HIPAA

HIPAA Compliant PHI Disposal
Best Practices, HIPAA

Disposing of PHI: Why, What and How

August 27, 2020 Comments Off on Disposing of PHI: Why, What and How

August 27, 2020 When it’s time to upgrade to that new wallet or purse you’ve been wanting, you probably take out all your sensitive information – credit cards, license, etc. – before tossing out the old one (we hope so at least). It should be no different when it comes to disposing of old devices or hard drives that contained sensitive ePHI, yet practices continue to miss the mark. It may be obvious that paper records require proper disposal – in most cases, shredding or recycling so that the information cannot be read by the wrong parties. Despite this being common knowledge, incidents continue to arise – such as the recent batch of medical records found unattended at an Odessa recycling center in Texas. Because the records weren’t shredded, their sensitive data was made easily accessible. Improper disposal is even more common when it comes to disposing of electronic protected health information (ePHI) properly. What data needs to be properly disposed of?  Anything that does or could have once stored PHI – some you may not even realize – should be properly disposed of to wipe any traces of patient information. This includes: Many devices unknowingly have stored patient information – in emails or text messages, documents accessed on your device web browser, pictures or screenshots, medical images, voicemails, or applications that stored PHI during use. Devices may contain their own storage drives, especially if IoT enabled (connected to your WiFi or internal network).    RELATED: So You Have PHI to Dispose of – Now What?  What is considered proper digital data disposal?  Unfortunately, clicking the ‘delete’ button does not completely remove digital data. Even if you overwrite files, they can still be recovered using software tools. The following are a few ways you can ensure your devices are disposed of properly: Now before you grab those hammers and start smashing up your Windows 7 PC, HIPAA law requires practices to store PHI for at least 6 years and potentially more depending on your state. Devices with data that falls within that 6 year timeframe should be backed up before they are wiped clean, and data should then be encrypted while being stored.  Regardless of whether the data is on paper or disk, or the destruction method you choose, it’s imperative to properly dispose of PHI – and make sure nothing retrievable ends up in the wrong hands.

Asset Log HIPAA
Best Practices, Cybersecurity, HIPAA

OCR Highlights Asset Log as Key HIPAA Recommendation

August 25, 2020 Comments Off on OCR Highlights Asset Log as Key HIPAA Recommendation

August 25, 2020 Earlier today, the Office for Civil Rights (OCR) sent out their seasonal Cybersecurity Newsletter on a very timely and relevant topic – the importance of keeping track of devices that contain electronic protected health information (ePHI). The OCR’s newsletter highlights two important things for independent practices: first, that having an asset log is the recommended method for tracking and thus safeguarding devices that contain ePHI, and second, that the OCR views practice’s lack of knowledge around where their devices are as a key area of concern. Part of the HIPAA Security Rule, practices are required to implement the necessary technical safeguards covered in the Security Risk Analysis (SRA) – including encrypting and securing their devices that contain sensitive ePHI. While an asset log isn’t directly required under HIPAA, the OCR highly recommends the creation and maintenance of an IT asset inventory to better understand where ePHI may be stored and strengthen overall compliance with these requirements.  What does an Asset Log entail? We know it’s hard to keep tabs on everything within your practice, but when it comes to your devices keeping inventory is key. As the OCR’s newsletter highlights, the asset log should be a comprehensive list of all IT assets with corresponding descriptive information. The OCR notes that this list could include ALL devices, even those that don’t access ePHI directly, as they could contain ePHI unknowingly or be an entry point for cyberattackers to your network. Your list should include: When documenting these assets, Abyde recommends including all the following information:  Additionally, it is important to regularly update your asset log as devices are moved around by location or by assigned staff members. Just like an SRA, your asset log should not be a ‘one and done’ project, and should instead be reviewed regularly. You should also track when devices are disposed of, as properly disposing of devices that contain ePHI is a common cause of HIPAA violations.  No matter the size of your practice, creating and maintaining a thorough asset log isn’t an easy task. With a program like Abyde, our built in Asset Log covers all the OCR recommendations and then some – helping you track devices at high risk and making your IT inventory intuitive. Having the ability to access your asset log within a cloud-based solution like Abyde makes reviewing and updating inventory a breeze, and helps ensure you’re complying with all the right technical safeguards.  

