Thursday, July 28, 2016

Preparing for Phase 2 of HIPAA Audits

Phase 2 HIPAA audits are here. It’s no longer a matter of when.
The question is: Are you ready?
On March 21, 2016, the HHS Office for Civil Rights (OCR) launched the second phase of audits for compliance with HIPAA privacy, security and breach notification rules. And in his July 18, article, Second phase of HIPAA audits shifts into high gear, HDM’s Managing Editor Greg Slabodkin informed us that according to OCR, letters were delivered via email to “167 health plans, healthcare providers and clearinghouses” on July 11. Unlike the pilot audits that focused only on covered entities, Phase 2 targets both covered entities and their business associates.
While most of the Phase 2 audits will be desk audits, some onsite audits will be conducted. Phase 2 audits will focus on areas with high occurrences of noncompliance in Phase 1, particularly issues raised during data breach investigations. These include risk analysis and management, notice of privacy practices, timeliness of breach notification, reasonable safeguards, facility access control, and workforce training on policies and procedures.

To prepare for Phase 2 audits, covered entities and business associates should review their HIPAA privacy, security and breach notification policies and confirm that the following requirements are in place and current:

Comprehensive documented risk assessment. Promptly address any deficiencies and complete all action items. Build on the assessment outcomes to create a strong risk assessment management program. Conduct a follow-up security risk analysis periodically to identify, address and document deficiencies that may occur.

Written HIPAA policies and procedures. These should reflect privacy and security standards along with any risks or vulnerabilities identified during the assessment process.

Incident response plan for responding to breach of protected health information (PHI). Implement breach notification policies and procedures that are aligned with requirements under the HIPAA breach notification standards. Conduct practice rounds to prepare staff for a real event should it occur. 

Current Notice of Privacy Practices. Provide printed copies of the most recent notice to patients and also make the notice available on the organization’s website. 

Safeguards to protect all forms of PHI. This applies to paper, electronic and verbal PHI, including mobile devices and storage media. For employees who have personal devices, implement a BYOD policy aligned with HIPAA standards. Keep an up-to-date inventory of all systems and mobile devices.

Workforce training program. Conduct and document training for new employees. Conduct and document ongoing training for all workforce members.

Business associate agreements. Organizations must maintain a current inventory of all business associates. Agreements should be updated and implemented in compliance with current HIPAA requirements.

PHI transmission policy. Verify that all PHI is encrypted, or document a risk analysis to support the decision not to use encryption technology. 

Even if your organization is not selected for a Phase 2 audit, implementing judicious measures now will support future audits and improve HIPAA compliance. 

It doesn’t just end with an audit occurring within the four walls of a healthcare organization. With more healthcare professionals working from home, there is growing concern about the possibility of “at-home” audits - if not now, these may happen in the near future. We’re operating in a virtual world - building a remote workforce, and many HIM departments are sending people home - coders, transcriptionists, even management staff. 

Suppose OCR conducts an onsite audit at your facility and finds that some employees work from home. You must be prepared for the inevitable questions. How are you protecting information offsite? What measures are you taking to make sure PHI is secure? What policies and procedures are in place to address specific issues of at-home worksites? If you’re preparing for OCR audits - or any audits - these are increasingly important points to consider.

Business associates should also be taking a proactive approach in case auditors want to know how workers at home are being audited. Options might include Skype, Facetime or Hangouts. Here are some basic questions to ask employees when evaluating at-home privacy and security risks: 
  • Where are you located in your personal residence? 
  • Is your workspace private? 
  • Are passcodes properly concealed, not posted in the workspace? 
  • Do you use a virtual privacy network (VPN)? 
  • Do you have the capability to print information? 
  • Do you have appropriate shredding capability? 
  • Is your computer set to shut down (encryption mode) in your absence? 
These questions are just the beginning of the conversation. It is critical to communicate clear expectations to employees who work at home - along with consequences if they fail to maintain privacy and security according to your policies and procedures.

A company’s work-from-home policy defines the telecommuting work arrangement, including comprehensive privacy and security practices. The telecommuting employee must sign an agreement to ensure the protection of proprietary information and PHI, and to maintain the same level of confidentiality that exists on the company premises. If issues arise, there are several options depending on the severity of noncompliance - corrective action, education and training, increased audits, return to in-house, or termination of employment.

