HIPAA

UnitedHealth Group in the Hot Seat
Cybersecurity, HIPAA

UnitedHealth Group in the Hot Seat: All Eyes on the Change Healthcare Breach

May 1, 2024 Comments Off on UnitedHealth Group in the Hot Seat: All Eyes on the Change Healthcare Breach

May 1, 2024 Over the last several months, your friends at Abyde have kept you updated on the latest in the Change Healthcare Breach.  Since February 21st, this breach has held the healthcare industry captive, likely the most significant healthcare data breach in the United States ever.  Change Healthcare, nestled under the UnitedHealth Group umbrella, processes about 50% of U.S. medical claims, is still picking up the pieces. If you work in healthcare, you feel the sting of the attack. Almost all hospitals reported financial damages because of the attack.  So, how did we get here?  You’re getting answers, as CEO of UnitedHealth Group, Andrew Witty, is set to testify in front of two congressional panels today.  Don’t worry, we’re not going in blind! While Witty might be on center stage today, a written testimony has already been released. Stay tuned because we’re decoding this testimony and answering your burning questions.  Pack your bags! We’re taking a quick trip to the Capitol! Party Crashers This compliance catastrophe began on February 21st, with the BlackCat hacking group infecting Change Healthcare’s systems with ransomware.  However, the team of malicious hackers had been plotting for over a week, being in Change Healthcare’s systems for nine days before the attack.  How did they get in?  It wasn’t a Mission Impossible stunt, avoiding lasers and jumping between buildings, but a simple case of compromised credentials.  Using a stolen login, the black-hat hackers could log into a Change Healthcare application portal and remotely access desktops. This portal didn’t have a standard security protocol: multi-factor authentication. Multi-factor authentication (MFA), like a code sent to your phone before logging in, is a typical security standard for protecting sensitive data. Implementing technical safeguards, like MFA, falls under the HIPAA Security Rule.  Mopping up the Mess While Change Healthcare is no stranger to hacking attempts – thwarting 450,000 intrusions a year – once the ransomware was identified, Change Healthcare sprung into action. According to Witty, the Change Healthcare team immediately severed connectivity with the data centers to avoid the spread of ransom.  Change Healthcare started from the bottom up, rebuilding the foundation of its technology infrastructure, replacing thousands of laptops, implementing new credentials, and new servers with the help of Tech powerhouses like Amazon and Google.  As of today, the ransomware only impacted Change Healthcare and none of UnitedHealth Group’s other organizations.  Witty also admitted to meeting ransom demands, saying it was one of the toughest decisions he’s ever had to make.  What’s Next?  These uninvited party crashers have put the UnitedHealth Group in hot water. These congressional hearings are just the tip of the iceberg for the medical titan.  Here at Abyde, we’re keeping a close eye on things, and you can bet we’ll keep you in the loop through our blogs and social media on the latest in these hearings.  Want to stay on top of all things compliance? Follow us and watch for our This Week in Compliance series – it’s your one-stop shop for compliance info!

HIPAA Compliant Marketing
Best Practices, HIPAA

Can You Post That?: The Secret to HIPAA Compliant Marketing

April 30, 2024 Comments Off on Can You Post That?: The Secret to HIPAA Compliant Marketing

