ABYDE FOR NORTH CAROLINA MEDICAL SOCIETY MEMBERS

It's time for stress-free compliance.

Request a demo
  • EASIEST SOFTWARE YOU’LL EVER USE

    And if we’re being honest, easy is an understatement. All companies say it, but we are so confident in the simplicity of our software that we will prove it.

  • ‘HANDS OFF’ APPROACH

    We automate it all – from notifications about training to policy generation. Can you imagine not having to set your own reminders?! Go ahead, focus on your patients – we will ping you with the important stuff.

  • CUSTOMER SUCCESS TEAM LIKE NO OTHER

    We will meet you where you are – whether that’s by phone, chat, or email. It’s tough stuff in the tech space, but our customers love us as much as we love them.

  • STATE BY STATE, LAW BY LAW

    No matter what state your practice is in, our solution is for you — from sea to shining sea. We know our stuff and dedicate ourselves to staying on top of the latest state and federal changes so you don’t have to.

  • MORE THAN JUST SOFTWARE

    With us, you get more than policies and software. We offer Master Classes, newsletters, and more to keep you up to date. At the end of the day, we are proud to lead with education.

"The toughest part of HIPAA is complying with the rules. Abyde’s step by step system removes the complexity and therefore the worry of complying with the rules. Plus, Abyde reminds me to stay up to date, keeping me in continual compliance!"
Dr. Robert Bass
"The ease of the Risk Assessment is definitely my favorite. Abyde is very good at keeping us on track. The training programs are great as well."
Brenda Anderson
"I love how Abyde continually sends notifications to update information so we can stay current with all compliance issues. Above all, you will not find a more economical choice that provides all of the resources needed for compliance in your medical practice."
Amy Rogers
Previous
Next

LATEST COMPLIANCE NEWS

Decoding HIPAA Investigation Letters

Decoding the HIPAA Investigation Letter: What to Expect and How to Respond

February 17, 2025 Welcome to the second installment of Abyde’s HIPAA Investigation Survival Series. We’ve reviewed the initial breach, which usually sparks an investigation. Still, the actual start of an investigation is when a practice receives an official investigation letter. The investigation letter is usually sent by mail to a practice. However, depending on what information the Office for Civil Rights (OCR) has, this letter could also be sent by email. Knowing how to read and understand a HIPAA investigation letter is vital to the success of your practice. What’s in an Investigation Letter? A HIPAA investigation letter might be overwhelming to receive at first, but it’s important to keep calm. Getting a letter doesn’t necessarily mean you’ll be fined. It is solely a data request from the OCR if you can prove your due diligence in protecting patient data. An investigation letter begins with official letterhead from the Department of Health & Human Services—OCR. It will also provide an OCR Transaction Number, which will be used in all communications regarding this situation. This letter will also include the contact information for the OCR investigator assigned to your case. The letter will begin with the current information presented. For example, if the OCR receives a breach report about a stolen device, it will be mentioned alongside potentially violated HIPAA legislation due to that breach. The first part of the letter sets the scene for what the OCR currently has information about. The second part of the letter is the data request form. In addition to the information previously shared in a breach report (or what was provided by a patient complaint), the OCR requires more information about your current practices regarding securing Protected Health Information (PHI). As stated in the previous installment of this series, sometimes breaches happen, no matter how many precautions your practice takes. Your practice being breached is not the reason for a fine, but your practice’s inability to showcase adequate safeguards in place is. The OCR can and will ask thorough questions. The data request will ask you to provide proof of the compliance standards you have in place. Common questions include proof of an up-to-date and accurate location-specific Security Risk Analysis (SRA), what safeguards you have in place (encryption, antivirus, access logs, etc.), and training completed by staff. These questions all depend on the situation, but overall, they will ask about preventative measures taken, how the situation was handled, and what your practice is currently doing to avoid a similar breach. After the initial questions, the OCR will provide instructions on correctly submitting documentation. The documentation can be sent electronically (and must be encrypted if there’s any PHI) or through mail to the investigator. The letter then concludes with potential enforcement. Potential enforcement includes monetary fines, government monitoring, and, depending on the severity of the violation, criminal time. What’s Next? Upon receiving the letter, it’s time to gather documentation. The timeline documentation that needs to be received is also included in the initial letter. Most often, documentation must be returned to the investigator within 30 days of receiving the letter. Following the initial submission, more documentation might also be requested, so it’s vital to answer the questions thoroughly and provide as much information as possible. Due to how serious a HIPAA investigation is, it’s important to outsource HIPAA compliance for your practice. By having a third party assist in your compliance program, like a smart software solution, you can also be provided a team of compliance experts for support throughout an investigation. By working with a team, their experience is vital to navigate an investigation. To learn more about getting compliant for your practice, schedule a consultation with one of our experts today. To visit our first installment of this series, which is focused on the breach, please visit here.