Although current OCR requirements do not specifically require at-home audits, the regulations clearly state that all reasonable precautions must be taken to ensure that all information is secure and privacy is maintained.

The best way to mitigate regulation issues is to have a solid HIPAA program in place and be well prepared to demonstrate best practices that proactively identify and address risks to PHI.

HIM must work closely with IT and other departments - risk management, C-suite, compliance, training and HR - to properly prepare for audits. HIM directors and their staff understand the content and use of PHI, where it is most likely to be at risk, and how to protect it. As experts in HIPAA and information governance practices, HIM professionals and Compliance Support Partners can lead organizations through a successful audit.

Also See: OCR's Top 7 Areas of Focus During Phase Two Audits

To subscribe to this blog, enter your email address:

Delivered by FeedBurner

Tuesday, July 26, 2016

OCR's Top 7 Areas of Focus During Phase Two Audits

Areas of improvement to focus on within your office.

During phase 2 of the Office for Civil Rights (OCR) HIPAA audits, they have decided to focus their attention on seven areas of compliance. These specific areas were chosen due to their history of non-compliance during multiple audits in the past. This is not to say that OCR will not investigate other areas, but their main focus will be on these specific requirements:

  • Under the HIPAA Privacy Rule
    • Notice of Privacy Practice and consent requirements
    • Provision of notice - electronic notice (NPP acknowledgement in electronic format)
    • Right to access (Patients right to access their PHI)
  • Under the HIPAA Security Rule
    • Security management process - risk analysis (Documented and completed internal risk analysis)
    • Security management process - risk management (Documented policies and procedures that prevent, detect, contain, and correct security violations)
  • Under the Breach Notification Rule
    • Timeliness of notification (Notification of breach given to individual and OCR within required specifications)
    • Content of notification (Notification of breach contains all of the required information as specified by OCR)
These are important areas of compliance that have been neglected or out right ignored by healthcare organizations. If you have not done so, get these areas of compliance in order within your organization.

For information on how to prepare for OCR's Phase 2 HIPAA audits go to:

To subscribe to this blog, enter your email address:

Delivered by FeedBurner

Wednesday, July 20, 2016

Patient Authorization For Disclosure Of PHI

Required Elements Of A Patient Authorization

HIPAA requires that certain elements be present on the authorization that the patient is to sign.  Whenever you receive an authorization (or “release”) asking you to disclose PHI and HIPAA requires an authorization for the disclosure, use this checklist to verify that the authorization meets the HIPAA requirements. If any ONE of the following elements is missing, you should NOT release the patient’s PHI until you have a valid authorization signed by the patient. If ALL the elements are present, the authorization is valid. 

•    A description of the PHI to be used or disclosed that identifies it in a specific and meaningful fashion.  They may request the entire medical record, all records between specific dates, or other specific items. 

•    The name or other specific identification of the person(s), or class of persons, who can make the requested use or disclosure.  For example, the signed request should list either your organization or someone in your organization by name.

•    The person(s), or class of persons, to whom you may make the requested disclosure.  The specific entity(ies) to receive the information should be identified.  A cover sheet stating who should receive the information is NOT sufficient.

•    A description of each purpose of the requested use or disclosure.  The statement “at the request of the individual” is a sufficient description of the purpose when a patient initiates the authorization and does not, or elects not to, provide a statement of the purpose. The above statement or some other description must be present.

•    An expiration date or an expiration event that is related to the individual or the purpose of the use and disclosure.  The statement “end of research study”, “none”, or similar language is sufficient if the authorization is for a use or disclosure of PHI for research.  Again, the statement must be present.

•   Signature of the patient and date.  If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual must also be provided.

•    The individual’ s right to revoke the authorization in writing, any exceptions to that right, and a description of how the individual may revoke the authorization.

•    The ability or inability to condition treatment on the authorization by stating either:  (A) The covered entity may not condition treatment on whether the individual signs the authorization or (B) The consequences to the individual for refusal to sign the authorization.  (Remember that there are very limited circumstances in which action can be a condition on a patient signing an authorization.)

