BA

iHealth Solutions HIPAA Fine
Fines, HIPAA

Firewall Fireworks: iHealth Solutions Wrapped in $75,000 Worth of Red, White, and Blue Compliance Flags

June 28, 2023 Comments Off on Firewall Fireworks: iHealth Solutions Wrapped in $75,000 Worth of Red, White, and Blue Compliance Flags

June 28, 2023 The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has decided to celebrate the 4th of July a bit differently this year. No, they’re not hosting a BBQ or a picnic. Instead, they’ve resolved a blazing inquiry with iHealth Solutions, a Kentucky-based firm providing a whole array of IT services to healthcare providers, including coding, billing, and onsite IT support. Like leaving the fireworks out in the rain before the big show, iHealth Solutions committed a significant faux pas by allowing the protected health information of 267 people to be as unguarded as a picnic basket at a bear convention.  “HIPAA business associates must protect the privacy and security of the health information they are entrusted with by HIPAA-covered entities,” said OCR Director Melanie Fontes Rainer. “Effective cybersecurity includes ensuring that electronic protected health information is secure, and not accessible to just anyone with an internet connection.” In 2017, the sparklers were lit when a report emerged stating that iHealth Solutions had experienced an unauthorized transfer of protected health information from its unsecured server. This information wasn’t just your average email addresses and phone numbers – the information included confidential information, including patient names, birth dates, Social Security numbers, diagnoses, treatment information, and medical histories. The investigation detected a potential failure on iHealth Solution’s part to adequately assess risks and vulnerabilities to electronically protected health information across the organization. So, what’s the big *BANG* at the end of this fuse? A pretty hefty $75,000 civil monetary penalty, paid to OCR by iHealth Solutions. The company also agreed to a corrective action plan which includes several measures to ensure the protection of electronic protected health information. These steps include conducting a thorough analysis to identify risks and vulnerabilities, implementing a risk management plan, evaluating changes that affect the security of information, and revising HIPAA policies and procedures as required. As a finale, iHealth will be under the watchful eye of OCR for two years, ensuring its compliance with the HIPAA Security Rule. Abyde helps organizations avoid catastrophes precisely like this one. Abyde is like the super-organized neighbor who prepares for the 4th of July celebrations months in advance, ensuring everyone’s safety and enjoyment. They’re not in the business of barbecues and fireworks but rather in making HIPAA compliance as smooth and worry-free as a classic American apple pie. So, as we celebrate our independence this July 4, let’s remember that freedom should never come at the expense of our security, especially when it involves our personal health information. Here’s hoping your barbecues are hot, your fireworks are safe, and your servers are secure!

Best Practices, HIPAA

Outsourced Doesn’t Mean Overlooked

January 26, 2023 Comments Off on Outsourced Doesn’t Mean Overlooked

January 26, 2023 We get it. The hiring market is tough out there right now and when your main goal is providing the best experience for your patients, you will do whatever it takes to build a strong team. But before you go sailing the high seas to find your next hire, you might want to make sure they’re paddling in the same direction.  Are you considering outsourcing job roles to agencies that employ individuals in other countries? A company’s location and where its employees are located doesn’t necessarily mean they are or are not HIPAA compliant. As a practice, you are responsible for checking the company’s policies and procedures of any company you hire to ensure that they comply with all relevant regulations. If an organization outsources any function that involves access to PHI, it must have a written contract with the Business Associate. Here are some questions we recommend asking prior to working with an outsourced company: Let’s make sure all eyes are on the same prize – HIPAA compliance. Still not sure if you’re asking the right questions? Give us a buzz and we will walk you through the most important processes and policies to follow.

Why You Need a Business Associate Agreement
Best Practices, Business Associates, HIPAA

When & Why You Need a Business Associate Agreement

April 20, 2021 Comments Off on When & Why You Need a Business Associate Agreement