April 30, 2024 Going viral in healthcare has a much more serious meaning than in marketing. Marketing in healthcare is essential. You want more people to know about your practice.  Like everything, the internet has revolutionized how patients look for a healthcare provider.  The internet is most people’s first introduction to your practice, with 75% of prospective patients first searching online for a healthcare provider.  Marketing and healthcare might seem like oil and water, especially when you throw HIPAA in the mix, but we promise you can do both, just with some rules.  Ready to take your patient engagement to the next level? Here are some tips and tricks when it comes to marketing your practice and being HIPAA compliant.  Tracking Tips One of the most common forms of marketing is online tracking tools.  Have you ever searched for something online and seen an ad on another website? For example, while falling down the rabbit hole of watching cat videos, you go to another site. Suddenly, BAM! Cat toy ads on every other site. While we aren’t complaining about seeing more cute cats, this isn’t a coincidence. It’s just tracking tools at play.  Almost every site you visit is trackable, with 90% of sites online having at least one tracking script installed.  Online tracking tools have been in recent healthcare compliance news, with the OCR releasing new HIPAA-compliant guidance.  Online tracking tiptoes into non-compliant territory, but installing software on suitable sites can be beneficial.  First, when working with a marketing company and installing this tracking software, ensure a Business Associate Agreement (BAA) is signed. A BAA outlines the responsibilities of each party, in this case, your practice and a marketing company, when handling Protected Health Information (PHI). These agreements ensure that both parties are on the same page, are liable, and know the importance of protecting patient data.  First, HIPAA does not apply to unauthenticated public sites like your practice’s homepage. Once patients are logging in, that’s when HIPAA comes into play. The information tracked must be the minimum necessary, and overall, can’t relate to the past, present, or future health, health care, or payment for health care.  Following the proper protocols helps avoid fines and keeps your practice running smoothly. Back in January, the NewYork-Presbyterian Hospital was fined $300,000 due to improper tracking practices.  Social Media Guru We’re not expecting you to become TikTok famous, but social media can be helpful in your practice. 74% of people online use social media, and nearly half have used it to learn more about a doctor or health professional for their care.  A social media page can be like a welcoming front door for patients. So, if you’re using it, make sure it’s HIPAA-compliant and shines a light on your fantastic practice!  When posting on social media, ensure PHI or patients who still need to sign a media consent form are visible.  While we know you might be excited about a patient’s new smile before and after braces, without consent, you might not be so happy with the fines. In Abyde’s software, we feature a media consent form, helping to keep your practice complaint.  Raving Reviews  Now, we’ve all read Google reviews. Whether it be the new Mexican restaurant up the street or your new general practitioner, we rely on others’ experiences when making a decision. Over 70% of patients trust Google reviews when searching for a new healthcare provider.  When responding to reviews, it’s essential to follow the simple rule: less is more. You can reply to reviews; make sure that identifiable information about a patient isn’t shared. For instance, even if it’s a lovely review, sharing a patient’s treatment online is unnecessary.  It’s essential to keep your cool when responding to these messages.  If it is a negative review, take it offline! Offer secure forms of contact for a patient, addressing their needs in a HIPAA-compliant manner. We’ve seen the repercussions of a Google review HIPAA violation. Manasa Health Center LLC was fined $30,000 for sharing PHI online in response to negative reviews. Even if the negative reviews were hurtful, we’re safe to say it probably wasn’t worth that much!  What’s Next?  We all know social media can be a game-changer for your practice, boosting patient numbers and engagement. But with great power comes great responsibility.  That’s where Abyde swoops in – streamlining compliance for your practice. Abyde simplifies compliance, and with features like the intuitive Security Risk Analysis, you’ll have all the tips and tools you need to ensure you’re compliant. So, get back to posting (safely)!  To learn more about compliance for your practice, schedule an educational consultation with one of our experts today! 

The Brief History of HIPAA
HIPAA, Legislation

The Brief History of HIPAA: How We Got Here and Why it Matters

April 29, 2024 Comments Off on The Brief History of HIPAA: How We Got Here and Why it Matters

