March 1, 2024 Handling the complexities of HIPAA regulations can feel like walking a tightrope for healthcare providers. Every interaction with Protected Health Information (PHI) – from creation to disposal – carries potential risk. Fortunately, they’re not alone. Shredding companies, step into the crucial role of Business Associates (BAs), becoming vital partners in ensuring HIPAA compliance. When Disposal Companies Wear the BA Hat: Not all disposal companies fall under the BA umbrella. The key factor hinges on access and interaction with PHI. If a company directly receives, handles, or disposes of PHI on behalf of a covered entity like a hospital or clinic, they automatically become BAs. This means they’re bound to HIPAA legislation, becoming directly liable for the protection of patients’ data. Why Shredding BAs are Essential for HIPAA Compliance: Beyond just disposing of paper, disposal BAs bring critical expertise to the table: Paper-Thin Excuses: The Consequences of Improper Disposal The consequences of improper disposal of PHI can be severe. For instance, the New England Dermatology and Laser Center was fined over $300,000 due to improper disposal of PHI, and having health information in a garbage bin in their parking lot. Data security isn’t a solo act. Recognizing disposal BAs as active partners in the HIPAA compliance journey strengthens the entire healthcare ecosystem. By choosing trusted BAs and fostering open communication, covered entities can leverage their expertise and navigate the ever-evolving regulatory landscape with greater confidence. For Business Associates, being compliant is beyond good business practices, it’s upholding your commitment to patients’ data. Abyde’s newest software, HIPAA for Business Associates is here to simplify compliance for your organization. Abyde’s software includes training, security risk analysis, a BA and CE portal, and many more resources to assist your organization. To learn more about compliance for your organization, email info@abyde.com and schedule a demo today here.
Make the Most of Your Extra Day: The First Step of Compliance
February 29, 2024 Happy Leap Day! With the extra 24 hours, what do you plan to do? First, if you haven’t, remember to report your small breaches to the OCR today, but what else? I know you might say do nothing and sit on the couch later, and while that sounds great, we have some better ideas for you. We at Abyde believe in self-improvement and betterment, appreciating every day and making an impact. This once-in-every-four-year occasion is an opportunity to do something new and start a task you’ve been putting off. For many, this could be compliance. Compliance software is key, knowing your practice is prepared if used correctly. Investing in compliance software is a small cost compared to how expensive violations can be, with the smallest HIPAA fines costing $137 and the least expensive OSHA fines costing $1190. While perfect compliance can’t be achieved in one day (if it could, we wouldn’t be here!), by taking the first step today and using Abyde’s software, compliance is easily within your reach, with us simplifying the process and being with you every step of the way. Compliance is a continuous process, but it requires the first step to build that culture of compliance for your practice or organization. A culture of compliance takes time, training your staff, having all understand the importance of compliance, the precautionary measures that need to be taken to secure Protected Health Information (PHI), and ensuring a safe working environment for all. We at Abyde know how precious your time is, so we offer quick 15 to 20-minute demos and consultations. Additionally, Abyde prides itself on how we make the compliance process efficient and fun. Complete the once daunting Security Risk Analysis, or SRA, in minutes with our intuitive and simple questions. Drastically cut down on time with our dynamically generated Policies & Procedures, having custom documentation created for you in seconds. Learn from our numerous resources in the software on what it means to be compliant. If you have any questions, experience white-glove service from our team of compliance experts, only a short call or message away. While an extra day might feel insignificant, all it takes is that first step on the journey to compliance. We hope you enjoy your extra day, and make that first step by scheduling a short demo or consultation (Business Associates, click here, please!) with our experts today. If you still have questions, email us at info@abyde.com, or call 1.800.594.0883.
