March 1, 2024 Handling the complexities of HIPAA regulations can feel like walking a tightrope for healthcare providers. Every interaction with Protected Health Information (PHI) – from creation to disposal – carries potential risk. Fortunately, they’re not alone. Shredding companies, step into the crucial role of Business Associates (BAs), becoming vital partners in ensuring HIPAA compliance. When Disposal Companies Wear the BA Hat: Not all disposal companies fall under the BA umbrella. The key factor hinges on access and interaction with PHI. If a company directly receives, handles, or disposes of PHI on behalf of a covered entity like a hospital or clinic, they automatically become BAs. This means they’re bound to HIPAA legislation, becoming directly liable for the protection of patients’ data. Why Shredding BAs are Essential for HIPAA Compliance: Beyond just disposing of paper, disposal BAs bring critical expertise to the table: Paper-Thin Excuses: The Consequences of Improper Disposal The consequences of improper disposal of PHI can be severe. For instance, the New England Dermatology and Laser Center was fined over $300,000 due to improper disposal of PHI, and having health information in a garbage bin in their parking lot. Data security isn’t a solo act. Recognizing disposal BAs as active partners in the HIPAA compliance journey strengthens the entire healthcare ecosystem. By choosing trusted BAs and fostering open communication, covered entities can leverage their expertise and navigate the ever-evolving regulatory landscape with greater confidence. For Business Associates, being compliant is beyond good business practices, it’s upholding your commitment to patients’ data. Abyde’s newest software, HIPAA for Business Associates is here to simplify compliance for your organization. Abyde’s software includes training, security risk analysis, a BA and CE portal, and many more resources to assist your organization. To learn more about compliance for your organization, email info@abyde.com and schedule a demo today here.
How Kaiser Foundation Rolled Up Its Sleeves to Clean Up Its Waste Game After a $49 Million Settlement
September 12, 2023 Hey there, eco-warriors and healthcare aficionados! Buckle up because we have some intriguing news on the healthcare front that could give you both a sigh of relief and a chuckle. You know the Kaiser Foundation, right? The healthcare giant that’s practically the Beyoncé of California healthcare? Well, they recently found themselves in a bit of a trashy situation. But don’t worry, they’re taking out the trash—literally. What Went Down? Imagine a group of undercover agents not from a blockbuster film but from district attorneys’ offices in counties like San Francisco, San Mateo, and others. Their mission? Inspecting dumpsters at 16 different Kaiser facilities, which, get this, wasn’t even locked. Spoiler alert: The bins weren’t filled with outdated fashion magazines or pizza boxes; they were packed with hazardous and medical waste. We’re talking needles, batteries, and even patient records! Yup, patient records are in the trash. Not good nor compliant! The Rule Book So, some of you might be scratching your heads and thinking, “Wait, isn’t there a rule against this sort of thing?” And, oh boy, are you right! We’ve got the big acronym HIPAA (Health Insurance Portability and Accountability Act) and a handful of Californian laws like the Hazardous Waste Control Law and the Medical Waste Management Act saying, “Nah, that ain’t right!” How Kaiser is Cleaning Up Its Act Kaiser wasn’t like, “Eh, no big deal.” No, siree! They brought in third-party pros to audit over a thousand of their trash piles—now that’s some severe garbage dedication. They’ve also fine-tuned their waste disposal routines faster than you can say “recycle.” And the price for this waste fiasco? Kaiser agreed to a $49 million settlement, with a chunk of it ($37.5 million) going toward civil penalties. They also have to hire an independent auditor for future trash checks. The auditor will ensure that hazardous items and patient info aren’t having dumpster parties together. Attorney General’s Two Cents Rob Bonta, the Attorney General, chimed in to say, “The illegal disposal of hazardous and medical waste is a no-go. Kaiser, as a healthcare provider, should know better.” But he also quickly acknowledged that Kaiser didn’t just shove its head in the sand. They’ve been cooperating to get their waste management back on track. So, what’s the lesson here, folks? Maybe it’s that even giants like Kaiser can trip up, but it’s never too late to get your act together—whether it’s your personal life or your dumpsters. Because, let’s face it, nobody wants their confidential medical history ending up in a landfill next to last week’s tuna casserole. 🗑️✅ Don’t Let Compliance Be Your Blind Spot—Abyde Has Your Back! Navigating the maze of healthcare compliance can be like playing a never-ending game of Whac-A-Mole—just when you think you’ve tackled one issue, another one pops up. And let’s be honest; nobody wants to be the next headline for not properly securing their hazardous waste or protecting patient information. That’s where we come in! 🌟 Abyde specializes in HIPAA and OSHA Compliance solutions. We understand the nitty-gritty details that can keep healthcare administrators up at night, so you don’t have to. With our cutting-edge SAAS solutions, you can rest easy knowing you’re in full compliance with not just federal laws but also state-specific regulations. Our comprehensive audits and easy-to-implement changes can help you avoid dumpster dives and sticky situations like the one Kaiser found itself in. We’re more than just a service; we’re a partner who takes your compliance seriously so you can focus on what really matters—providing exceptional healthcare. So, if you’re looking for a superhero in the complex world of healthcare compliance, look no further. Abyde is the sidekick you didn’t know you needed but won’t be able to live without. Till then, keep your dumpsters clean and your patient records cleaner! 🌱🗂️✨
From Hoarding to HIPAA-Compliant: A Guide to Disposing of ePHI and Physical PHI
