April 22, 2024

Good morning! We hope we can cheer up your Monday blues with the announcement of our new educational series, Compliance Catastrophes: real-ish world examples of nightmare scenarios! Throughout this week, we'll be releasing blogs and videos on common breaches of Protected Health Information (PHI) in healthcare, giving you the tips you need to stay secure.

We're starting our series with one of the most common causes of HIPAA breaches: email scams. Email scams are very prevalent, with 91% of cyberattacks beginning with a phishing email. Phishing is the most commonly reported form of cybercrime, with an estimated 3.4 billion phishing emails sent every day.

Now, before we get too far, let's clear up any misconceptions. A phishing attempt is unfortunately not a Saturday night getaway on a boat with your friends catching fish. It's much more like casting a lure of fake urgency or importance to 'fish' for credentials and personal information, including PHI. You might think that you could never fall for a phishing scam, but let me tell you, it happens quite often. Let me introduce you to the star of the week, Catastrophe Cathy.

A One-way Ticket to a Breach

Cathy was scrolling through her email, and she couldn't believe her eyes! Her boss had sent her an email offering her a week's vacation to Italy! All she had to do was claim it by clicking the link at the bottom of the email. She was sold! It looked real: it said it was from her boss, Bob, and it even had his email signature! When she clicked the link, malware began to work its nefarious magic, infecting her computer and gaining access to PHI. Her dreams of seeing the Leaning Tower of Pisa came crashing down once she realized there was no trip. She panicked! What was she going to do?

Email Safety 101

Now, any of us can end up like Cathy if we aren't careful when checking our email! Phishing scams affect over 300,000 people a year, yielding over $50 million in losses.
First, an always-good rule of thumb: if it seems too good to be true, it almost certainly is. Sorry, or scusa (sorry in Italian), Cathy! Next, always check who is sending the email. While it looked like it came from Bob the Boss, if she had looked at the actual email address rather than the display name, she would have seen it came from Stevethescammer@email.com! Attackers pretending to be someone at your organization, whether with a matching display name, a look-alike address, or a forged From header, is a very common practice known as spoofing or impersonation. Keep in mind that the sender address itself can be forged, so also hover over links before clicking to see where they really lead, and be suspicious of any unexpected request involving urgency, credentials, or patient data. Lastly, if you see any odd links or attachments, never click them: report the message as spam or phishing, delete it, and, if applicable, forward it to your organization's phishing reporting address.

Phishing scams have also had a recent, costly impact on healthcare. The OCR settled its first investigation of a phishing cyber attack with the Lafourche Medical Group for $480,000!

Reel in Control

Now, if you find yourself falling for an email scam, the first thing you need to do is alert your team. You might be embarrassed, but it's brave to admit you made a mistake, and speaking up quickly ensures others don't fall for the same attack. The most important immediate step is to disconnect your device from the network (unplug the cable or turn off Wi-Fi), but do not power it off. Think of it like putting up a "closed for business" sign: this cuts off the attacker's access and stops them from moving further into your network, while leaving evidence in place for your IT team to examine. Loop in your IT team or IT provider, and follow your company's incident response procedures for a cyber attack. Of course, notify patients affected by the breach, and report the breach in your Abyde software and to the OCR within the timeframes the HIPAA Breach Notification Rule requires. Since it is a phishing attempt, you can also report it to the FTC.

To learn more about common breaches, stay tuned to our blogs and videos this week! Follow us on social media to be the first to see the latest compliance news, and if you have any questions, email us at info@abyde.com.
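The three checks in the Email Safety 101 section above (does the display name match the real address, where do replies actually go, and where do the links really point) can be automated as a first-pass triage of a suspicious message. The Python below is an added example written for this post; it is not Abyde's software and not part of the original article. The practice domain, the staff directory, and the three email messages are all constructed for the example, modelled on Cathy's lure.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical practice domain and staff directory (constructed for this example).
ORG_DOMAIN = "clinic-example.com"
DIRECTORY = {"bob boss": "bob.boss@clinic-example.com"}

# Constructed lure modelled on the story: display name says Bob, the address does
# not, and the link text hides a different destination than the href.
LURE = b"""From: "Bob Boss" <stevethescammer@email.com>
To: cathy@clinic-example.com
Subject: Your week in Italy - claim it today!
Content-Type: text/html; charset="utf-8"

<html><body><p>Cathy, claim your trip here:
<a href="http://claim-prize.example.net/login">https://clinic-example.com/hr/vacation</a></p>
<p>Bob Boss, Practice Manager</p></body></html>
"""

# Constructed variant: From is Bob's real address (forged), replies are redirected.
REPLY_TO_TRAP = b"""From: "Bob Boss" <bob.boss@clinic-example.com>
Reply-To: stevethescammer@email.com
To: cathy@clinic-example.com
Subject: Quick favour
Content-Type: text/plain; charset="utf-8"

Cathy, can you send me today's patient list? Just reply to this email.
"""

# Constructed legitimate message for comparison.
LEGIT = b"""From: "Bob Boss" <bob.boss@clinic-example.com>
To: cathy@clinic-example.com
Subject: Schedule
Content-Type: text/html; charset="utf-8"

<html><body><p>Updated rota: <a href="https://clinic-example.com/hr/rota">https://clinic-example.com/hr/rota</a></p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(url):
    return (urlparse(url).hostname or "").lower()


def analyze(raw, org_domain=ORG_DOMAIN, directory=DIRECTORY):
    """Return a list of findings for one raw message; an empty list means nothing was flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Display name claims to be a known colleague, but the address is not theirs.
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    expected = directory.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"display name '{from_name}' but address is {from_addr}")

    # 2. Replies would go to a different domain than the one shown in From.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append(f"Reply-To {reply_addr} differs from From domain {_domain(from_addr)}")

    # 3. Link text shows one host while the href points at another, or the link
    #    leaves the organisation's domain entirely.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown = _host(text) if "://" in text else ""
            actual = _host(href)
            if shown and shown != actual:
                findings.append(f"link text shows {shown} but points to {actual}")
            elif actual and not (actual == org_domain or actual.endswith("." + org_domain)):
                findings.append(f"link leaves the organisation: {actual}")
    return findings
```

Run `analyze(LURE)` and you get two findings (the impersonated display name and the mismatched link); `analyze(REPLY_TO_TRAP)` flags only the Reply-To, which is the case a quick glance at the From line would miss; `analyze(LEGIT)` returns nothing. These are heuristics for a human or a mail filter to act on, not proof either way: a From header can be forged outright, so this complements, rather than replaces, SPF/DKIM/DMARC checks on the receiving mail server and a habit of reporting anything odd.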
Royal Blunder: What the Kate Middleton Breach Teaches Us About Patient Privacy
April 5, 2024

Today, we're talking about some international news. Once again, get your passport ready, because we're taking a trip to the land of Big Ben, Buckingham Palace, and of course, the British monarchy. The British monarchy, spanning over 1,200 years, has long been a symbol of the United Kingdom. You might have heard a lot of buzz about Kate Middleton's health over the last several months, with intense interest and curiosity regarding her absence from the public eye. The search for answers turned into pandemonium, and rumors flourished, with millions rabidly looking for an explanation. Weeks after 'KateGate' began, the Princess of Wales addressed the public in a heartfelt video message, revealing her recent cancer diagnosis. However, this personal update was not entirely on her terms: hospital staffers had tried to look up her private medical records, violating the princess's privacy. Today's topic hits close to home for everyone: everyone, including royalty, deserves to have their Protected Health Information (PHI) kept secure.

A Royally Big Problem

As a result of the media frenzy regarding the princess's whereabouts, there was an unfortunate breach of protocol: her information was searched for by three hospital staffers at the London Clinic after her surgery in January. These staffers have received disciplinary action and have been suspended. The CEO of the London Clinic, Al Russell, released a statement on the matter: "There is no place at our hospital for those who intentionally breach the trust of any of our patients or colleagues." The United Kingdom and Europe have legislation similar to HIPAA protecting the privacy of their citizens; to learn more about their laws, read this linked article! An investigation was opened by the Information Commissioner's Office, or ICO.
Similar to America's Office for Civil Rights, or OCR, the ICO investigates data protection violations and has the power to enforce the law. It received a breach report at the end of March, and more information is expected to follow. However, Kate Middleton is no stranger to healthcare breaches. A similar breach occurred over a decade ago, when she was pregnant with her first child. When she was hospitalized for severe morning sickness, medical staff accidentally shared detailed medical information with callers they thought were Queen Elizabeth and (now King) Prince Charles. The callers weren't royalty at all, but radio hosts!

What can we learn from this? While we don't have a monarchy stateside, the story carries the valuable lesson that even people in the public eye deserve to have their protected health information kept private. Make sure your practice has access controls in place so that records are only accessible to the people who need them for treatment, payment, or operations, and make sure that access to records is logged and reviewed: snooping by a user who already has a login, which is what happened here, only shows up in the audit trail. Additionally, ensure staff are properly trained and know the best practice in any situation, including how to handle callers claiming to be family members or VIPs.

The Kate Middleton incident serves as a stark reminder of the constant vigilance required to safeguard patient privacy. By learning from past mistakes and implementing extensive security measures, like compliance software such as Abyde, healthcare practices can create a culture of compliance. This culture of compliance empowers staff to make informed decisions and protect health information. To see how your compliance currently stands, email us at info@abyde.com and schedule a consultation here.
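Access controls decide who can open a record; an audit-log review is what catches an authorized user opening a record they had no reason to see, which is the London Clinic scenario. The Python below is an added example written for this post, not Abyde's software and not from the original article: it runs a minimal snooping check over a constructed EHR access log. The log lines, the care-team assignments, and the watchlist of high-profile patients are all made up for the example; real EHR exports carry similar fields under different names.

```python
import csv
import io
from collections import defaultdict

# Constructed EHR access-audit log in CSV form (not real data).
AUDIT_LOG = """timestamp,user,role,patient_id,action,encounter_id
2024-01-17T09:02:11,nurse.amy,nurse,P1001,view,E555
2024-01-17T09:05:40,dr.lee,surgeon,P1001,view,E555
2024-01-18T13:22:03,clerk.tom,billing,P1001,view,
2024-01-18T13:22:50,clerk.tom,billing,P1001,print,
2024-01-18T13:30:12,nurse.kim,nurse,P1001,view,
2024-01-18T14:01:00,nurse.amy,nurse,P2002,view,E556
"""

# Hypothetical care-team assignments: patient -> users with a treatment relationship.
CARE_TEAM = {"P1001": {"nurse.amy", "dr.lee"}, "P2002": {"nurse.amy"}}

# Patients (e.g. public figures) whose records should alert on any access
# from outside the care team, even when an encounter is linked.
WATCHLIST = {"P1001"}


def flag_snooping(log_text, care_team=CARE_TEAM, watchlist=WATCHLIST):
    """Return (user, patient_id, timestamp, reason) for each access that needs review."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        pid, user = row["patient_id"], row["user"]
        if user in care_team.get(pid, set()):
            continue  # the user has a documented treatment reason
        if pid in watchlist:
            alerts.append((user, pid, row["timestamp"],
                           "watchlist patient accessed outside care team"))
        elif not row["encounter_id"]:
            alerts.append((user, pid, row["timestamp"],
                           "access with no linked encounter"))
    return alerts


def summarize(alerts):
    """Count alerts per user, highest first, so repeat offenders surface at the top."""
    counts = defaultdict(int)
    for user, *_ in alerts:
        counts[user] += 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    found = flag_snooping(AUDIT_LOG)
    for user, pid, ts, reason in found:
        print(f"{ts} {user} -> {pid}: {reason}")
    print(summarize(found))
```

On the constructed log this flags the billing clerk twice (a view and a print of the watchlisted patient's record with no encounter) and the second nurse once, while the two care-team accesses and the unrelated patient's encounter pass. The point of the encounter-ID rule is that "no documented reason to be in this chart" is the signal, not the user's role; the watchlist rule is the stricter variant you would apply to patients who are in the news.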
HIPAA Disclosure Standards for Independent Medical Practices
September 22, 2023

Navigating the complexities of HIPAA (the Health Insurance Portability and Accountability Act) is essential for independent medical practices. This federal law protects the privacy of patients' health information, specifically Protected Health Information (PHI). The HIPAA Privacy Rule sets the foundation for PHI protection, stipulating when and how an independent medical practice can share this information without needing explicit authorization from patients. Here's a breakdown for clarity:

1. Treatment, Payment, and Healthcare Operations (TPO): For independent medical practitioners:

2. Consent-Based Disclosures: Individuals can grant written authorization to share their PHI:

3. Public Interest and Benefit Activities: There are situations where PHI can be shared for the broader public interest:

HIPAA Disclosure Scenarios for Independent Practices:

Understanding these disclosure standards ensures that independent medical practices maintain their patients' trust and comply with federal regulations.

Abyde: HIPAA and OSHA Compliance Software

Abyde is a cloud-based software platform that helps healthcare organizations achieve and maintain compliance with HIPAA and OSHA regulations. Abyde provides a comprehensive suite of tools and resources to help organizations with risk assessments, policy and procedure development, employee training, and documentation. Abyde's compliance software can help organizations:

Abyde's software is easy to use and can be customized to meet the specific needs of any healthcare organization. Abyde also offers a variety of support resources, including online training, webinars, and 24/7 customer support.
How Abyde can help healthcare organizations with HIPAA disclosure

Abyde's HIPAA compliance software can help healthcare organizations with HIPAA disclosure by providing tools and resources to help them:

Abyde's software can also help healthcare organizations to:

By using Abyde's HIPAA compliance software, healthcare organizations can help ensure that all PHI disclosures comply with HIPAA regulations and that patient privacy is protected.

Conclusion

HIPAA is a complex law, but it is crucial to understand the basics of its privacy and disclosure rules. Understanding these rules protects your patients' PHI and helps ensure that health information is handled appropriately. To learn how Abyde can help you comply with the three standards of HIPAA disclosure, contact us today for a complimentary consultation by clicking HERE.

Links to appropriate resources
From Hoarding to HIPAA-Compliant: A Guide to Disposing of ePHI and Physical PHI
September 1, 2023

The TV show 'Hoarders' showcases the struggles of individuals who have an extreme tendency to accumulate and hold on to items, sometimes to the point of causing harm or distress. In a medical practice, holding onto Protected Health Information (PHI) that is no longer needed may not only cause harm and distress but can also lead to severe legal penalties. The Health Insurance Portability and Accountability Act (HIPAA) mandates safeguarding PHI, including its proper disposal when no longer needed. This blog post will guide medical practices on how to dispose of electronic PHI (ePHI) and physical PHI in a HIPAA-compliant manner.

Understanding ePHI and Physical PHI

ePHI refers to any PHI that is created, received, maintained, or transmitted in electronic form. This includes information stored in electronic health records (EHR), electronic billing records, digital images, and any other electronic documents containing PHI. Physical PHI refers to any PHI that is in a physical form, such as paper records, printed images, and other tangible materials containing PHI.

The Need for Proper Disposal

Just as the individuals on 'Hoarders' need to declutter their living spaces to create a safer and healthier environment, medical practices need to dispose of ePHI and physical PHI that is no longer needed to create a safer and healthier environment for their patients' information. Holding onto old and unnecessary PHI increases the risk of unauthorized access, identity theft, financial fraud, and reputational damage to the practice. Data you no longer hold cannot be stolen in a breach.

HIPAA-Compliant Disposal Methods

The HIPAA Privacy Rule requires covered entities to implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with its disposal. Additionally, the HIPAA Security Rule (45 CFR 164.310(d)(2)(i)) requires covered entities to implement policies and procedures to address the final disposition of ePHI and the hardware or electronic media on which it is stored.
ePHI Disposal Methods

OCR's disposal guidance describes three options for electronic media, drawn from NIST Special Publication 800-88 (Guidelines for Media Sanitization): clearing (overwriting the media with non-sensitive data), purging (for example, degaussing magnetic media), and destroying the media (disintegration, pulverization, melting, incinerating, or shredding). Overwriting is not reliable on flash-based storage such as SSDs, phones, and USB drives, so purge or destroy those; and when a vendor does the work, keep a certificate of destruction in your records.

Physical PHI Disposal Methods

For paper records, OCR's guidance is to shred, burn, pulp, or pulverize them so that the PHI is rendered essentially unreadable and cannot be reconstructed. Records awaiting destruction must stay locked up until that happens; a bin of intact charts in a hallway is still a disclosure waiting to occur.

Proper disposal of ePHI and physical PHI is a crucial responsibility of medical practices, as HIPAA mandates. Failure to properly dispose of PHI can lead to unauthorized access, severe legal penalties, and reputational damage. Just as the individuals on 'Hoarders' must learn to let go of items that are no longer needed, medical practices must learn to let go of ePHI and physical PHI that is no longer needed, and to do so in a HIPAA-compliant manner. Utilizing Abyde's comprehensive HIPAA and OSHA compliance SaaS solutions can help medical practices navigate these complex requirements effortlessly. By implementing and following proper disposal procedures, often simplified and clarified through Abyde's automated systems, medical practices can create a safer and healthier environment for their patients' information.
So You Have PHI to Dispose of – Now What?
February 26, 2020

The days of simply shredding paper records and files to dispose of Protected Health Information (PHI) are behind us, as the use of technology continues to become more prevalent within the medical industry. Under the HIPAA Privacy and Security Rules, practices are required to implement appropriate administrative, technical, and physical safeguards to protect patient privacy, and covered entities are responsible for implementing and maintaining these policies. For many practices, disposing of electronic or paper PHI the proper way may be daunting. Instead of always shredding a paper file, practices now have to follow the methods for disposing of data recommended by the U.S. Department of Health and Human Services. These methods include:

Without a simple checklist to follow, it is difficult to guarantee that the best measures are being taken to protect this sensitive data. In fact, covered entities and business associates have been hit with hefty fines for not disposing of PHI properly.

RELATED: IS YOUR PRACTICE MEETING HIPAA DATA SECURITY REQUIREMENTS? DOWNLOAD OUR HIPAA CHECKLIST AND FIND OUT!

In one well-publicized example, a shredding company left thousands of patient files unlocked and unguarded for anyone to take. The shredding company, as well as the covered entity whose files were left unsecured, were both hit with monetary settlements. Another incident of improper PHI handling left almost 10,000 individuals impacted. In this case, a pharmacy disposed of an electronic device used for customer signatures without properly wiping the device first. This exposed a vast amount of PHI, including patient names and signatures along with prescription numbers and medication names. Many of these incidents occur because practices lack policies governing business associates and other outside parties that handle patient data.
Another case, which led to monetary penalties totaling a whopping $140,000, resulted from a medical billing company disposing of 67,000 patient records in a public dumpster. Unfortunately, improper disposal of PHI is the source of many data breaches and HIPAA violations. Implementing the correct policies for disposal of PHI is paramount, and each employee must be trained on proper PHI disposal to ensure that your practice is taking every possible step to keep protected health information secure.