Be Prepared for a HIPAA Audit
Audits, HIPAA

Top 6 Ways to Be Prepared for a HIPAA Audit

August 14, 2020 Comments Off on Top 6 Ways to Be Prepared for a HIPAA Audit

August 14, 2020 Let’s be real – there’s probably a few things in life we all have an“Oh, it won’t happen to me” mentality about. For many medical professionals, that may be exactly how you feel about HIPAA audits – yet HIPAA investigations are becoming more common than you might think.  While the odds of facing a totally random HIPAA audit might not be high, they increase significantly when you factor in additional investigation triggers like data breaches, cyber attacks, and patient complaints- none of which a medical practice is immune to. Proactively preparing for anything that might be thrown your way is imperative for your practice to have the ability to handle a HIPAA audit without the consequence of a hefty violation. Here are the top 6 things you should have in place BEFORE a breach, complaint or audit investigation occurs: 1. Security Risk Analysis The first thing the OCR looks for upon investigation is a properly documented and up to date Security Risk Analysis (SRA). This shows that you’ve assessed your practice operations and identified any vulnerabilities – BEFORE an audit occurs. While it’s the first step of HIPAA compliance, only 17% of practices audited by the OCR met this requirement. 2. Practice-Specific Policies & Procedures Proper documentation is key for all aspects of your compliance program including your practice specific HIPAA policies and procedures. These policies and procedures serve as the guidelines for how protected health information (PHI) should be handled within your practice and the proper documentation is necessary to prove the expectations and standards you have set for your organization.  3. Disaster Recovery Plan Disasters happen, most of the time without warning. Having a disaster recovery plan in place is important to ensuring continuity of patient care and continued access to important medical records. As the saying goes, if you fail to plan, you plan to fail. 4. Implement Proper Administrative, Technical and Physical Safeguards Securing all forms of PHI with the necessary safeguards already implemented within your practice is essential to successfully meeting HIPAA requirements – and ultimately protecting your patients. 5. Staff HIPAA Training Properly train your workforce on all HIPAA privacy and security policies and procedures. This training should be ongoing to ensure that staff is staying up to date with any changes to HIPAA regulations or practice operations. 6. Business Associate Agreements It’s important to be on the same page with everyone that has access to your patient’s secure information. Implementing the proper business associate agreements (BAAs) with all third party vendors that could potentially access PHI ensures patient data is secure while also offsetting liability to business associates should they be the cause of a data breach. There’s a lot that goes into your HIPAA program, even more than the top 6 items listed here, which is why it’s all the more important to have a true culture of compliance in place and a complete HIPAA program to prevent and minimize threats to your patient’s data.

Windows 7 HIPAA Risk
Cybersecurity, HIPAA

OCR Alert: Windows 7 a Growing Risk for Cyberattacks

August 13, 2020 Comments Off on OCR Alert: Windows 7 a Growing Risk for Cyberattacks

August 13, 2020 Have you updated your Microsoft Windows version recently? If your answer is no, then you might be at a greater risk of experiencing a cyberattack. The Office for Civil Rights (OCR) in partnership with the FBI sent out an alert just this morning regarding the increase in cyberthreats to outdated computer networks, specifically the Windows 7 operating system (OS).  Windows 7 went end of life (meaning it is no longer supported or patched by Microsoft) in January of this year. Because it is no longer monitored or supported, the OS is missing the necessary security updates to continuously protect against hackers. Utilizing the outdated system dramatically increases the risk of cyberattackers accessing your computer systems – including the sensitive patient data they house.  In their alert, the OCR expands on the various vulnerabilities that come from failing to safeguard your practice’s computer network by continuing to use Windows 7, including that: Other factors that increase the current risk include the shift to working remotely and the less secure network connections typically used at home. It is highly recommended to upgrade any outdated computer systems as soon as possible to reduce risk. In addition to updating your operating system, ensure your anti-virus and firewalls are all up to date to best protect your devices from outside threats.  While updating core operating software may mean additional costs and resources, the OCR emphasized the importance of following their recommendation in their alert, stating that, “these challenges do not outweigh the loss of intellectual property and threats to an organization.” While HIPAA does not specify a required operating system, meeting required technical safeguards does include keeping your systems secure and as protected as reasonably possible from cyber threats. In this case, that means having an active OS that is still receiving critical security updates. We highly recommend protecting your critical patient information and upgrading any systems necessary as soon as possible.  