April 29, 2024 At Abyde, it’s clear that we eat, live, and breathe HIPAA. Let’s take a trip down memory lane as we start this new week.  HIPAA has become a staple in championing patient’s rights, but how did we get here?  Gather your compass and maps because it’s time to set sail on a compliance cruise because we’re exploring the beginnings of HIPAA.  Blast to the Past: The Beginnings of HIPAA  We’re going back in our time machine to the 90s. The digital revolution was starting in a time of grunge and oversized flannels. From trading cassettes for shiny CDs to the sweet, sweet sound of screeching dialup, the 90s were defined by innovation. As we were (slowly) getting connected online, so were Covered Entities (CE). As the internet became more common, so did ePHI, or electronic Protected Health Information. Health information went digital, so it was time for some federal rules. Enter HIPAA!  HIPAA, or the Health Insurance Portability & Accountability Act, was signed into law on August 21, 1996, by Bill Clinton.  HIPAA, or the Kennedy Kassebaum Act, provides the privacy and rights of patients’ data. But hold onto your hats! This was only the beginning of HIPAA legislation.  The Privacy Rule: Keeping it Quiet Coming into effect in April of ’03, the Privacy Rule established the standards to protect the privacy of PHI, limiting how PHI is shared. This rule boils down to sharing the bare minimum information.   In this, the Minimum Necessary standard is put in place. The Privacy Rule requires that only essential and necessary information is shared regarding taking care of a patient. There are some times when this standard doesn’t apply, including:  The Privacy Rule also establishes the Right to Access, giving patients power over their medical records.  This lets patients get their medical records fast!  The Right of Access, under the Privacy Rule, usually requires patients to receive their medical records within 30 days. Some states are even quicker!  The Security Rule: Keeping it Secure Not too long after, the HIPAA Security Rule came into play in April 2005. The Security Rule establishes how the ePHI needs to be protected. This rule sets the standards for all the safeguards to keep patients’ information safe. The categories of safeguards are:  The Breach Notification Rule: Keeping it Transparent Fast forward a few years, and HIPAA throws another punch for patient privacy – the Breach Notification Rule!  This one landed in September 2009; however,  the government was still figuring out the rollout of HIPAA enforcement between the Security and the Breach Notification rules.  Monetary penalty enforcement officially began in 2006, but a significant piece still needed to be added to protecting patient data.  With all this data protection, patients needed to know if something went wrong, right?  That’s where the Breach Notification Rule kicks in. The Breach Notification Rule defines what a small (>500) and significant (<500) breach is and how patients need to be notified when their information is compromised. Patients deserve to understand the scope of what’s going on with their data! The notification should explain the breach, what information was potentially exposed, and how individuals can protect themselves. For the OCR, it all depends on how many people were affected.  So, even though a BA might not be working with a patient, the business still has to keep their PHI under lockdown!  Omnibus Rule: Keeping it Clear Fast forward to 2013. The final HIPAA Omnibus Rule was created to clarify further and strengthen HIPAA regulations. Some of the new updates included:  What’s next?  Over the last 30 years, the HHS has updated best practices under HIPAA, ensuring patient data is appropriately secure as innovations arise.  Some of the latest guidance released includes marketing tracking tips and significant changes to 42 CFR Part 2.  Want to make sure you’re up to date on the latest of all things HIPAA? See the latest on our blog and social media!     

Improper Access of PHI by Staff
Best Practices, Cybersecurity, HIPAA

Compliance Catastrophes: Improper Access of PHI by Staff

April 24, 2024 Comments Off on Compliance Catastrophes: Improper Access of PHI by Staff