Read More »
How to Mitigate a HIPAA Breach

Is Your Practice Prepared for a HIPAA Breach?

February 10, 2025  Welcome to Abyde’s HIPAA Investigation Survival Series. HIPAA investigations can last for years, making it one of the most stressful experiences a practice can endure. It’s vital your practice understands the investigation process. The first step of the HIPAA investigation is the breach itself. Experiencing a data breach is pretty common in healthcare and can affect organizations of all sizes. For example, the Change Healthcare breach, a subsidiary of UnitedHealthcare, exposed at least 100 million patients’ data. While they might be common, it’s still your practice’s responsibility that the proper precautions are put in place to mitigate risks. What is a Breach? A breach is any impermissible disclosure of Protected Health Information (PHI) without authorization. PHI is data that can individually identify a patient, including information like Social Security numbers, birth dates, medical records, and more. Healthcare faces significant data breaches due to various threats, including stolen computers and unauthorized access. However, the largest threat by far comes from ransomware and cybercrimes. Ransomware reports to the Office for Civil Rights have increased 264% in the last five years. Ransomware can infect systems through several channels, like email. Successful phishing attempts are the most common way malicious actors hack healthcare systems. That’s why it’s imperative to provide proactive training to staff, ensuring they are aware of common phishing scams and how to handle spam emails when they arrive, such as forwarding them to IT or immediately sending them to spam. If my practice is breached, what do I do? If your practice is breached, handling the situation calmly is important. Time is of the essence when it comes to HIPAA breaches, with every second pivotal for a hacker to leak more information. When becoming aware of a HIPAA breach, your practice must take the infected device offline and review the scope of the hack. In situations like these, Based on the size of your organization, it’s important to have an in-house or outsourced IT team to navigate you through the technical process. A breach report needs to be filed as well. This can depend on the size of the breach, with breaches impacting less than 500 needing to be filed within 60 days from the end of the year and large breaches, or 500+, needing to be reported to the OCR within 60 days of discovering the breach. This report needs to be filed here. The state where a breach occurs is a crucial factor, as some states have stricter requirements, including shorter timelines. In either situation, affected patients need to be notified. Under the Breach Notification Rule, patients must be notified within 60 days of discovering the breach. For large breaches, media notice is required, usually in the form of a press release, to ensure impacted patients are aware their health information was put at risk. Once again, depending on the state, different parties, like the State Attorney, need to be notified. What’s Next? The OCR may investigate your practice to ensure you had the proper protocols in place before and if the response after a breach is sufficient. This investigation would take place after breach recovery efforts are completed, such as restoring systems and notifying the necessary parties. A common misconception is a HIPAA fine is due to a cyber attack. Sometimes, breaches occur no matter how many safeguards you have in place. Fines are levied on practices that did not take the proper precautions before an event, such as training staff, having antivirus software, or having a Security Risk Analysis (SRA) in place. The fine is not due to the breach itself, but it triggers an investigation, where fines can be levied for lack of preventative measures. During an investigation, the government looks to see that your practice has taken steps to mitigate and prevent cybersecurity issues before they escalate into a breach. That’s why it’s imperative to implement protective measures for your practice before a breach occurs. Getting compliant can be overwhelming, but with the right tools, you can easily streamline your HIPAA program. Smart software solutions can serve as a comprehensive compliance hub, allowing you to see your practice’s vulnerabilities and offer steps to fix them. To learn more about HIPAA compliance for your practice, meet with a compliance expert today. Read the second installment of the series, focused on the HIPAA Investigation letter here. 

Read More »
Read more

READY TO BE STRESS-FREE?

schedule a demo