Offboarding and HIPAA
Best Practices, HIPAA

Recently Offboarded Staff? Don’t Forget About HIPAA Requirements

August 6, 2020 Comments Off on Recently Offboarded Staff? Don’t Forget About HIPAA Requirements

August 6, 2020 Many practices have an organized system for welcoming a new employee to the team. Usually, new staff is an exciting addition, and you’ve likely got your welcome bag, name tags and business cards at the ready. But, when it comes to the end of an employee’s life cycle at your practice – not uncommon in 2020 due to COVID-19 – the process may not be as exciting or as organized. The uncertainty that surrounds having to terminate an employee can be messy, leading to paperwork and processes being executed in haste. In this hurry, mistakes are often made leaving sensitive patient data exposed to unauthorized recipients. Even if you have the best intentions and think it’ll never happen to you, data breaches continue to surface stemming from improperly terminated access. Whenever you part ways with a former workforce member, full offboarding measures must be taken to ensure full protection of your practice as well as your patient’s data. The HIPAA Security Rule specifically details the required termination procedures in Section 142.308(a)(11) as the “formal, documented instructions for ending employment and closing off internal and external access.” This removal of access can be done by implementing the following offboarding actions: Even for former employees, documentation is still essential when it comes to HIPAA compliance. Your practice should keep all HIPAA training certificates on file for up to 6 years even if terminated. If a breach occurred prior to an employee’s termination, or an audit occurs even after termination, you will need to produce a copy of the training certificate to prove that each staff member was properly trained at the time.  Other steps that should be taken on a regular basis to help improve the security within your practice as well as help ensure a smoother offboarding process include:  You may have a system in place for offboarding, but if you’re a busy practice there’s no harm in waiting a month or two to make sure access is revoked, right? Well…not so much. Every day that your former staff still have access to PHI is not only another day of increased risk, but also a major concern if ever audited or investigated by the OCR. In fact, failing to properly implement these procedures when offboarding employees has been the catalyst for multiple HIPAA breaches. In 2018, a Colorado Hospital found themselves in a HIPAA violation costing them $111,400 after terminating an employee without proper offboarding. The employee was not removed from the hospital’s online-based scheduling calendar which contained PHI – ultimately allowing continued access to the PHI of almost 600 patients. Along with the former employee’s access, it was found that the medical center’s web-based scheduling calendar vendor also received access to PHI without the proper Business Associate Agreement in place. In response to this settlement OCR Director, Roger Severino emphasized that “This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn’t.” Equally as important as staff is properly offboarding any vendors your practice worked with. If any of your vendors have any access to your practice both physically as well as electronically they must be properly removed when your work contract is terminated. Things like disabling remote access to servers from any accounts with administrative privileges are often overlooked and can be a huge risk for data breaches and HIPAA violations. In fact, having a proper Business Associate Agreement in place with these vendors puts them on the hook for removing access and returning or destroying any PHI they may have had or created on behalf of your practice. Having a comprehensive plan from the start to finish of an employee’s time at your practice will have a huge impact on ensuring the security of the sensitive patient information within your organization. While you most likely won’t have to deal with an employee gone rogue, being proactive and making certain that there are no loose ends when it’s time for a staff member to leave will help make the offboarding process seamless and stress-free.  

COVID-19 Public Health Emergency Extension
Best Practices, HIPAA

HHS Extends National Public Health Emergency & Limited HIPAA Waivers

July 30, 2020 Comments Off on HHS Extends National Public Health Emergency & Limited HIPAA Waivers