April 20, 2021 We’ve all heard the saying ‘sharing is caring’ but sometimes doing a good deed could actually steer you into some consequences later down the road. Let’s say, for example, you just loaned your car to your best bud whose “quick trip to the store” actually consisted of running red lights and racking up parking tickets. Though you might not have been the one in the driver’s seat – your name will be the one on all of the lovely fines that wind up in your mailbox, not your BFF’s. Now you’re probably wondering where we’re going with all of this. And while cars and protected health information (PHI) might not have a whole lot in common, it goes to show how certain situations in life require additional precautions to minimize the risk of being responsible for another’s wrongful actions. This idea rings especially true when it comes to working with and sharing something as valuable as sensitive health information. HIPAA law provides a pretty specific roadmap for how your practice should be safeguarding PHI and outlines certain standards that if not met – could result in a hefty fine. But with all the government requirements, advancements in technology, and changing patient needs – it’s impossible today to run a practice without the help of third-party vendors. So whether it be an outside medical billing company, IT support, or document shredding company – any vendor that comes into contact with PHI is a business associate (BA) of your practice and requires their own set of directions for proper handling.  Just as covered entities have obligations under HIPAA law, so do business associates – with one of the most important being a documented and signed Business Associate Agreement (BAA). A BAA is essentially a written agreement between your organization and the business associate, specifying each party’s responsibilities when accessing and maintaining PHI and it offsets the liability so that your practice can take a backseat if any incidents were to occur.  As you probably wouldn’t hand over your keys to just anyone without laying down some ground rules first, the same goes for providing access to patients’ sensitive health information. Like most contracts, the terms and conditions in a proper BAA can be pretty lengthy and may vary based on the type of vendor you’re working with – but here are some of the basic HIPAA requirements that should be outlined:  Permitted uses and disclosures of PHI Specific safeguards that the BA is expected to establish Breach Notification requirements Policies and procedures for providing PHI access at your practice’s or patient’s request Business Associate Training requirements Guidelines for how PHI should be returned or destroyed upon termination of the BAA Meeting all the requirements for what should be included in a BAA is just the first stretch of the drive, and something we’re often asked is, “What if one of my vendors refuses to sign?” Given the fact that having a signed BAA with all vendors you work with is a HIPAA requirement, it’s probably a good idea to put the brakes on any working relationship with a vendor who can’t agree to your terms and conditions. Just last year a medical practice found itself a victim of a HIPAA hit and run after filing a breach report stating that their EHR company was blocking access to the practices’ ePHI in exchange for $50,000 to be paid by the practice. While it might seem pretty obvious that the business associate was the driving force of the incident, because there was no BAA in place – the $100,000 in damage fell solely on the provider.  A Business Associate Agreement not only lays out the rules of the road for how PHI should be handled but holds the BA directly liable for any non-compliance that happens when they’re behind the wheel. Having a proper agreement in place with each and every vendor you work with ensures that they’re best protecting your patients’ PHI and means that your practice can steer clear of the hefty HIPAA fines if they don’t.

Business Associate Exposes 6 Million Records
Business Associates, Fines, HIPAA

OCR Drops Another HIPAA Fine, Business Associate Exposes 6 Million Records

September 23, 2020 Comments Off on OCR Drops Another HIPAA Fine, Business Associate Exposes 6 Million Records

September 23, 2020 The Office for Civil Rights has been dropping fines left and right in the last week, releasing their 7th (and largest) HIPAA settlement earlier today and bringing their running total to seven fines in just 8 days. The latest violation came with a hefty payout of $2.3 million as well as an extensive 2-year corrective action plan – and not to mention a whole lot of apology letters to write.  The lucky winner of the latest HIPAA settlement is CHSPSC LLC, a business associate who serves a number of hospitals and clinics owned by Community Health Systems, Inc out of Tennessee. You may be thinking, “well no biggie, I’m a covered entity not a business associate so that wouldn’t be me,” but the 6 million+ patients affected and the reasons the OCR gave for levying a fine would beg to differ. Just like any covered entity might be, this business associate was the victim of a cyberattack that even after alarms were raised went unmitigated for months. As if that wasn’t enough, the OCR investigation discovered long standing non-compliance with the HIPAA Security Rule ultimately landing the business associate at the top of the most expensive 2020 fines list. On April 10, 2014, CHSPSC’s information system was infiltrated by a threat group that went unnoticed until the company was notified by the FBI 8 days later. The hackers continued to have a field-day, accessing the sensitive data for 4 months after the initial attack. CHSPSC’s continued disregard for implementing the necessary security protections required by HIPAA even AFTER receiving federal notice was described by OCR Director, Roger Severino, as “inexcusable”. The cyberattack affected 237 different covered entities served by CHSPSC and withdrew the PHI of 6,121,158 individuals including everything from names and birthdays to emergency contact information and social security numbers.  As if over 6 million patients records being taken wasn’t bad enough, an OCR investigation into the business associate found several gaps in their compliance program including:  It doesn’t matter whether you’re a healthcare provider, business associate, or just the average joe – falling victim to a cyberattack is fair game. Because business associates require the same HIPAA safeguard requirements as covered entities, no matter who gets hacked the OCR is looking for the same requirements and can hand out the same fines for either type of health related entity.  For providers especially, entrusting your patients sensitive data to your business associates comes with added risks. In this case, 237 covered entities had to find that out the hard way. While there’s no way to be 100% in the clear from things like cyber attacks, having the proper business associate agreements in place at least takes the liability of an incident off your practice’s hands. If you had been one of those 237 entities affected here, lack of an agreement could have put your practice on the same chopping block as CHSPSC. 