•    A statement that informs of the potential for information to be re-disclosed by the person or organization to which it is sent.  The privacy of this information may not be protected under the Federal Privacy Rule depending on whom the information is disclosed to.

•    If the requested use or disclosure is for marketing purposes.  If the marketing involves direct or indirect remuneration to the covered entity from a third party, the authorization must state such remuneration.

--For more healthcare compliance information and discussion please join the LinkedIn group forum: The Healthcare Compliance Solutions Administrative Alert

To subscribe to this blog, enter your email address:

Delivered by FeedBurner

Thursday, July 14, 2016

5 Pioneering Changes to Healthcare Compliance Support

Excessive weight of compliance regulations has necessitated the need for more guided compliance support

Dr. Paul was just wrapping-up the recent OSHA audit. He was very frustrated as he was found to be in violation of more than a dozen OSHA regulations. Following the completion of his OSHA audit, he called the company he had entrusted with his compliance, Healthcare Compliance Solutions, Inc. (HCSI). After some discussion between Dr. Paul and the representative at HCSI, it was discovered that after Dr. Paul had purchased the HCSI Compliance Program, he did not fully incorporate the program into his seven locations that he was trying to support with the single compliance officer. Dr. Paul and HCSI worked together to ensure that the next audit, OSHA or HIPAA, would have a much different and positive result.

The case study described above really happened. It was this very situation that made it clear to everybody at HCSI that something different needed to be done in compliance support. Major changes were needed to the compliance industry and HCSI has taken it upon themselves to be the pioneer in the reformation process of healthcare compliance support.

Below is the list of the areas identified where changes are necessary:

  • Training - It was previously thought that all an office needed was to train their employees once a year (if that) on compliance regulations while having a pizza party. Once the information was distributed, the employees would go about their days, having learned very little about the organization's procedures or the compliance regulations, and putting the organization at risk of a breach.
  • Policies and Procedures - This is an issue that has proved to be very costly. The federal regulations require effective and written policies and procedures . For too many years this requirement has been taken lightly. Ineffective or incomplete manuals have become a plague on the healthcare industry. Many organizations simply say, "I have bought a manual, so I am compliant".
  • Updating - The federal government requires every compliance program to be continuously updated. This necessitates the need to constant monitoring, adjusting, and retraining of compliance issues. This is either being done halfheartedly, in disarray, or in most cases, not at all.
  • Support - Most organizations only call their compliance support company when they hit the panic button. As we learned in the case study at the beginning of this article, that is simply reactive when the goal with compliance is to be proactive.
The four points listed above are examples of how compliance is currently being supported in the healthcare industry. They are out-of-date and are simply ineffective in giving the healthcare industry the support it needs in order to comply with the federal regulations.

As previously stated, HCSI has taken it upon themselves to be the pioneer in the reformation process of healthcare compliance support. HCSI has recognized that in order to truly protect yourself from compliance liability and effectively adhere to the regulations, it is vital that a cultural change occur within the organization. By establishing a culture of compliance, any healthcare organization will be able to feel assured about their compliance adherence. In order to help healthcare organizations create a culture of compliance, here are the changes HCSI has made to compliance support in the healthcare industry:
  • Training - Created effective online training where each employee is held accountable for their own training. Each administrator has control over adding, deleting, and monitoring their employees. At the end of each training module, a certificate of completion is printed as proof of employee compliance education.
  • Policies and Procedures - Written policies and procedures that are effective in supporting the office are required. HCSI's Audit Manual contains required policies and procedures that the federal government agencies are looking for. In addition, HCSI has created an extensive Compliance Reference Guide that gives further support and understanding for Compliance Officers.
  • Updating - The federal government calls compliance a "continuous journey" and it is this "journey" that they are looking for during an audit. For this reason, weekly, monthly, and quarterly updates are mailed out to each HCSI client. These quarterly updates are reviewed and initialed by each employee as an ongoing training initiative. These updates keep your employees and compliance staff up-to-date with current compliance information and are an important part of the "continuous journey" of compliance.
  • Support - The excessive weight of compliance regulations are taking a toll on the healthcare industry. HCSI has recognized this issue and has addressed it. In order to help ease the weight of compliance, Utilizing Client Relationship Specialists (CRS), HCSI supports its clients in ways that are unique in the healthcare industry. Every new HCSI client receives a phone call on a quarterly basis. HCSI understands that this first year is critical in creating a culture of compliance within the organization. These quarterly calls are intended to support the administrators and ease their burden. After the first year, HCSI will reach-out to each of their clients multiple times throughout the year. Had this new process been in place previously, it would have helped prevent the OSHA violations Dr. Paul experienced in the case study. In addition to the proactive approach to support, HCSI talks with thousands of healthcare professionals who reach out to HCSI's CRS' for answers to their compliance questions. Nobody likes feeling as though they are in the dark. With effective compliance support, no healthcare professional has to feel that way.
  • Additional Resources - In addition to training, policies, updating, and support, HCSI recognized one missing element of support that has been previously missing within the healthcare industry. Customizable forms, resource updates, informational blog, Facebook community, and a Linkedin group, are all additional ways the healthcare industry is able to receive, well over due, comprehensive compliance support.
As Dr. Paul learned in the case study, healthcare organizations are no longer able to simply buy a manual or do the bare minimum. Healthcare compliance support, as it stands now, is no longer a viable option as it is grossly ineffective in protecting the healthcare organization from liability, from protecting patient's information, and protecting the healthcare employees themselves.