What You Need to Know: Major Changes to 42 CFR Part 2
February 28, 2024 For practices offering treatment for a substance use disorder (SUD), some major compliance changes have been rolled out. The Substance Abuse and Mental Health Services Administration, or the much easier-to-remember SAMHSA, and the Office of Civil Rights, or OCR, have announced changes to 42 CFR Part 2. 42 CFR Part 2 is a document that rules how substance use disorder patient records need to be handled. Some major changes include: One OK: A single consent is valid for all future uses, forgoing repeated permissions and simplifying the process for your practice. Sharing with Care: Information about a patient can be shared with public health authorities without specific consent. However, the documents need to be revised to make the patient anonymous. Enforcement Streamlined: Previously, 42 CFR Part 2 had separate penalties. Now, it adopts the same civil and criminal enforcement as HIPAA violations, ensuring consistency and clear expectations. Breach Notification and Patient Notice: Will follow the same Breach Notification Rule and Patient Notice of Privacy Practices as standard HIPAA requirements. Safe Harbor: The Safe Harbor rule in the 42 CFR Part 2 creates a limit on the liabilities investigative agencies that follow proper procedures can face. So, simply put, if an investigative agency has accessed protected health information about someone in substance abuse treatment by following the proper procedures, they will be protected. What this means for your Practice If you work for a practice that offers treatment for substance use disorder, knowing the changes to this legislation is imperative. With Abyde, we’re here for you to simplify compliance, with our revolutionary software keeping you up to date and accountable. Review your organization’s risks and vulnerabilities with our variety of resources, including our state-of-the-art Security Risk Analysis (SRA) which can be completed in minutes. To learn more about how your practice can be compliant, email us at info@abyde.com and schedule a consultation today.
Change Healthcare Breach: A Long Road Ahead
April 26, 2024 It’s Friday! It’s time to unwind and not think about work for a few days… except for the Change Healthcare breach, that party’s not over. Let’s get you caught up. As we’ve kept you updated with the latest updates in the Change Healthcare Breach on the blog and our social media with our This Week in Compliance (TWIC) series, there have been some significant updates in this compliance catastrophe. Accompanied by our This Week in Compliance (TWIC) video, let’s dive into the latest on Change Healthcare breach. Double Trouble Sometimes, two isn’t better than one. Change Healthcare received a double scoop of trouble, and, unlike a sundae with delicious hot fudge, this came with two servings of ransom demands! Change Healthcare is no stranger to ransom demands, paying $22 million in Bitcoin to the BlackCat hacking group. This is just the beginning of the story. Another hacking group, RansomHub, announced they had several terabytes of Protected Health Information (PHI). For some perspective, here’s a simple explanation. A terabyte contains over 5 million document pages! Think about how many patients a leak of that information could impact! At first, there was skepticism about whether these RansomHub bullies truly had access to the information, bluffing for a ransom payment. Unfortunately, RansomHub does have this PHI, sharing over 20 victims’ health information to prove a point. While we don’t know how much it is, we’re willing to bet it’s much more than an Abyde subscription. Pretty Penny for PHI This breach is costing the UnitedHealth Group over a billion dollars! These costs impact not only the medical giant but all of the practices and hospitals that rely on the organization to process prescriptions. According to the American Hospital Association, 94% of all hospitals report financial impact, with 33% costing the hospitals more than half of their revenue! In addition to the monetary costs of the attack, the UnitedHealth group has to repair its shattered reputation. The UnitedHealth Group is currently caught in the crosshairs of national-level legal proceedings, with Congress beginning hearings on the attack. Shockingly, UnitedHealth Group was not in attendance, but the CEO, Andrew Witty, is due for an appearance at the beginning of May. What’s next? This breach is a serious reminder that no matter how big, or small, your practice is, data breaches can happen to anyone. It’s important to stay proactive and address your vulnerabilities to protect PHI. As we continue to discover the extent of the attack, even if your practice didn’t cause the breach, Covered Entities must notify affected patients according to the Breach Notification Rule. For our Abyde users, check out the What’s New section for guidance on notifying your patients. The HHS also has a FAQ section on its website regarding the breach. To learn more about how to keep your practice safe, schedule a consultation with a compliance expert here.
