Legislation

Privacy Rule HIPAA
HIPAA, Legislation

HIPAA Building Blocks: The Privacy Rule

November 24, 2020 Comments Off on HIPAA Building Blocks: The Privacy Rule

November 24, 2020 Implementing a complete HIPAA program is kind of like assembling a piece of furniture from IKEA – there’s lots of different pieces and little direction when putting it all together. Even if you’re a master IKEA-assembler, HIPAA is a whole extra level of confusion, and breaking it down into the basics can help make things a little less stressful.  The first step in building a complete HIPAA compliance program is to start with the base – the HIPAA Security Rule. Once you have a sturdy foundation made up of all of the proper documentation and required safeguards, it’s onto step number two: otherwise known as the HIPAA Privacy Rule. Many of the nuts and bolts of HIPAA law are built into the HIPAA Privacy Rule, which provides strong privacy protections to safeguard sensitive patient information and ensure patients have proper access to their own medical records. Thanks to the Privacy Rule:    Record access and privacy are the basic goals behind the Privacy Rule, but the second piece of the rule includes an extensive list of ongoing compliance requirements, such as:  Just like opening up that new box from IKEA, taking on a complete HIPAA compliance program can feel overwhelming. However, Privacy Rule complaints continue to roll in to the Office for Civil Rights (OCR) and patient right of access violations have become an increasing point of OCR focus since 2019 – making compliance with the Privacy Rule a top HIPAA priority. Now unless you’re a DIY enthusiast, you might opt for new furniture that doesn’t come in a 1,000 different pieces. Choosing a pre-assembled option instead saves you time, energy, and headaches – and the same can be said of HIPAA.  Choosing a HIPAA compliance software like Abyde lets you fill in a few quick areas to get your program up to speed, instead of having to build each piece from scratch. In less than an hour, and with far less headaches, you can get everything you need to be compliant, and so much more. The best part? There’s no need for an instruction manual – Abyde has real people ready and waiting to help walk you through the process and make sure you aren’t missing any important pieces (like finding that missing screw from step 7 on step 28) along the way. 

21st Century Cures Act
Legislation

The 21st Century Cures Act: What Your Practice Needs to Know

September 24, 2020 Comments Off on The 21st Century Cures Act: What Your Practice Needs to Know

September 24, 2020 Technology is increasingly at the heart of healthcare, and navigating all this new technology, including providing the right electronic access to protected health information (PHI), to the right people, can be headache-inducing. The cure? The recently passed 21st Century Cures Act (see what we did there?) which provides new requirements and guidance around the exchange, access, and use of electronic protected health information (ePHI). The Cures Act’s requirements are set to go into effect on November 2, 2020 – read on for what your practice needs to know before then.  What is the Cures Act, anyway?  A complement to existing HIPAA laws, the Cures Act is designed to further outline how practices and healthcare app providers should be navigating the balance between providing patients access to their ePHI while maintaining their data privacy and security.  In short, it provides patients clear access to their data – in the ways they choose to receive it – while outlining clear requirements for providers and app developers to promote patient access and prevent information blocking all with the right technical safeguards to protect health information. So what’s changed?  The Cures Act does make some specific changes that may affect your healthcare operations, including: What do I need to do about it? The final rule establishes additional policies that supplement existing HIPAA programs. To best comply with these new requirements, your practice should: The biggest takeaway from all this? HIPAA. Doesn’t. Change. All the same safeguards and policies you have in place still apply under the Cures Act – they are just supplemented by new ways to better use patient data and prevent information blocking. These new standards of innovation mean that patients can soon access their medical records on hand (literally) through their app of choice, and will continue to pave the way for HIPAA to interact with advancing technology.  You can read more on the Cures Act by visiting the ONC Cures Act website, or reading through the full Cures Act final rule text (if you do, we would be seriously impressed – but before you read all 320 pages, know that the Abyde team is here to help translate all this legal-ese into something that actually makes, well, sense.)