HCSI is pioneering a new compliance support program that is revolutionizing how healthcare organizations are meeting the federal compliance regulations. To begin incorporating a culture of compliance within your healthcare organization, look to HCSI's Compliance Program.

To subscribe to this blog, enter your email address:

Delivered by FeedBurner

Wednesday, July 13, 2016

Five Areas that Require Bio-hazard Labeling


The Bloodborne Pathogens Standard outlines the regulations for bio-hazard labeling and color-coding. Three signals can alert you to the presence of a bio-hazard or bio-hazardous waste: the word “bio-hazard”, the bio-hazard symbol, or the fluorescent orange or orange-red color-coding.

These five areas are ones to watch for bio-hazard labeling in your facility:

1. Regulated medical waste containers and other containers (according to OSHA) that warning labels must be affixed to:
  • Containers of regulated waste,
  • Refrigerators and freezers containing blood or other potentially infectious material; and
  • Other containers used to store, transport or ship blood or other potentially infectious materials.
  • Containers of blood, blood components, or blood products that are labeled and have been released for transfusion,
  • Individual containers of blood or other potentially infectious materials that are placed in a labeled container during storage, transport, shipment or disposal, or
  • Regulated waste that has been decontaminated.

2. Sharps Containers

Sharps containers must also be labeled or color-coded in accordance with the requirements of the Bloodborne Pathogens Standard.

3. Contaminated Laundry

The Bloodborne Pathogens Standard also requires contaminated laundry to be placed and transported in labeled or color-coded bags. When a facility utilizes Universal Precautions in the handling of all soiled laundry, alternative labeling or color-coding is sufficient if it permits all employees to recognize the containers as requiring compliance with Universal Precautions.
When a facility ships contaminated laundry off-site to a second facility which does not utilize Universal Precautions in the handling of all laundry, the facility generating the contaminated laundry must place such laundry in labeled or color-coded bags or containers.

4. Specimens

Specimens of blood or other potentially infectious materials must be placed in a container which prevents leakage during collection, handling, processing, storage, transport, or shipping. The container for storage, transport, or shipping must be labeled or color-coded and closed prior to being stored, transported, or shipped.

5. Equipment

Equipment that may become contaminated with blood or other potentially infectious materials shall be examined prior to servicing or shipping and shall be decontaminated as necessary, unless the employer can demonstrate that decontamination of such equipment or portions of such equipment is not feasible, according to OSHA. A readily observable bio-hazard label shall be attached to the equipment stating which portions remain contaminated.
Ensure that you have bio-hazard labeling or color-coding, as necessary, in these five areas and in other areas of your facility that fall under the guidelines of OSHA’s Bloodborne Pathogens Standard 1910.1030.  In practice, most facilities typically use BOTH bio-hazard labeling AND color-coding in most cases.

For more information please join the LinkedIn group: The Healthcare Compliance Solutions Administrative Alert

To subscribe to this blog, enter your email address:

Delivered by FeedBurner