Leap into Action: Important Data Breach Reporting Deadline Approaches
February 26, 2024 Happy Leap Year! Now, let’s celebrate the once-in-every-four-years event with the most exhilarating and entertaining activity: notifying the OCR of small breaches your practice faced in 2023. Alright, I’m kidding I’m kidding, while reporting these breaches might not be the most exciting activity, it is very important to notify the OCR of these breaches to ensure proper procedure was followed when things didn’t go as planned. This notification to the OCR is due 60 days after the end of the following year, according to the Breach Notification Rule. So, for 2024, it will be February 29th or Leap Day. So, what is a small breach? You might be asking, what constitutes a small breach? Thankfully, the OCR has specified this for us, and it’s any breach that affects 500 or fewer patients. Anything more than this requires faster reporting, needing to notify the OCR of the breach within 60 days of the discovery of the breach. While smaller breaches don’t need to be reported to the OCR as quickly, patients must be aware of their data being affected in a breach, and patients must be notified within 60 days of the practice finding the breach, or even sooner depending on the state. So, how do I report my small breaches to the OCR? Another great question! Once again, the OCR has a reporting system in place online here. Each small breach has to be reported separately through the website. Abyde makes breach reporting easy, with our HIPAA breach logs, which will allow you to log when you experience a breach in your software. After filling out the breach log, we have a Breach Risk Assessment for you to take, and will then generate a report with all the information you need for the OCR breach report. If you want some help filling out the breach report, you can turn to us, your compliance crew. For Abyde users, call us at 1-800-594-0883 or hit the Help! Alarm button under the gear icon in your Abyde software. We’ll get connected with you immediately and help you navigate the breach. Then, just make sure you notify the OCR by the due date for those smaller breaches! So, what else do I need to do? I’m glad that you’re still interested! Having assigned roles when breaches occur. The reporting of breaches usually falls under the HIPAA Compliance Officer’s list of responsibilities. Having a designated HIPAA Compliance Officer, and in general, having assigned roles in order when a breach or disaster occurs ensures accountability. So, what now? Make sure that you have all of your small breaches reported to the OCR by February 29th, 2024. Abyde is here to make this process easy with our easy-to-use software. To learn more about how Abyde simplifies compliance, reach out to info@abyde.com or schedule a demo here.
Don’t Get Caught Off Guard: HIPAA Audits are Back!
February 23, 2024 They’re Baaaaaack! And in this case, not the poltergeists in the 80s classic, but the Office For Civil Rights (OCR). The OCR shared some significant news, announcing their plans to reintroduce their random HIPAA audits program. The last time this program was in place was in 2016 – 2017, with over 200 Covered Entities and Business Associates audited to ensure HIPAA compliance. Before this program is officially implemented again, the OCR is surveying past audit participants, and hearing their feedback before random audits begin. However, Director of the OCR, Melanie Fontes Rainer, confirmed the audits would resume this year, “OCR intends to initiate audits of HIPAA-regulated entities later this year. These audits can assist regulated entities in improving their HIPAA compliance and their protection of health information.” The audits revealed eye-opening shortcomings of CEs and BAs, with Paul Hales of Hales Group describing that “86% of covered entities and 83% of business associates failed the risk analysis audit, and 94% of CEs and 88% of BAs failed the risk management audit”. Thankfully, this news doesn’t have to be like a horror movie if you’re proactive and take compliance seriously. What does this mean for you? While random HIPAA audits might seem very nerve-wracking for your practice or organization, with the proper tools, you can be easily prepared. These audits will help all in healthcare, highlighting the importance of being compliant and keeping patients’ data safe. That’s why Abyde is here to help. Our software simplifies compliance, allowing your practice to focus on what matters most, taking care of patients, or in the case of Business Associates, running your business. To learn more about how you can be prepared for the random OCR HIPAA audits, email us at info@abyde.com or schedule a compliance consultation below. MEDICAL PRACTICES: SCHEDULE CONSULTATION BUSINESS ASSOCIATES: SCHEDULE CONSULTATION
The OCR Cracks Down on Cyber Attack Breaches: Second Ransomware Attack Settled in Four Months