State Laws vs HIPAA
HIPAA, Legislation

State Laws vs HIPAA – What You Need to Know

June 8, 2020 Comments Off on State Laws vs HIPAA – What You Need to Know

June 8, 2020 When it comes to regulations surrounding the privacy and security of health information, federal HIPAA laws are typically the golden rules to follow. But did you know that many states have their own laws surrounding patient rights, data privacy, and medical records which sometimes overrule the federal guidelines? These state laws either predate the enactment of HIPAA or were passed to create stricter safeguards and typically focused on technology use. We understand HIPAA laws are confusing, and ensuring that you’re following the rules only becomes a little harder when it’s not crystal clear which rules are the ‘right’ ones.  It’s important to note that when HIPAA laws and state laws go head to head, HIPAA typically comes out on top. But like most things, there are some exceptions to the rule where the state law takes precedence. These specific instances include:  In HHS’ own words, “HIPAA provides a Federal floor of privacy protections for individuals’ individually identifiable health information,” basically meaning that any laws that are viewed to be ‘weaker’ than HIPAA regulations will be overruled. State laws will also be overruled if they contradict a HIPAA law. It’s not always easy to determine which laws are stricter and there are many areas of overlap between HIPAA regulations and state-specific laws. To try and give some clarity, here are some topics that commonly conflict each other:  Source: healthinfolaw.org As data privacy has become an increasing topic of concern, individual state’s as well as the federal government have been enacting stricter policies on matters that concern the security and privacy of electronic health information. More recently, events such as the COVID-19 public health emergency have been a catalyst for updating regulations to best meet the changing needs of the public. And as HIPAA laws, as well as state laws, have been under constant update, it’s harder for practices to keep up. We know that HIPAA alone is confusing, especially when you add in state-specific rules and regulations, which is why Abyde dynamically generates policies and procedures specific to your practice and the state you’re located in if applicable. With Abyde you don’t have to worry about reading through pages of laws, determining whether there are any contradictions, and figuring out which law preempts the other – we’re here as your HIPAA experts to help do so for you! While we know HIPAA like the back and maybe even front of our hand, there may be laws outside of HIPAA that impact your practice and overall operations – this blog article shouldn’t be considered legal advice, and we always recommend consulting with a legal team regarding your practice’s legal needs!

HIPAA During COVID-19
HIPAA, Legislation

Business Associates & Relaxed HIPAA Regulations During COVID-19

April 8, 2020 Comments Off on Business Associates & Relaxed HIPAA Regulations During COVID-19

April 8, 2020 The Office for Civil Rights (OCR) has been very active this past month, going above and beyond to help mitigate the risk COVID-19 poses to public health privacy. Certain HIPAA regulations were updated in March to allow for health care practices to better work with patients in need of healthcare services as well as providing guidance on how to best disclose PHI without risk of a data breach. In their latest announcement, the Office for Civil Rights has extended the same enforcement discretion to Business Associates. When it comes to Business Associates handling PHI, there are obviously strict limitations to follow for the sake of still maintaining patient privacy. As clearly stated in the recent OCR bulletin, business associates are expected to follow the same guidance provided for health care providers when accessing or disclosing PHI during a public health emergency.  Previously, these disclosure permissions were only allowed if expressly stated within the Business Associate Agreement with the BA’s covered entity. In light of the current situation, there is a greater need to easily provide public health authorities and emergency operation centers with access to COVID-19 related PHI and this bulletin reinforces the Business Associates’ ability to share that information securely. Violations of certain provisions of the HIPAA Privacy Rule will not be imposed during this time, if and only if: While this notice provides business associates with greater flexibility than some Business Associate Agreements allow for, that doesn’t mean that BAAs no longer matter. It should be noted the relaxation of enforcement does not extend to any other requirements under HIPAA law, and business associates will still be held liable for any violations outside of this circumstance – provided of course a BAA is in place.  As a reminder, a Business Associate Agreement allows the covered entity to obtain “satisfactory assurances”  that the business associate will “appropriately safeguard the protected health information it receives or creates on behalf of the covered entity.” This definition, straight from the HHS website, encompasses the need for BA’s to agree in writing to the same standards the covered entity is held to. A BAA must be completed with any vendor or organization the practice sends or receives any piece of PHI from. Without a proper agreement in place, the liability of this security breach will fall on the healthcare provider.   Contrary to what most might think, HIPAA really is here to help encourage providing access to and sharing of PHI as long as it is done in the right ways and for the right reasons. OCR Director Roger Severino makes this abundantly clear in his statement following the updated bulletin stating, “Granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives.”  This latest bulletin is just additional proof that HIPAA compliance is of the utmost importance during the COVID-19 public health emergency. All eyes right now are on data being shared between multiple government agencies like the HHS, CDC and even the White House. With secure and efficient access to real-time data, those organizations will be enabled to make educated decisions on how to best interpret and utilize the sensitive data received and, in turn, secure the well being of the public at large. We find it extremely comforting to know that by following the OCR’s recent HIPAA guidance, providers and business associates alike can play their part in stopping the spread of COVID-19.