September 1, 2023 The TV show ‘Hoarders‘ showcases the struggles of individuals who have an extreme tendency to accumulate and hold on to items, sometimes to the point of causing harm or distress. In a medical practice, holding onto Protected Health Information (PHI) that is no longer needed may not only cause harm and distress but can also lead to severe legal penalties. The Health Insurance Portability and Accountability Act (HIPAA) mandates safeguarding PHI, including its proper disposal when no longer needed. This blog post will guide medical practices on how to dispose of electronic PHI (ePHI) and physical PHI in a HIPAA-compliant manner. Understanding ePHI and Physical PHI ePHI refers to any PHI that is created, received, maintained, or transmitted in electronic form. This includes information stored in electronic health records (EHR), electronic billing records, digital images, and any other electronic documents containing PHI. Physical PHI refers to any PHI that is in a physical form, such as paper records, printed images, and other tangible materials containing PHI. The Need for Proper Disposal Just as the individuals on ‘Hoarders’ need to declutter their living spaces to create a safer and healthier environment, medical practices need to dispose of ePHI and physical PHI that is no longer needed to create a safer and healthier environment for their patients’ information. Holding onto old and unnecessary PHI increases the risk of unauthorized access, identity theft, financial fraud, and reputational damage to the practice. HIPAA-Compliant Disposal Methods The HIPAA Privacy Rule requires covered entities to implement reasonable safeguards to limit incidental and avoid prohibited uses and disclosures of PHI, including in connection with its disposal. Additionally, the HIPAA Security Rule requires covered entities to implement policies and procedures to address the final disposition of ePHI and the hardware or electronic media on which it is stored. ePHI Disposal Methods Physical PHI Disposal Methods Proper disposal of ePHI and physical PHI is a crucial responsibility of medical practices, as HIPAA mandates. Failure to properly dispose of PHI can lead to unauthorized access, severe legal penalties, and reputational damage. Just as the individuals on ‘Hoarders’ must learn to let go of items that are no longer needed, medical practices must learn to let go of ePHI and physical PHI that is no longer needed and to do so in a HIPAA-compliant manner. Utilizing Abyde’s comprehensive HIPAA and OSHA Compliance SAAS solutions can help medical practices navigate these complex requirements effortlessly. By implementing and following proper disposal procedures—often simplified and clarified through Abyde’s automated systems—medical practices can create a safer and healthier environment for their patients’ information.
OCR Settles Case Concerning Improper Disposal of Protected Health Information
August 24, 2022 When it’s time to clean out and organize that ole garage, you probably want to take time to make sure all your sensitive and sentimental items – files, photographs, etc. – are in the right spot before taking them to the dump. It should be no different when it comes to disposing of old devices or hard drives at the office that contain sensitive ePHI, yet practices continue to fail. In recent news, the OCR announced a settlement for a dermatology practice located in Massachusetts that failed to properly dispose of protected health information. As a result, the dermatology practice agreed to pay the hefty fine of $300,640 to the OCR and implement a Corrective Action Plan to resolve the investigation. It may be obvious that paper records require proper disposal – in most cases, shredding or recycling – so that the information cannot be read by the wrong parties. Despite this being common practice, the Massachusetts dermatology practice had PHI that was exposed. Improper disposal is even more common when it comes to disposing of electronic protected health information (ePHI) properly. It is critical that your practice understands how and where to dispose of PHI. But what exactly constitutes proper digital data disposal? Disposing of your PHI is not as simple as clicking the delete or trash button. If you do not completely delete these files from your devices, they can be recovered using high-tech software. The following are some thorough methods for properly disposing of PHI: There are lots of devices that could have been used to store PHI even though you would never realize they do. These devices include: Before you burn those electronic devices in a campfire, remember that HIPAA requires practices to keep PHI for at least 6 years, and maybe longer depending on your state. Devices containing data that is older than six years should be backed up before being wiped clean, and data should be encrypted while being kept. At the end of the day, whether it is boxes of important documents in your garage at home or PHI at your very own practice, it is critical to dispose of it properly and safely.
Disposing of PHI: Why, What and How
August 27, 2020 When it’s time to upgrade to that new wallet or purse you’ve been wanting, you probably take out all your sensitive information – credit cards, license, etc. – before tossing out the old one (we hope so at least). It should be no different when it comes to disposing of old devices or hard drives that contained sensitive ePHI, yet practices continue to miss the mark. It may be obvious that paper records require proper disposal – in most cases, shredding or recycling so that the information cannot be read by the wrong parties. Despite this being common knowledge, incidents continue to arise – such as the recent batch of medical records found unattended at an Odessa recycling center in Texas. Because the records weren’t shredded, their sensitive data was made easily accessible. Improper disposal is even more common when it comes to disposing of electronic protected health information (ePHI) properly. What data needs to be properly disposed of? Anything that does or could have once stored PHI – some you may not even realize – should be properly disposed of to wipe any traces of patient information. This includes: Many devices unknowingly have stored patient information – in emails or text messages, documents accessed on your device web browser, pictures or screenshots, medical images, voicemails, or applications that stored PHI during use. Devices may contain their own storage drives, especially if IoT enabled (connected to your WiFi or internal network). RELATED: So You Have PHI to Dispose of – Now What? What is considered proper digital data disposal? Unfortunately, clicking the ‘delete’ button does not completely remove digital data. Even if you overwrite files, they can still be recovered using software tools. The following are a few ways you can ensure your devices are disposed of properly: Now before you grab those hammers and start smashing up your Windows 7 PC, HIPAA law requires practices to store PHI for at least 6 years and potentially more depending on your state. Devices with data that falls within that 6 year timeframe should be backed up before they are wiped clean, and data should then be encrypted while being stored. Regardless of whether the data is on paper or disk, or the destruction method you choose, it’s imperative to properly dispose of PHI – and make sure nothing retrievable ends up in the wrong hands.