Are you prepared for OSHA's Workplace Violence Prevention requirements? Learn what you need to do to be compliant.

DOWNLOAD CHECKLIST
X