COVID-19 Updates to HIPAA & Telehealth
HIPAA, Legislation

Updates to HIPAA & Telehealth During COVID-19

March 18, 2020 Comments Off on Updates to HIPAA & Telehealth During COVID-19

March 18, 2020 Amidst the current national public health emergency for COVID-19 or the Novel Coronavirus, the OCR has released a bulletin regarding the increased use of telehealth services among the medical community. In addition to the bulletin, during a press conference held yesterday, the OCR acknowledged the need for healthcare providers to seek remote communications with their patients and understand that these technologies may not be fully compliant with standard HIPAA regulations. “We are empowering medical providers to serve patients wherever they are during this national public health emergency.” OCR Director Roger Severino emphasized in a statement, “We are especially concerned about reaching those most at risk, including older persons and persons with disabilities.”  Under this update, any healthcare provider has the ability to use any non-public remote communication technology to provide telehealth services. This enforcement discretion applies to telehealth services needed for any reason, not strictly for the diagnosis or treatment of the COVID-19 related health conditions. During this time, the OCR will not impose violations for any noncompliance against healthcare providers under the good faith provision of telehealth during this national emergency.  This provision also allows healthcare providers to defer to their own judgment in requesting to examine a patient showing potential COVID-19 symptoms using technology such as video chat applications. This allows providers to assess a larger number of patients as well as limit the risk associated with being exposed to the virus during an in-person consultation. The telehealth services can be provided on any non-public facing communication applications without facing noncompliance penalties. Some acceptable applications include: Other similar video communication methods such as Facebook Live are considered public-facing and should not be used in the provision of telehealth. Health providers can seek additional privacy protections by providing telehealth services through technology vendors that are HIPAA compliant. They can enter into business associate agreements with these vendors in the provision of their video communication products. Some of the vendors that offer HIPAA-compliant video communication services include: While there will not be any enforcement of HIPAA noncompliance for providers choosing to utilize these methods of communication, it is important to still understand the security risks associated. The OCR recommends that providers notify patients when using these third party applications for these services as they potentially introduce privacy risks and any available encryption and privacy settings should be implemented during use. If as a provider you already have a HIPAA-compliant and secure telehealth application, it is still recommended to use the most secure application available to you.  Even during a public health crisis, HIPAA law still applies and includes specific caveats for sharing PHI in such an emergency. Read our blog article on Handling HIPAA During Public Health Emergencies for more information.  

HIPAA in Public Health Emergencies
HIPAA, Legislation

How to Handle HIPAA in Public Health Emergencies

February 6, 2020 Comments Off on How to Handle HIPAA in Public Health Emergencies

February 6, 2020 Wondering how your practice needs to handle HIPAA privacy when it comes to public health emergencies, like the recent Novel Coronavirus outbreak? Read the OCR’s tips below! As the Novel Coronavirus (2019-nCoV) outbreak continued to make news, the Office for Civil Rights (OCR) sent a recent bulletin out including additional information for how to handle PHI and how the HIPAA Privacy Rule should be applied with regard to public health emergencies such as this one. Even in public health emergencies, covered entities (as well as business associates) are still expected to adhere to HIPAA regulations and safeguard the security and privacy of their PHI consistent with HIPAA law. Here’s a few key takeaways from the OCR bulletin that your organization should remember: As a reminder, all PHI disclosures even in these circumstances should be limited to the minimum information necessary, including continuing to adhere to role-based access for internal employees. If a public health agency such as the CDC requests information, all requested information should be treated as the minimum necessary for the public health purpose.

Are you prepared to navigate a HIPAA compliance audit? Join experts for a live webinar with real audit scenarios and outcomes.

REGISTER TODAY
X