July 30, 2020 COVID-19 has made 2020 feel like both the shortest and longest year ever, and if rising cases are any indication it’s not likely to let up anytime soon. You may have already expected our ‘new normal’ of mask-wearing, keeping a 6-foot distance, and HIPAA waivers to be here for the long haul, and the recent Department of Health and Human Services (HHS) extension of the National Public Health Emergency solidifies that notion. Just last week the HHS announced the renewal of the National Public Health Emergency and an extension of limited HIPAA waivers until October 23, 2020. This declaration means more than continued social distancing rules, and also extends the many other waivers and flexibilities issued by the HHS in the initial response to the pandemic. These waivers work to mitigate the risks to the health of the general public while assisting healthcare providers with the necessary accommodations to protect their practice and continue serving their patients. To give a recap on everything that’s been changed or updated in lieu of COVID-19: In addition to the specific waivers granted in response to the pandemic, practices should be aware of additional guidance covering the expansion of cyber security attacks in response to increased remote operations, reminders on restrictions of sharing patient information to the media, and proactively safeguarding against the recent rise in patient complaints due to COVID-19.  As part of the recent extension of HIPAA waivers, the HHS has specified a 90-day period until waivers are expected to be lifted. Practice’s now have a clear timeframe of when they need to implement HIPAA compliant solutions for tools like telehealth which may currently be done using a non-compliant software. To prevent a HIPAA violation as these waivers end in October, it’s important that your practice proactively prepares by: While these HIPAA regulation flexibilities have been extended, they aren’t going to last forever. Keeping your practice one step ahead will make all the difference in your ability to avoid any HIPAA violations or fines as standard regulations take effect again. If HIPAA hasn’t been your number one priority over the past few months, you should start now and use this 90-day extension to ensure you have a complete compliance program in place, especially as 2020 continues to fly by.

Two Major HIPAA Fines
Fines, HIPAA

OCR Levies Two HIPAA Fines Totalling $1,065,000 Amidst COVID-19

July 27, 2020 Comments Off on OCR Levies Two HIPAA Fines Totalling $1,065,000 Amidst COVID-19

July 27, 2020 Even in the midst of COVID-19, the Office for Civil Rights (OCR) hasn’t let up on finding and enforcing HIPAA violations. Within just this past week, both a small healthcare provider along with a larger health system found themselves facing HIPAA violations that resulted in hefty fines – $25,000 and $1.04 million, respectively – as well as extensive corrective action plans.  Continued Disregard for HIPAA A small practice based out of North Carolina, Metropolitan Community Health Services (d/b/a Agape Health Services) filed their initial breach report all the way back in 2011 when there was an impermissible disclosure of PHI to an unknown email account. While the violation may have been triggered by an impermissible disclosure of protected health information (PHI), the OCR’s hammer was brought down in large part by the practice’s continued disregard for HIPAA requirements and protections for their patient’s PHI. The disclosure impacted over 1,000 patients and the practice’s report opened the doors to an OCR investigation of their entire HIPAA program. The investigation shed light on the practice’s failure to comply with various HIPAA Security Rule regulations, including: Even after reporting the breach in 2011, the practice didn’t implement these missing HIPAA requirements in any hurry. Staff weren’t trained properly on HIPAA until 2016 – five years after the initial complaint was reported. The lack of progress made to safeguard their patients’ information resulted in the OCR levying a $25,000 fine years after the impermissible disclosure took place, in part as a result of continuously failing to mediate the gaps in their HIPAA program. OCR Director, Roger Severino, emphasized the practice’s lack of effort in his statement accompanying the press release. “Health care providers owe it to their patients to comply with the HIPAA Rules. When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information.” This fine highlights that it is imperative to not only have a comprehensive HIPAA compliance program in place before a breach occurs, but also ensure that safeguards are implemented after a breach has been identified – the OCR has made it clear that showing a lack of progress is one way to guarantee you end up in their crosshairs.  Unencrypted Laptop The second violation involved a large healthcare system in Rhode Island, Lifespan ACE, and resulted in a whopping $1,040,000 resolution agreement. Back in 2017, a Lifespan employees’ car was broken into and a single unencrypted laptop containing patient information from various entities within the healthcare system was stolen. This data breach led to the impermissible disclosure of over 20,000 individuals PHI and opened the doors for the OCR’s further investigation. Upon investigation, it was found that they were missing various elements of their HIPAA program including:  Because the laptop was not encrypted, a single technical safeguard that could have prevented the violation, the PHI of any patient that was accessible using the device was at high risk for misuse. Part of the OCR’s investigation revealed “systemic non-compliance” with HIPAA, including various other media and device controls such as proper encryption. “Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality.  Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves,” added Roger Severino, OCR Director in the news release. This fine emphasizes that even when theft is outside of a covered entity’s control, the responsibility still falls on the provider to properly encrypt and safeguard that valuable data. While preventing every single possibility of a data breach might be unrealistic, maintaining a proactive HIPAA compliance program that meets federal requirements and includes all appropriate encryption and technical safeguards is achievable. Ensuring you have a complete program with all aspects of HIPAA reviewed and implemented is key – and stress-free when done with an intuitive software solution like Abyde.  