April 24, 2024 It’s hump day! As we get through this middle bump of the week, we’re still rolling our series, Compliance Catastrophes; real-ish world examples of nightmare scenarios!  Today, we’re looking at you, healthcare workers and Business Associates! We know you do amazing work when taking care of patients, but keeping data secure is a part of building an awesome practice or business environment.  When given the keys to keep Protected Health Information (PHI) safe, it doesn’t mean to open the treasure chest of data! When working in this field, you’re around a lot of sensitive information, and it’s vital to uphold your commitment to patients by keeping it confidential!  We know it’s not all healthcare workers or their associates, but more people break this rule than you’d expect.  We’re getting scientific! There was a recent study that highlighted over 400 employees inappropriately accessing PHI at a hospital, and many only stopped accessing unauthorized PHI due to being warned they were caught by email.   It shouldn’t take being caught to change bad behavior! You know the drill – improperly accessing PHI is a breach of trust.  But just to be safe, let’s see an example of what you should not do. Now, joining us today, you guessed it, is our unlucky friend, Catastrophe Cathy.  PHI Peeking Cathy was at the front desk when a familiar face showed up for an appointment. An old friend from high school that she hasn’t seen in years!  They chat for a little bit, and Cathy can’t help but wonder what brought this friend in.  When she’s closing up, she can’t ignore the voice in the back of her head to go look. She falls for the temptation and searches for her friend’s medical information, curious about what brought her old friend into the practice.  As she’s reading about her old friend, another employee notices what she’s doing. Cathy is embarrassed and ashamed, as well as she should be! She was breaching her old friend’s PHI. That information is strictly confidential, no matter how close they used to be.  Real Life: Real FinesYou might think that a situation like this could never happen to you, but it happens often and there are severe consequences.  Last year, the OCR fined Yakima Valley Memorial Hospital in Washington State due to some snooping security guards. Curiosity didn’t kill the cat, but did leave it with a hefty fine! Over 400 patients’ records were looked at and the hospital was charged with a pretty expensive bill: $240,000!  To avoid snooping breaches, make sure all staff are properly trained on their roles and responsibilities. Access controls need to be monitored often, ensuring staff only have access to what pertains to their role. Additionally, make sure logs are reviewed, keeping your eyes open for any suspicious activity.   We all deserve our health information to be secure, and healthcare workers and business associates are at the front lines of keeping it confidential. To learn more about common compliance catastrophes, email us at info@abyde.com and stay tuned for the next in our series on our social media! 

HIPAA Compliance Stolen Devices
Business Associates, Cybersecurity, HIPAA

Compliance Catastrophes: Stolen Devices

April 23, 2024 Comments Off on Compliance Catastrophes: Stolen Devices

April 23, 2024 Welcome back to another blog on Compliance Catastrophes: real-ish world examples of nightmare scenarios! We’re going through the most common reasons for data breaches in healthcare and how your practice or business can stay safe.  Stolen devices in the workplace are one of the main reasons for a breach. According to the OCR, theft accounts for nearly 20% of large breaches (five hundred or more patients affected) over the past ten years.  A stolen device can quickly spiral into a HIPAA nightmare. That’s why devices need top-notch security for the safety of Electronic Protected Health Information (ePHI).  No question, ePHI needs protection. That’s why I’m here to remind you: when you have a device with it, stay alert!  Now, let’s see what happens when someone slips up and neglects their device protection responsibilities.  Let me reintroduce our friend, Compliance Cathy, she’s having a tough week!  Dinner with a Side of Disaster After a long day at the practice, Cathy was ready to get home and see her friends for dinner. When Cathy was at the restaurant, she left her computer bag on her passenger seat, being way more focused on the meal she was going to devour. While her steak was a perfect medium rare, the situation outside was a recipe for disaster!  When Cathy got outside, her night was spoiled. Her car was broken into! She realized immediately what went wrong. Her work laptop was stolen. The worst part, her computer was unencrypted, meaning the thief had easy access to patients’ PHI at the practice!  Device Safety 101  First, if you don’t have to bring home your work laptop, don’t! There’s less liability if the device is stored properly at work.  Even if you leave it at work, make sure it is secure at all times. For instance, at your practice or business, make sure the doors are locked when no one is at work and proper security is installed, like alarms and cameras.  Next, ensure all devices with PHI are properly encrypted. Encryption means sensitive data is unreadable for anyone except those authorized to view the information. Additionally, make sure strong password policies are in place. No more Password 123! Your friends at Abyde recommend that passwords must be at least 8 characters, including a number, an uppercase letter, a lowercase letter, and a symbol. Finally, make sure remote deletion is set up for all devices that have PHI, allowing you to use another device to wipe the stolen or lost device clean.  Keeping it Real Stolen devices are a common compliance catastrophe, and the OCR has enforced fines for non-compliant practices.  Don’t believe us? Here’s a real-life example of a stolen device catastrophe. In 2020, Lifespan ACE, a Rhode Island healthcare system, was fined over a million dollars when an employee’s car was broken into and an encrypted laptop was stolen. We’re not just making this stuff up! If you find yourself in a situation like Cathy’s, immediately alert the authorities of the theft. Contact your workplace and IT department, following company procedures.  See if your practice has remote deletion in place, wiping the stolen device. Your IT partner will likely handle all remote deletion and encryption of sensitive data. Some companies provide these services specifically for healthcare. We’re more than happy to point you in the right direction when it comes to your compliance journey, so just reach out if you’re looking for the right services for your practice or business.  Of course, ensure this breach is logged into your Abyde software and reported to the OCR.  With the right protocols, you can prevent and mitigate a stolen device.  While Cathy’s filet mignon dreams were burnt to a crisp, that doesn’t have to happen to you. To learn more about device safety, email us at info@abyde.com and follow us on social media for the latest news! 