Who Qualifies as a Business Associate?
Business Associates, HIPAA

Who Qualifies as a Business Associate?

May 8, 2020 Comments Off on Who Qualifies as a Business Associate?

May 8, 2020 As a business owner, you know there are a lot of elements that go into running a successful healthcare practice. It’s common to have third-party companies assist with everything from accounting, to document disposal, to managing remote operations through cloud sharing and telehealth services. These vendors may be a big part of keeping your practice running smoothly. While you may already do a fantastic job of checking your contracts with these vendors – your terms of service, payments, etc. – where many practices fall short is in reviewing your vendor’s obligations to protect your sensitive patient information. As a healthcare provider, your practice functions as a covered entity, and any vendor that comes into contact with PHI in the process of working with your practice becomes a Business Associate (BA). Not all companies that your practice hires come into contact with PHI, so how do you know who exactly qualifies as a Business Associate? The HHS defines a Business Associate as any organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Some examples of Business Associates include: Once you determine who is considered a Business Associate to your practice, you must then institute formal agreements to ensure your practice and your third-party vendors are properly protecting the security of your patient information. This agreement highlights the specific elements of HIPAA compliance that should be followed by both you and each of your Business Associates, including: Even if a vendor comes into contact with your PHI only once, it’s better to play it safe and have the proper agreements in place – just that one instance could be the catalyst for a breach of PHI.  Not having the proper Business Associate agreements in place has been the cause of hundreds of HIPAA violations. One case, in particular, cost a medical practice in Utah a $100,000 settlement on top of a two-year corrective action plan. The practice filed a complaint against their EHR company who allegedly had been blocking access to patients’ ePHI. Although it might seem like the practice was a victim in this situation, the OCR found that there was no Business Associate Agreement in place – leaving the liability solely on the practice’s shoulders.  Data breaches, cyber-attacks, and improper handling of PHI can happen to your practice at any time as well as the companies you work with – especially when operating remotely or bringing on new vendors to help manage operations. Ensuring that you have the proper agreements in place is vital in not only protecting your patient data but offsetting the liability of your practice in the case of a breach. A software solution like Abyde makes this process a whole lot easier with a Business Associate Portal that automatically generates formal agreements with all the proper policies and procedures in place – taking the stress of HIPAA compliance off you and your vendors.

Missing Business Associate Agreements HIPAA Fine
Fines, HIPAA

Missing Business Associate Agreement with EHR Vendor Leads to $100,000 Fine

March 3, 2020 Comments Off on Missing Business Associate Agreement with EHR Vendor Leads to $100,000 Fine

March 3, 2020 Announced today, a medical practice in Utah has come to a $100,000 settlement with the OCR for their failure to meet HIPAA requirements under the Security Rule. The practice of Steven A. Porter, M.D. received the $100,000 monetary settlement in addition to submitting to a corrective action plan over the next two years after a breach report led to the OCR’s investigation of the practice’s HIPAA compliance program.  The investigation began after the practice filed a breach report regarding a complaint against a Business Associate of the practice’s EHR company. The Business Associate (BA) was blocking access to the practices’ patient’s electronic protected health information in exchange for $50,000 to be paid by the practice.  While the original complaint was against the BA, once the investigation was initiated by the Office for Civil Rights, it was the practice that found themselves in the government’s crosshairs. Within the compliance review, the OCR had found that the practice had failed to do the following:  Unfortunately for the practice, their lack of proper safeguarding and documentation of compliance cost them a hefty fine and put their patient’s PHI at risk. This breach, and corresponding financial settlement, highlights that even when working with typical healthcare vendors, such as EHR providers, the right Business Associate Agreements and HIPAA-compliant policies are required to prevent impermissible safeguarding or access to PHI. OCR Director, Roger Severino, included a statement in the HHS press release regarding the incident. “All health care providers, large and small, need to take their HIPAA obligations seriously, the failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the healthcare industry.” This fine follows a recent article highlighting the OCR’s focus on “low hanging fruit” and commitment to address an ongoing lack of HIPAA compliance among covered entities. As these violations continue to see costly outcomes, it is more important now than ever to ensure your practice has a full HIPAA program in place. 

Concerned about HIPAA & OSHA compliance requirements in 2025? Join our live webinar for expert answers to the most common questions to ensure your practice is protected.

REGISTER TODAY
X