Requirements for HIPAA Training
Best Practices, HIPAA

Requirements for HIPAA Training

July 22, 2020 Comments Off on Requirements for HIPAA Training

July 22, 2020 You know the saying ‘teamwork makes the dream work’? The same goes for HIPAA compliance within your practice, too. The easiest way to make sure everyone is on the same page is to implement a comprehensive HIPAA compliance training program. HIPAA training is key to securing your patients’ information and instilling a culture of compliance within your organization. Compliance is a group effort, and ensuring that all workforce members have a full understanding of their HIPAA responsibilities will limit the accidental exposure of protected health information (PHI) and avoid potential high dollar settlements for the practice.   58% of healthcare breaches involve practice employees, and these breaches are largely a result of employees improperly disclosing patient information, the mishandling of medical records, losing devices containing electronic protected health information (ePHI), or a general lack of training. This makes education a key aspect in preventing improper access or misuse of PHI. Unfortunately, the Office for Civil Rights (OCR) doesn’t provide any lesson plans or online training classes – leaving the burden of providing proper education completely on your practice. Here are a few key points to keep in mind when it comes to the “who, what, when, and how” of employee training. Who needs to be trained?  All workforce members, part-time, contract, or full-time, that come into contact with protected health information must be properly trained. This includes providers as well. HIPAA law states that training must be done “as necessary and appropriate for the members of the workforce to carry out their functions.”  Some staff members, like your practice’s HIPAA Compliance Officer, should be trained more frequently than the rest of the staff and the material should be specific to their HCO duties. What needs to be included in the training?  HIPAA doesn’t specify any particular topics that should be covered or what timeframe they should be addressed in, but training should be designed around what a staff member needs to know in order to perform their job function. That might include new employee training that covers the basics and additional training that dive more deeply into the nuances of how HIPAA impacts the staff’s daily job roles. Common HIPAA training topics include: When should employees be trained?  While HIPAA does not technically specify the timeframe of ongoing training, most agree that annual training is the appropriate timeframe to keep HIPAA top of mind for staff. In addition, any new employees must complete initial training on HIPAA within a reasonable time after being hired – this is recommended within the first 90 days of employment. HIPAA training should be a key part of the employee onboarding process to ensure compliance. It will also set the standard that HIPAA compliance is important to your practice.  How long must each training be?  There’s no specified length of training regulated by HIPAA, but the length must be sufficient enough to cover all the necessary materials. The quality of the information being provided as well as the effectiveness of how it is taught is the most important aspect of proper training. This could mean a shorter but more engaging training, such as an animated video and interactive quiz. There’s also no specifics that identify if training must be completed individually or as a group. Utilizing training videos may help your practice avoid losing valuable patient time by letting staff complete training on their own time. What is required to document training? One of the most important aspects of completing HIPAA training is to document each staff member’s completion. When it comes to HIPAA, document, document and document some more. It is key to providing proof of compliance if ever audited or breached. For training, a certificate of completion showing who completed the training and when it was completed will show all needed information. Offering a modular-type training format, such as a quiz after training, is important for showing that employees retained the material. Unpacking HIPAA means peeling back a lot of layers, and ensuring that each employee is properly trained on HIPAA’s nuances to fully understand what’s needed to be compliant may seem daunting. A solution like Abyde makes HIPAA training as easy as a click of a button, sending animated training videos that keep HIPAA fun and engaging. No matter the training solution your practice chooses, make sure it meets all HIPAA requirements and most importantly delivers content in a way that will be retained and understood by your employees. 

Best Practices, HIPAA

My EHR system makes me HIPAA compliant, right?

July 16, 2020 Comments Off on My EHR system makes me HIPAA compliant, right?