HIPAA Compliance Email Safety
Best Practices, Cybersecurity, HIPAA

Compliance Catastrophes: Email Safety

April 22, 2024 Comments Off on Compliance Catastrophes: Email Safety

April 22, 2024 Good morning! We hope we can cheer up your Monday blues with the announcement of our new educational series, Compliance Catastrophes: real-ish world examples of nightmare scenarios!  Throughout this week, we’ll be releasing blogs and videos on common breaches of Protected Health Information (PHI) in healthcare, giving you the tips you need to stay secure.  We’re starting our series with one of the most common HIPAA breaches: email scams.  Email scams are very prevalent, with 91% of cyberattacks beginning with a phishing email. Phishing attempts are the most common form of cybercrime, with 3.4 BILLION spam emails sent daily.  Now, before we get too far, let’s clear up any misconceptions. Phishing attempts are unfortunately not a Saturday night getaway on a boat with your friends catching fish, it’s much more like casting a lure of fake urgency or importance to try and ‘fish’ for personal information, like PHI. You might think that you could never fall for a phishing scam, but let me tell you, it happens quite often.  Let me introduce you to the star of the week, Catastrophe Cathy.  A One-way Ticket to a Breach Cathy was scrolling through her email, and she couldn’t believe her eyes! Her boss sent her an email offering her a week’s vacation to Italy! All she had to do was claim it by clicking the link listed at the bottom of the email.  She was sold! It looked real; it said it was from her boss, Bob, and it even had his email signature!  As she clicked the link, the malware began to work its nefarious magic – infecting her computer and getting access to PHI.  Her dreams of seeing the Leaning Tower of Pisa came crashing down. Once she realized there was no trip. She panicked! What was she going to do?  Email Safety 101 Now, we can be like Cathy if we aren’t careful when checking our emails!  Falling for these phishing scams affects over 300,000 people a year, yielding over $50 million in losses.  First, an always good rule of thumb: If it’s too good to be true, it’s not. Sorry, or scusa (sorry in Italian) Cathy!  Next, always check who is sending the email. While it looked like it came from Bob the Boss, if she looked at the email address, she would have seen it came from Stevethescammer@email.com! Hackers pretending to be someone else at your organization is a very common practice known as spoofing.  Lastly, if you see any odd links or attachments, never click them, report them as spam, delete them, and, if applicable, forward them to your organization’s phishing email!  Phishing scams have also made a recent detrimental impact on healthcare. The OCR settled its first phishing cyber attack investigation, costing the Lafourche Medical Group $480,000!  Reel in Control Now, if you find yourself falling for an email scam, the first thing you need to do is to alert your team. You might be embarrassed, but it’s brave to admit you’re wrong, ensuring others don’t fall for a similar attack, too.  The most important step right now is to disconnect your device from the internet. Think of it like putting up a “closed for business” sign. This cuts off the hackers’ access and prevents them from finding more information on your network.  Loop in your IT team or IT provider, and follow company procedures for a cyber attack. Of course, notify patients affected by the breach, and report the breach in your Abyde software and to the OCR. Also, since it is a phishing attempt, you can report it to the FTC.  To learn more about common breaches, stay tuned to our blogs and videos this week! Follow us on social media to be the first to see the latest compliance news, and if you have any questions, email us at info@abyde.com. 