February 22, 2024 Well, the Office of Civil Rights (OCR) did it again. In the past four months, two ransomware cyber attack cases have been settled, resulting in hefty fines, yikes! While the first ruling affected a Business Associate with a major fine, this breach impacted a Covered Entity. In February 2019, Green Ridge Behavioral Health in Maryland filed a breach report that all of their files on patients were encrypted with ransomware, resulting in over 14,000 patients’ data being compromised. That’s a lot of people! As the name suggests, ransomware is a cybercrime where data is held for ransom. Users are unable to access data/files till the ransom is paid. It is a malicious crime that is extremely prevalent in healthcare, with a 264% increase over the past five years in large breaches reported to the OCR. In their investigation, the OCR found potential violations of the HIPAA Privacy and Security Rules from before and right up until the breach. In their variety of violations, some other major misses included: As a result, Green Ridge Behavioral Health was fined $40,000 and will now be monitored by the OCR for the next three years. That’s a long time and a lot of money for a practice that could have avoided this situation with the right compliance solution. That’s where Abyde steps in. Cyber attacks are unfortunately common in healthcare, accounting for 79% of the large breaches reported to OCR. We’ve now seen a pattern of the OCR ruling on ransomware cases, cracking down on practices and organizations that are not prepared for a cyber attack. The OCR is not messing around, and these fines are a clear example. Thankfully, with Abyde, we make the journey to compliance simple. The Abyde software resolves many of the reasons why practices and organizations get fined. You can complete our intuitive Security Risk Analysis in minutes, being able to see what your practice needs to do to be compliant in a flash. Abyde also has engaging training, with interactive activities and videos, all with entertaining themes, to keep the user interested (yes, you read that right). We also have a portal that allows you to easily manage all of your agreements with Business Associates, digitally signing and storing them in the software. What’s the cherry on top? We will remind you when these agreements are close to expiring, being your compliance crew so you can focus on running your practice. We have a variety of resources for practices of any size to use, like dynamically generated policies and procedures, allowing you to finally ditch the dusty HIPAA binder, HIPAA logs, our team of friendly compliance experts is always a call (or message!) away, and much more. Why wait for a compliance disaster? Email us at info@abyde.com and schedule a demo of our revolutionary software here.
Not Just Delivering Packages: Medical Couriers’ Role in Protecting PHI
February 21, 2024 While doctors, nurses, and researchers often take center stage in healthcare, there’s another critical group working tirelessly behind the scenes: medical couriers. These are the logistics ninjas, the delivery defenders, who ensure vital medical supplies, specimens, and documents reach the right place at the right time. Medical couriers go far beyond simply transporting packages. They handle protected health information (PHI) in various forms, making them subject to HIPAA compliance alongside healthcare providers and health plans. This means they share the responsibility of safeguarding patient privacy and security. Key Responsibilities in Compliance: HIPAA Compliance: A Shared Responsibility Healthcare providers rely on Business Associate Agreements (BAAs) to establish clear expectations and obligations for couriers regarding HIPAA compliance. These agreements outline: The Impact of Compliance: Effective HIPAA compliance by medical couriers benefits everyone: The Future of Couriers and Compliance The future of medical courier services might involve drones and autonomous vehicles for faster deliveries. However, the core responsibilities – data security, adherence to regulations, and understanding the impact on patient privacy – will remain central to their role as HIPAA business associates. Medical couriers are no longer just delivery personnel; they are crucial partners in ensuring healthcare compliance and safeguarding patient privacy. By understanding their critical role and responsibilities, we can appreciate their impact on a healthier and more secure healthcare system. For medical couriers and Business Associates in general, Abyde is your compliance solution. With our newest software, HIPAA for Business Associates, BAs can manage compliance with ease. HIPAA for BAs includes a robust security risk analysis, training for BAs, automated policies and procedures, dynamically generated Business Associate Agreements for Covered Entities and Sub-Business Associates, and much more. To learn more, email hipaa-ba@abyde.com and schedule an educational consultation here.