July 16, 2020 Let’s face it, in today’s digital age, it’s tough to find a medical practice that doesn’t utilize an Electronic Health Records (EHR) system. Even if you were late to the game and just recently made the switch, the use of EHRs in doctor’s offices nearly doubled between 2009 and 2017, to almost 86% of providers. One of the biggest qualifications for any EHR system is that it meets all HIPAA compliance requirements to protect the sensitive patient data held within it. But is that where HIPAA compliance begins and ends?  A common misconception many providers have, however, is that implementing a HIPAA compliant EHR ensures their practice is in compliance with all standards  – instead, it’s just one piece of the much larger puzzle. Make no mistake, having a HIPAA compliant EHR is essential. There are a number of safeguards that should be implemented to protect your EHR’s electronic data, such as:  While these safeguards are key, there are other HIPAA requirements that go beyond the security of your EHR software and impact your practice’s operations, physical accessibility, and all technology used within the organization – including IT networks and other applications not included in your EHR software. That’s why the Security Risk Analysis’ three sections – administrative, physical, and technical safeguards – are so essential to ensure every aspect of your business’ risk is assessed. Even non-HIPAA experts can conclude that having a HIPAA compliant EHR system is a no brainer. But missing all, or even just some, of the other pieces to the puzzle puts your practice and your patients at high risk. In fact, within  Abyde’s Security Risk Analysis, only 10% of the questions pertain to your EHR system. Whether with Abyde, internally, or with another vendor – it’s essential to review the other 90% of your necessary safeguards before getting slammed with a HIPAA violation. 

HIPAA Compliant Marketing for Healthcare Practices
Best Practices, HIPAA

HIPAA Compliant Digital Marketing for Healthcare Practices

July 8, 2020 Comments Off on HIPAA Compliant Digital Marketing for Healthcare Practices

July 8, 2020 Nowadays, you can shop online for anything – from chopsticks that double as LED lightsabers to a wig for your dog (seriously, we’re not kidding), and shopping online for a healthcare provider is no different. The internet plays a key role in a healthcare consumer’s decision making, in fact, according to a study released by the Pew Internet & American Life Project, “80 percent of Internet users, or about 93 million Americans, have searched for a health-related topic online.” Let’s face it, we use the internet for basically anything and everything nowadays especially as we continue to adapt in today’s COVID-19 world, which is why it’s important for your practice to understand what is and isn’t allowed when it comes to HIPAA compliance and online marketing.  Using online marketing as a tool can be extremely beneficial for practices. Most medical practices have a website and many use social media and email marketing as tools to reach potential patients – ensuring you are utilizing these platforms in a HIPAA compliant manner is imperative to marketing in the right ways while still ensuring the privacy of your patients and security of your practice. Whether it be for your practice website, social media page, or advertisement – if you would like to use any type of patient information there are some strict guidelines to follow: Your Practice Website Having a HIPAA compliant website for your practice enables patients to search for information regarding the services that you provide, and ultimately drive new patients to you. The following are some key tips to follow when creating and maintaining the website for your practice:   Email Marketing  If choosing to use email marketing to engage with patients there are some key safeguards you must take to ensure you’re protecting your patients’ information and aren’t setting yourself up for a HIPAA violation:  Social Media  Nowadays social media platforms play a large role in consumers’ decision making. Having a strong social media presence can be a great asset to your practice, but in order to use social media to your advantage, you should follow these guidelines:  Where marketing regulations get tricky is patient reviews or comments on digital platforms. While patients are able to post a review or comment about your practice, you cannot respond in any capacity that ties the patient to your practice. A dental practice in Texas was faced with a $10,000 fine along with a 2-year corrective action plan after they responded to a patients’ Yelp review. The practice had responded to multiple reviews the investigation found, disclosing patient information including names, medical diagnoses, and more and was only hit with a small fine due to their immediate cooperation with the Office for Civil Rights. On top of ensuring that you’re meeting all the criteria for a safeguarded online presence, you should also create a well-documented strategy that clearly outlines what’s permitted and what isn’t for your staff. This should cover the necessary policies and procedures for marketing to patient’s whether it is done online, over the phone, or in person.

Concerned about HIPAA & OSHA compliance requirements in 2025? Join our live webinar for expert answers to the most common questions to ensure your practice is protected.

REGISTER TODAY
X