HIPAA Security Rule
Cybersecurity, HIPAA, Legislation

The HIPAA Security Rule: What You Need to Know

April 19, 2024 Comments Off on The HIPAA Security Rule: What You Need to Know

April 19, 2024 This week, we’ve gone through what makes HIPAA, well, HIPAA.  HIPAA, or the Health Insurance Portability and Accountability Act of 1996, comprises three rules.  These rules include:  Today, we’re talking about the Security Rule. Trust us, we know that compliance jargon can get complicated. That’s why we’re here to make it simple.  What’s the Security Rule? Let’s kick it back to the totally rad 90s to give more insight.  The year is 1996, and we’re entering the digital age. While we fought with dial-up and AOL was all the rage, more and more Electronic Protected Health Information (ePHI) was being created and transmitted digitally.  HIPAA was signed into law because of this technological boom, needing federal guidance on the protection of health information with each new innovation.  As a result, a part of HIPAA, the Security Rule was born. The Security Rule establishes the standards for how ePHI needs to be protected. This includes the administrative, physical, and technical safeguards to ensure ePHI is secure, remains private, and accurate.  Building a Fortress Administrative safeguards are the first line of defense when it comes to protecting patient data. Administrative safeguards are policies and procedures that your practice or business does to ensure compliance and protection of ePHI.  The Security Risk Analysis (SRA) is a classic example of an administrative safeguard. This proactive measure helps practices and business identify their risks and vulnerabilities when it comes to protecting PHI. The SRA is required under the Security Rule.  Training also falls under administrative safeguards, ensuring all staff is knowledgeable and up-to-date with best practices to remain HIPAA-compliant. Keep it Secure You wouldn’t leave your keys lying around, would you?  The same goes with PHI.  Physical safeguards include a range of measures to secure ePHI.  Common examples of the appropriate physical safeguards include: 
 Tech Talk Now, alongside physical safeguards, technical safeguards are key to keeping ePHI safe.  We hate to break it to you, but a lock isn’t going to protect your ePHI when there’s a hacker across the globe trying to breach your ePHI!  Common examples of technical safeguards include:  Covered Entities and Business Associates can get on track with these proper safeguards by working with your IT department or an IT partner. How Abyde Can Help Phew! Who knew HIPAA could get so complicated?  Well, Abyde is here to save the day, simplifying the compliance process for your organization. Abyde’s software is tailored to fulfill HIPAA regulations, including an intuitive SRA, entertaining training, custom policies and procedures, and more.  The Abyde software is here to make sure you Never Stress Over Compliance Again! If you are looking for an IT partner to assist you in implementing technological safeguards, we can also help with that, too! We have numerous IT partners who specialize in healthcare, knowing what you need to be secure. Reach out to info@abyde.com and call 1.800.594.0883 to find your next IT partner.  To learn more about HIPAA compliance, email info@abyde.com and schedule an educational consultation here for Covered Entities and here for Business Associates. 

