January 26, 2023 We get it. The hiring market is tough out there right now, and when your main goal is providing the best experience for your patients, you will do whatever it takes to build a strong team. But before you go sailing the high seas to find your next hire, you might want to make sure they’re paddling in the same direction. Are you considering outsourcing job roles to agencies that employ individuals in other countries? Where a company and its employees are located does not by itself make them HIPAA compliant or non-compliant. As a practice, you are responsible for reviewing the policies and procedures of any company you hire to ensure that they comply with all relevant regulations. If your organization outsources any function that involves access to PHI, you must have a written contract (a Business Associate Agreement) with that vendor before they touch any patient data. Here are some questions we recommend asking prior to working with an outsourced company: Let’s make sure all eyes are on the same prize – HIPAA compliance. Still not sure if you’re asking the right questions? Give us a buzz and we will walk you through the most important processes and policies to follow.
Brushing & Flossing Are Important to Your Practice, Too
January 19, 2023 You know the drill, no pun intended. The hygienist finishes a cleaning and hands the patient their goody bag full of all the fun things, including a toothbrush and dental floss. While this has become the norm for the practice and the patient, there is a good reason for it. Hygienists are taught to preach good oral hygiene, and it’s no secret that most patients who brush and floss regularly will experience better oral health and require less invasive treatment down the road. But what about those patients who don’t follow the advice or over time fall out of best practice? Yes, we’re looking at you, guy who only flosses the night before his appointment. The patient is typically aware of their intermittent compliance, but since they are asymptomatic, they continue hoping for the best and vow to do better after the next cleaning. Then, as it usually does, life happens and they cancel their next cleaning. With the best of intentions, they plan to reschedule but keep forgetting. Disease begins to take hold. If the patient is fortunate, they return to the office before the issue is too serious and it can be resolved with a relatively simple treatment plan. Those less fortunate may require more involved and expensive procedures. So you’re probably wondering by now, how does any of this tie back to Abyde, a healthcare software company? Well, we’ve brought in one of our Abyde Ambassadors to tie it all together. Michael Wilgus shares his experience from the last 20 years in the industry. “Ironically, I have seen a similar scenario in hundreds of practices regarding HIPAA and OSHA compliance. A practice starts out with positive intent and implements what they believe is a strong and complete compliance program. Things get busy, there is turnover, and compliance gets pushed to the back burner. 
When violations or inspections occur (because they are not an if situation), they are usually due to a knowledge gap or are accidental, and may even be asymptomatic to the practice owner.” With HIPAA, if an event is reported, the Office for Civil Rights (OCR) may choose to impose a corrective action plan (think treatment plan) on the practice. That plan can be expensive and time-consuming, and it typically involves OCR monitoring your progress regularly for an extended period. The U.S. Department of Labor isn’t missing out on the fun either. It is actively ramping up its OSHA program by hiring more investigators and expects its budget to increase by 14.7%, from $612 million in fiscal year 2022 to $701 million in 2023. The average penalty levied on a dental practice in 2022 for a HIPAA violation was measured in the tens of thousands of dollars; one estimate puts it at approximately $45,000. Sacrificing the net revenue from months’ worth of crowns is something most practices cannot afford. When it comes to OSHA, the punch-to-the-gut penalties are nothing to chuckle at, and the dollar amounts were recently increased. Achieving and maintaining compliance with Abyde takes less time than a patient should spend brushing and flossing, and if we can humble brag for a minute – we make it easy and fun! Brushing and flossing are not only good for your patients but are also good for your practice. Ready to get your practice’s compliance hygiene up to par?
With the first settlement announcement of 2023, OCR selects…
January 4, 2023 We didn’t even make it through the first week of the new year before we saw the first settlement announcement. Yesterday, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announced a settlement with a Georgia full-service diagnostic lab. This is the 43rd enforcement action under the HIPAA Right of Access Initiative to date, and the third Right of Access settlement we have seen in the last month. The complaint was filed back in August of 2021, when a personal representative was unable to obtain a copy of her deceased father’s medical records. The lab did not provide the records until February of 2022; in total, it took seven months for the requester to receive them. The HIPAA right of access provision requires that patients be able to access their health information in a timely manner, generally within 30 days of the request. The lab agreed to pay $16,500 and implement a corrective action plan to resolve the investigation. The corrective action plan includes two years of OCR monitoring. OCR Director Melanie Fontes Rainer shared her thoughts: “Access to medical records, including lab results, empowers patients to better manage their health, communicate with their treatment teams, and adhere to their treatment plans. The HIPAA Privacy Rule gives individuals and personal representatives a right to timely access their medical records from all covered entities, including laboratories.” While we all have the same goal in common – to provide the best experience for our customers and patients – that goal isn’t limited to direct care. Ensuring that patients’ needs and requests are met is essential to the overall experience. From the first time they Google you all the way to a request for records, you are making an impression. And whether it’s the first impression or the last, don’t you want it to be a good one?
NEW YEAR’S RESOLUTION: BE COMPLIANT
December 22, 2022 The end of the year is right around the corner, and while you’re enjoying the festivities with friends and family (we love a good holiday tradition!), you might already be thinking about New Year’s resolutions. And if you are, props to you for not being a procrastinator. We bet your goals for the year may include eating healthier and learning a new skill, but what about getting compliant? Ensuring your organization is HIPAA and OSHA compliant should be a top priority for every practice – and it’s an easy goal to check off your list! Here are some quick tips to help you start the new year off on the right foot:

Complete your annual Security Risk Analysis and Facility Risk Assessment
This should be your top priority, as it is the first piece of documentation you will be asked for in the case of a HIPAA audit or OSHA investigation. The SRA sets a baseline for your organization by assessing all physical, technical, and administrative areas of risk and determining where your HIPAA program stands. Much like the SRA, the FRA is an assessment of your facility’s environment that will help to identify, minimize, and eliminate hazards in the workplace. Keep in mind that both the SRA and FRA must be documented and must be more than a generic checklist. They should provide you with actionable information and insights into all risks and hazards within your organization.

Complete annual HIPAA and OSHA training
All staff members, including doctors and part-time employees, must complete annual training. A best practice is to conduct training in a modular format with a quiz at the end so you have documentation to prove that training has been completed. When it comes to OSHA training, each facility is different, so you must incorporate site-specific training in order to address any site-specific hazards.

Update all Policies, Procedures, Programs, and Forms
This is a big one! Without proper documentation that accurately reflects all procedures within your organization, you are not considered to be compliant! If you have been using some templates you found online or have a dusty manual sitting on a shelf, this is your sign to trash it and update your policies to be practice-specific. Don’t forget to implement a plan to routinely review all policies with staff members so they are up to date with the latest information as well.

Get signed Business Associate Agreements
In order to be HIPAA compliant, build an inventory of every vendor you work with that has access to Protected Health Information (PHI). Some examples would include your IT vendor, EHR/PM system, and encryption provider. Once you have gathered all vendor information, double-check that you have a signed Business Associate Agreement with each of them. If you do, great! If not, be sure to reach out to them right away. If you don’t have a BAA in place with every vendor, then you run the risk of getting slapped with your own HIPAA fine if a breach occurs.

Update your Safety Data Sheets
When it comes to OSHA compliance, Safety Data Sheets are essential for tracking and managing any hazardous chemicals in the workplace. Make sure you have a Safety Data Sheet for any chemical which is known to be present in the workplace in such a manner that employees may be exposed to it under normal conditions of use or in a foreseeable emergency. The big takeaway here – these MUST be readily accessible to all employees. If you do not have a safety data sheet for a particular chemical, you should contact the manufacturer to obtain one.

And that’s it! If you follow these steps, there’s no doubt you will be in great shape when it comes to compliance. Still have questions or need help implementing a compliance program for your practice? Contact the experts (hey, that’s us!) at 800.594.0883 for all of your compliance goal-setting needs! 
While we might not be giving up Chick-fil-a, enrolling in a new gym, or even improving our culinary skills, our resolution always remains the same – make compliance the easiest part of running your practice.
A costly race against the clock
December 16, 2022 On Thursday, the HHS Office for Civil Rights announced a settlement with a Florida primary care practice over a violation of the HIPAA Privacy Rule’s right of access provision. This marks the 42nd case under the Right of Access Initiative to date and the second settlement this week. All the way back in mid-2019, a daughter, serving as personal representative, was attempting to retrieve her deceased father’s records. After multiple attempts, the practice failed to provide timely access. HIPAA’s right of access standard requires a covered entity to act on an access request within 30 days of receipt. The practice blew well past that window; the daughter received all requested records nearly five months after the initial request. OCR Director Melanie Fontes Rainer stated, “The right of patients to access their health information is one of the cornerstones of HIPAA, and one that OCR takes seriously.” The Florida primary care practice has since paid $20,000 to OCR under the settlement and is working to implement a Corrective Action Plan. The plan will be closely monitored over the next two years and includes updating, distributing, and training on all applicable policies and procedures. In the age of immediacy, there is no exception when it comes to patient record requests. When a patient requests access to their records, prioritize that request. You have 30 days to act, or you could face not only an OCR investigation but a big fine – one we bet costs far more than rearranging your priorities to put the patient first.
Fool me once, shame on you… Fool me twice, here’s a Corrective Action Plan
December 16, 2022 On Wednesday, the HHS Office for Civil Rights announced a settlement with a California dental practice over impermissible disclosure of patients’ protected health information (PHI). The settlement resolves potential violations of the HIPAA Privacy Rule arising from the practice’s use of social media to respond to patient reviews while disclosing protected health information. OCR Director Melanie Fontes Rainer stated, “This latest enforcement action demonstrates the importance of following the law even when you are using social media. Providers cannot disclose protected health information of their patients when responding to negative online reviews.” The practice agreed to pay $23,000 and to a Corrective Action Plan that will be monitored by OCR for the next two years. Under the CAP, the practice is responsible for updating and maintaining all policies and procedures to comply with the Federal standards that govern the privacy and security of individually identifiable health information. Additionally, all members of the staff must receive training on the updated policies and procedures within 30 calendar days of their implementation. This is the second offense for the same office in the last 5 years. In November 2017, OCR received a complaint regarding PHI impermissibly disclosed in online review responses. The protected health information included patient names, treatment, and insurance information. Through the investigation, OCR found other violations, including failure to provide an adequate Notice of Privacy Practices and failure to implement Privacy policies and procedures. As a word of advice from your HIPAA and compliance experts, review all PHI and Privacy Rule policies and procedures with any members of your staff who handle online reviews and social media responses. 
And while you’re at it, for those of you who may use a third party to handle reputation management, check those Business Associate Agreements, and remind them of our best practices.
Internal Communication Dos and Don’ts
October 6, 2022 Have you ever accidentally sent a text to the wrong person? Most of us have, and it likely made your heart skip a beat! Now, imagine sending a text and thousands of patients’ health information gets leaked. Talk about a gut-wrenching moment! Speaking of leaks, did you know that over 1.14 million people were impacted by a protected health information (PHI) breach last month alone? The leaked data includes names, social security numbers, phone numbers, email addresses, and more. That’s 7% higher than the previous September! Internal communications are an efficient means of sharing and exchanging information within the practice. Employees communicate internally through SMS, email, and phone calls, and through third-party platforms like Slack, Microsoft Teams, Zoom, and Cisco Webex. And while we like the thought of quick and easy, it’s crucial to take that extra minute or two and double check that you are using a secure provider for all internal communication. First things first: if you haven’t already done so, take this as your sign to reach out to your communications provider and ask whether they are HIPAA compliant. Many companies publish this information on their website as well. Keep in mind that some providers, like Google and Microsoft, offer HIPAA compliant services only in an upgraded package. If you are not using a secure platform, or you are unsure, then you should not be discussing ANY patient information through that method of communication (yes, that includes names!). If you are using a secure, HIPAA compliant provider or application for internal communication, great! The next very important step is to double check that you have a signed Business Associate Agreement with that provider. You may also be wondering about SMS/text messaging within your organization. Staff members should not be texting each other with information related to patients, even if it is only about scheduling. 
Keep all work-related communication on your secure provider or application. Quick reminder! Just because you are communicating internally through a secure provider does not mean you are compliant. You’ll also need to implement security policies and procedures in order to follow best practices. These policies and procedures should include: It is highly recommended that you consult with your IT professional for best practices on securing all applications in your practice. Lastly, it’s important to remember that HIPAA is not a barrier law; in fact, it is intended to help you share protected health information securely and efficiently. Being efficient within your practice can help the overall health of your patients and your organization. Having these best practices in place will help you and your team avoid the anxiety of sharing something that shouldn’t be shared.
OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA
September 21, 2022 Boom! Pow! Bang! Three dental practices were sacked yesterday, resulting in nasty bruises and a loss of yards on the play. After heading into the locker room and studying some film, they recognized there were some lessons to be learned in OCR’s HIPAA Right of Access playbook. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the completion of three investigations in its Health Insurance Portability and Accountability Act (HIPAA) Right of Access Initiative. OCR’s HIPAA Right of Access Initiative started in 2019 to ensure patients receive their records in a timely manner and at a reasonable cost. With three actions in one day and a total of 20 just this year, we are seeing a 42% increase year over year in enforcement of the Privacy Rule. OCR’s effort has now raised the total to 41 Right of Access actions across the span of 3 years, setting a strong example for practices across the country on the importance of maintaining compliance. OCR Director Melanie Fontes Rainer states, “Patients have a fundamental right under HIPAA to receive their requested medical records, in most cases, within 30 days. I hope that these actions send the message of compliance so that patients do not have to file a complaint with OCR to have their medical records requests fulfilled.” Here is an instant replay of when three dental practices crossed the line of scrimmage: The first dental practice drew a delay of game penalty after failing to provide timely access to a former patient’s records. The former patient didn’t receive a complete copy of their records until October 2020, five months after they filed a complaint back in May 2020. This resulted in a $30,000 settlement and the implementation of a Corrective Action Plan. The second dental practice got a 15-yard penalty for not providing a patient with a copy of her records in a timely manner and at a reasonable cost. 
The practice refused to provide the records because the patient wouldn’t pay the $170 copying fee. That’s not a fair catch! After OCR got involved, the dental practice had to cough up $80,000 in settlement and adopt a Corrective Action Plan. Maybe they should’ve read the HIPAA rule book! The starting running back fumbled the ball when the third practice failed to provide a mother and her son with copies of their PHI until after the play clock hit zero. After multiple requests and eight months of waiting, she finally got the medical records in her hands. The dental practice had to fork over $25,000 and implement a Corrective Action Plan. After watching the game footage, there is a clear solution here! Make sure your practice provides patients with timely access to their medical records at a reasonable cost. Six dental practices have been sacked so far in 2022, which means we have already witnessed a 600% increase solely in the dental space compared to the 2021 season. That is not a statistic you can ignore! You could be next, so we encourage you to make sure you have the right compliance measures in place to avoid these large fines. Is your game plan ready?
OCR Settles Case Concerning Improper Disposal of Protected Health Information
August 24, 2022 When it’s time to clean out and organize that ole garage, you probably want to take time to make sure all your sensitive and sentimental items – files, photographs, etc. – are in the right spot before taking them to the dump. It should be no different when it comes to disposing of old devices or hard drives at the office that contain sensitive ePHI, yet practices continue to fail. In recent news, OCR announced a settlement with a dermatology practice located in Massachusetts that failed to properly dispose of protected health information. As a result, the dermatology practice agreed to pay the hefty sum of $300,640 to OCR and implement a Corrective Action Plan to resolve the investigation. It may be obvious that paper records require proper disposal – shredding, pulping, or burning, so that the information cannot be read by the wrong parties. Despite this being common practice, the Massachusetts dermatology practice had PHI that was exposed. Improper disposal is even more common when it comes to electronic protected health information (ePHI). It is critical that your practice understands how and where to dispose of PHI. But what exactly constitutes proper digital data disposal? Disposing of your PHI is not as simple as clicking the delete or trash button. Deleting a file normally removes only the file system’s pointer to it; the underlying bytes stay on the drive until they happen to be overwritten, and readily available recovery software can carve them back out. The following are some thorough methods for properly disposing of PHI: There are lots of devices that could have been used to store PHI even though you would never realize they do. These devices include: Before you burn those electronic devices in a campfire, remember that HIPAA requires practices to retain compliance documentation for at least 6 years, and state law governs how long the medical records themselves must be kept, often longer. Before a device is wiped, any data that is still within its retention period should be backed up to a system where it is encrypted at rest. 
At the end of the day, whether it is boxes of important documents in your garage at home or PHI at your very own practice, it is critical to dispose of it properly and safely.
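To make the “delete is not disposal” point concrete, here is an added example written for this edit; it is not code from Abyde or from any product mentioned in the post. It simulates a drive as a byte array with a minimal directory: unlinking a file drops the directory entry but leaves the bytes in place, so a raw scan of the medium (what recovery tools do) still finds the constructed patient record, while overwriting the file’s blocks before unlinking leaves nothing to find. The disk layout, block size, file names and patient record are all made up for the demonstration.

```python
"""Added example: why "delete" is not disposal of ePHI.

A toy block device (a bytearray) with a minimal directory stands in for a
disk. Unlinking a file only forgets where its blocks live; the bytes stay
on the medium until something overwrites them, which is exactly what
recovery software looks for. Overwriting the blocks before unlinking is the
software-level sanitization step shown here.
"""
import os

BLOCK_SIZE = 64   # hypothetical block size for the toy medium
NUM_BLOCKS = 16   # hypothetical medium size: 1 KiB in total


class ToyDisk:
    """A fixed-size medium plus a directory mapping file names to block numbers."""

    def __init__(self) -> None:
        self.medium = bytearray(BLOCK_SIZE * NUM_BLOCKS)
        self.directory: dict[str, list[int]] = {}
        self.free_blocks = list(range(NUM_BLOCKS))

    def write_file(self, name: str, data: bytes) -> None:
        """Store data across as many blocks as needed, zero-padding the last one."""
        needed = -(-len(data) // BLOCK_SIZE)  # ceiling division
        if needed > len(self.free_blocks):
            raise OSError("disk full")
        blocks = [self.free_blocks.pop(0) for _ in range(needed)]
        for i, block in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE].ljust(BLOCK_SIZE, b"\x00")
            self.medium[block * BLOCK_SIZE:(block + 1) * BLOCK_SIZE] = chunk
        self.directory[name] = blocks

    def delete_file(self, name: str) -> None:
        """What the trash button does: drop the directory entry, touch no data."""
        blocks = self.directory.pop(name)
        self.free_blocks.extend(blocks)

    def secure_delete_file(self, name: str) -> None:
        """Overwrite every block of the file with random bytes, then unlink it."""
        for block in self.directory[name]:
            self.medium[block * BLOCK_SIZE:(block + 1) * BLOCK_SIZE] = os.urandom(BLOCK_SIZE)
        self.delete_file(name)

    def find_on_medium(self, needle: bytes) -> int:
        """Raw carve: scan the whole medium, ignoring the directory, like a recovery tool.
        Returns the byte offset of the first match, or -1 if the data is gone."""
        return self.medium.find(needle)


def phi_recoverable_after_delete(secure: bool) -> bool:
    """Write a constructed patient record, delete it one way or the other,
    and report whether a raw scan of the medium can still find the PHI."""
    disk = ToyDisk()
    # Constructed sample record (not real patient data); 192 bytes = 3 blocks.
    record = b"PATIENT: Jane Q. Sample\nDOB: 1970-01-01\nDX: K02.9 dental caries\n" * 3
    disk.write_file("chart_0001.txt", record)
    if secure:
        disk.secure_delete_file("chart_0001.txt")
    else:
        disk.delete_file("chart_0001.txt")
    # Either way the file is gone from the directory listing the user sees.
    assert "chart_0001.txt" not in disk.directory
    return disk.find_on_medium(b"PATIENT: Jane Q. Sample") != -1


if __name__ == "__main__":
    print("PHI recoverable after plain delete :", phi_recoverable_after_delete(secure=False))
    print("PHI recoverable after secure delete:", phi_recoverable_after_delete(secure=True))
```

The overwrite step is the spirit of the “clear” level in NIST SP 800-88 (Guidelines for Media Sanitization), which practitioners use as the reference when writing a disposal policy. Two caveats a real policy needs that the toy cannot show: on SSDs and other flash media, wear levelling means a software overwrite is not guaranteed to reach the physical cells, so the drive’s built-in secure-erase command or physical destruction is the dependable route; and if the drive was fully encrypted from the day it was put into service (the “encrypted while being kept” advice above), disposal reduces to destroying the key, with the overwrite as a second layer rather than the only one.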
OCR Announces Eleven More HIPAA Right of Access Settlements
July 18, 2022 Waking up every morning is an eye-opening experience. Do you know what else is an eye-opening experience? Waking up to see all of the enforcement investigations OCR launched against practices like yours. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the completion of eleven investigations in its Health Insurance Portability and Accountability Act (HIPAA) Right of Access Initiative. OCR launched this effort under the HIPAA Privacy Rule to support individuals’ right to timely access to their health records at a reasonable cost. HIPAA provides individuals with the right to view and get copies of their health information from their healthcare providers and health plans. A HIPAA-regulated entity has 30 days after receiving a request to provide an individual or their representative with their records. OCR Director Lisa J. Pino states, “Health care organizations should take note that there are now 38 enforcement actions in our Right of Access Initiative and understand that OCR is serious about upholding the law and peoples’ fundamental right to timely access to their medical records.” Practices are no longer sneaking under the radar! With these eleven cases, OCR has reached its thirty-eighth enforcement action since the HIPAA Right of Access Initiative began in 2019, and the eleven settlements total over $646,000. Here is a brief breakdown of a couple of the cases just released by HHS: The first dental action includes a $5,000 settlement for failure to comply with the Right of Access provision, which requires covered entities to permit individuals to inspect and obtain a copy of their PHI. An eye care practice made the mistake of not providing a copy of a patient’s medical records until three days after OCR opened its investigation. Now that is crazy! 
To settle a potential violation of the HIPAA Privacy Rule right of access standard, the practice agreed to take corrective actions and pay $22,500. Something as simple as not giving your patients access to their data quickly enough can result in a huge fine! One not-for-profit health system learned the hard way by not responding to a complainant’s access request in time. This cost the health system a whopping $240,000! So, whether it’s responding to a request or delivering the records on time, you need to make sure your practice is on point to avoid these heavy penalties. As we can see, the queen bee (Lisa Pino) isn’t joking around about pushing OCR’s HIPAA Right of Access Initiative across practices, so we encourage you to ensure you have the right HIPAA compliance measures in place. So what’s the holdup? For less than a scratch-off ticket a day you can save your practice from those sneaky fines and become friends with Abyde today!