Social Media & HIPAA: Compliant Social Media Tips for Your Practice
February 15, 2024 Picture this: you’re a doctor, feeling proud after helping a patient overcome a challenge. You snap a selfie with them, post it on your clinic’s Instagram, and bam! Instant HIPAA violation. We’ve seen how social media is about more than just staying connected with friends and family. It’s become a powerful tool for reaching new audiences and having meaningful interactions with other users. If used correctly, social media can be an awesome tool to educate and share the resources your practice provides easily to patients. However, it is important to use social media wisely and know how crucial it is to protect patient information. Social media can be a slippery slope to HIPAA violations if misused. That’s why we’re here today to share with you the best tips and practices for your social media. The Less Information, The Better Double Check Before Posting Have Media Consent Forms Signed While your journey to be famous online might not be as easy as cute cat videos, by prioritizing HIPAA compliance on social media, you can confidently utilize technology to engage with audiences without compromising their privacy. Social media can be complicated, but compliance doesn’t have to be with Abyde. Abyde offers a thorough security risk analysis that dives into not only social media use but all facets of your practice. Abyde also has interactive training, policies and procedures, forms, and more, for your practice to utilize. To learn more about simplifying compliance for your practice, email us at info@abyde.com and schedule a demo here.
Safeguarding Your Practice: A Comprehensive Approach to Cybersecurity
February 12, 2024 The following blog was co-written with Abyde’s partner, Carrie Millar at Dentist Insurance Services. If you would like more information on Dental Insurance Services, please click here to visit their website. In an era where technology plays a pivotal role in healthcare practices, ensuring the security of sensitive patient information is paramount. Cybersecurity threats pose a significant risk to medical practices, and adopting a multi-faceted approach is crucial to safeguard against potential breaches. This article explores the three key components to cyber safeguarding your practice: Strong IT for prevention, a Formal HIPAA compliance program, and Cyber Liability Insurance. 1. Strong IT for Prevention The foundation of any robust cybersecurity strategy is a well-built IT infrastructure. Prevention is the first line of defense against cyber threats. Implementing strong IT measures involves securing networks, regularly updating software and systems, and employing robust firewalls and antivirus solutions. Encryption of sensitive data both in transit and at rest adds an extra layer of protection. Regularly monitoring network activity and promptly addressing any anomalies can help identify potential security breaches early on. Employee training on cybersecurity best practices is equally essential, as human error remains a significant factor in cyber incidents. By investing in strong IT measures, practices can significantly reduce the risk of unauthorized access and data breaches. 2. A Formal HIPAA Compliance Program Compliance with the Health Insurance Portability and Accountability Act (HIPAA) is mandatory for healthcare providers, and it forms a critical aspect of cybersecurity. HIPAA compliance programs, such as Abyde (www.abyde.com), provide a structured framework for ensuring that your practice adheres to the stringent regulations in place. These programs offer comprehensive training for employees, covering topics such as data handling, password management, and recognizing potential phishing attempts. Regular audits and assessments help identify areas of improvement and ensure ongoing compliance. By instilling a culture of compliance within your practice, you not only protect patient information but also mitigate the risk of legal consequences associated with HIPAA violations. 3. Cyber Liability Insurance While prevention and compliance measures significantly reduce the likelihood of a cyber incident, it is crucial to acknowledge that no system is entirely impervious to attacks. Cyber Liability Insurance acts as a safety net in the event of a security breach, providing financial assistance to cover the costs associated with the aftermath. Make sure your comprehensive cyber liability insurance policy includes business income coverage, forensic investigation costs, public relations costs, as well as third-party liability. A great example of this is the Coalition Insurance policy sold by insurance broker Healthcare Professional Insurance Services (www.joinhpis.com) The average cost of a cyber-attack has surged in recent years to almost $400,000 per location and an average of 9 closed business days, making Cyber Liability Insurance an indispensable component of a comprehensive cybersecurity strategy. Having this safety net allows practices to recover more swiftly and continue providing uninterrupted services to patients.