HIPAA Privacy Rule
HIPAA, Legislation

The HIPAA Privacy Rule: Ensuring Patient Privacy

April 18, 2024 Comments Off on The HIPAA Privacy Rule: Ensuring Patient Privacy

April 18, 2024 Healthcare records can be pretty personal. That’s why it only makes sense that this Protected Health Information (PHI) needs to be secure, giving patients peace of mind.  That’s where The HIPAA Privacy Rule comes in.  While you already know that a patient’s health information shouldn’t be shared like the latest gossip, you might wonder what this broad rule actually entails.  Let’s uncover it together!  What is the Privacy Rule? The HIPAA Privacy Rule establishes the standards to protect the privacy of PHI, limiting how information can be shared, and setting patients’ rights regarding their PHI.  HIPAA, and all of its rules, need to be followed by Covered Entities and Business Associates (BAs).  Now, let’s break that down.  Keep it Brief Here’s a simple anecdote: When you’re ordering a pizza, you only give them your address and phone number, not your entire life story. Well, that’s similar to this section of the Privacy Rule, but instead of a perfect, extra cheesy pizza, it’s medical information.  Within the Privacy Rule, there is the Minimum Necessary standard. As in the name, this means to only provide the minimum necessary PHI for an intended purpose. Sharing PHI needs to be for the benefit of the patient. ​​This rule ensures healthcare providers only share the essential bits of your health information to get the job done. However, there are a few times when the Minimum Necessary standard does not apply:  By providing limited PHI, you establish trust and confidence with your patient, knowing that their information is secure, and when it’s shared, it’s for an important reason.  Right to Medical Records  As a part of the Privacy Rule, patients have the right to their medical records. This is known as the Right of Access. HIPAA gives patients the key to their medical records.  This requires practices to give medical records to patients in a timely fashion, give patients the option to request to fix errors in the medical records, and copies of their records for free, or at a reasonable cost. While HIPAA considers this ‘timely fashion’ to be within 30 days, some states are even sooner!  The Right of Access rule has been at the root of the past two OCR fines, highlighting the monetary penalty that can come with not providing patients (or authorized caretakers) medical records quickly. How Abyde Can Help Hopefully, we didn’t lose you after that HIPAA rundown! That’s where Abyde can help. Abyde streamlines the compliance process, turning complicated legislation into intuitive software that keeps you in check when it comes to compliance. We even make the process easy. Our plethora of resources will keep you educated and on top of everything compliance. To learn more about what your practice or business needs schedule an educational consultation today. Schedule here for Covered Entities and here for Business Associates.   

HIPAA, Legislation

The Breach Notification Rule: What to Do in Case of a Data Breach

April 17, 2024 Comments Off on The Breach Notification Rule: What to Do in Case of a Data Breach

April 17, 2024 Imagine this: it’s a quiet Wednesday morning at the practice. As you’re watching the clock tick criminally slow to lunch hour, you check your email. It looks like your boss sent you an email!  He wants you to print out the attached file. You absent-mindedly click on the file, and your once quiet morning is completely flipped on its head.  The email was a phishing scam! If you looked a bit harder, you would have noticed it didn’t actually come from your boss, but an unknown suspicious email.  The malware begins to infect your computer, starting to wreak havoc. What are you going to do?  Email phishing scams are a common example of a breach, exposing patient data. Other forms of breaches include: stolen laptops, improper disposal of PHI, and overall, any time unauthorized access to sensitive patient data. Breaches, unfortunately, happen pretty often, affecting millions of patients. In 2023, over 133 MILLION patients’ information was exposed in breaches.  What’s the HIPAA Breach Notification Rule?  Now that we’ve painted a scary picture, let’s talk about what you can do. This is where HIPAA’s Breach Notification Rule comes in. The Breach Notification Rule is one of the pillars of HIPAA and guides Covered Entities (CEs) and Business Associates (BAs) when it comes to breaches. It mandates required information about a breach and how patients need to be notified of their exposed data. What Should I Do?  Well, first, don’t panic! Time is of the essence when it comes to a breach.  Here’s a step-by-step guide on what to do if you suspect a data breach: 1.Contain the Breach: First things first, stop the attack! If dealing with a cyber attack, like an email phishing scheme, disconnect the infected computer immediately, so it can’t spread the nasty virus to other computers on the network. Report the incident to your IT department or IT partner immediately. 2. Investigate the Breach: Time to play a bit of Sherlock Holmes and investigate the attack. What data was accessed or potentially accessed? How many individuals are potentially affected? How did the breach occur?  All of these questions are vital when it comes to reporting this breach and notifying patients. In the Abyde software, we have our breach log, a quick questionnaire for you to organize your investigation.Notification Requirements: Depending on the severity of the breach, notifications may need to be sent to several parties: 3. Notification Requirements: Depending on the severity of the breach, notifications may need to be sent to several parties: 4. Mitigation and Prevention: Well, hopefully, that never happens again! Now, it’s time to take steps to prevent similar breaches in the future. This involves:  How Abyde Can Help Mitigating breaches and protecting patient privacy can be daunting. Abyde can help! We offer a plethora of resources on compliance and data security best practices. As discussed above, Abyde assists with every step of the breach process, from proactively identifying risks and vulnerabilities with the Security Risk Analysis, to training, to breach logs.  Want to learn more about how Abyde can help you Never Stress Over Compliance Again? Email info@abyde.com, and schedule a compliance consultation here and here for Business Associates.   

HIPAA Compliant Phone Calls
Best Practices, Business Associates, HIPAA

1-800-HIPAA: Guide to Compliant Phone Calls

April 12, 2024 Comments Off on 1-800-HIPAA: Guide to Compliant Phone Calls

April 12, 2024 Brrring Brrring Brring! It’s your friends from Abyde calling! Pick up! We have some worthwhile tips and tricks to share with you today.  While we all love a good chat on the phone when working with Protected Health Information (PHI), it’s key to keep things confidential.  That’s why today, pick up our call and learn how your practice can make compliant phone calls. By following our tips, you’ll be a confident phone pro, ready to chat with patients while keeping their privacy a top priority. So, are you ready to answer? Let’s get started! Hello, it’s HIPAA In the digital age, there are numerous ways to connect and share information with patients. Reaching out to patients through the phone is still a common practice, but you need to be able to navigate it safely.  First, ensure your phone systems are HIPAA-compliant before sharing any PHI. This includes end-to-end encryption, user authentication, audit control, automatic log-off, and other strong security features.  When onboarding with a cloud-based phone service, make sure a Business Associate Agreement (BAA) is signed with the provider, ensuring accountability and liability when it comes to the protection of patient data.  Listen, we know you might be itching to chat after your visit –   you genuinely care about our patients and their well-being, but there aren’t a ton of reasons to call a patient.  While HIPAA restricts casual chit-chat, some of the reasons to call a patient include: Additionally, if you are calling a Business Associate (BA), make sure a BAA is signed before communicating any PHI through the phone.  When in Doubt, Leave it Out! When on the phone with a patient or a BA and you’re disclosing PHI, the Minimum Necessary Requirement is at play. As in the name, this standard means only the minimum necessary information about a patient’s health information should be disclosed.  FCC, or the Federal Communications Commission has come out and given guidance on HIPAA-compliant phone calls. Keep it short and sweet! Phone calls should be less than 60 seconds or less than 160 characters in text length.  And, don’t blow up any patient’s phone with calls! The FCC says patients should only receive three calls a week, or one text a day.  To ensure patient privacy and clear communication, keep calls brief and focused.  Before sharing any information, take a moment to verify the patient you are speaking with.  Phoning Family While it’s only normal for a family to worry about a patient’s health, sharing this information is a different story.  Under HIPAA, the patient has to agree for their PHI to be shared with family. Once again, only the minimum information required can be shared.  However, if a patient is incapacitated, PHI can be shared with the family if it’s considered in their best interest. Once a patient is lucid again, the patient can retract permission for PHI to be shared with family.  Dialing Up Patient Trust Phone calls are a common and effective way to quickly share information with patients. Like anything regarding PHI, it’s vital to stay compliant, keeping patient information secure.  By properly handling phone calls at your practice, you’ll strengthen patient trust, improve communication, and reduce compliance risks with the right tools. Abyde can be one of those trusted tools, being a cloud-based solution that streamlines the compliance process. Abyde will assist you in having everything you need to be compliant, keeping you in check and creating a culture of compliance at your practice.  To learn more about what your practice needs to do to be compliant, email info@abyde.com, call us at 1.800.594.0883,  and schedule a consultation here.