Showing posts with label OCR.

Thursday, July 27, 2017

HHS Launches New Video Training Module for HIPAA Patient Right to Access


The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced a new video training module for health care providers on the HIPAA right of access.

According to HHS, the new training module provides an “in-depth review of the components of the HIPAA right of access and ways in which it enables individuals to be more involved in their own care.” The training module provides helpful suggestions about how health care providers can integrate aspects of the HIPAA access right into medical practice. This activity is intended for primary care physicians, obstetricians and gynecologists, pediatricians, and nurses.

The goal of this activity is to review components of the Health Insurance Portability and Accountability Act (HIPAA) right of access and ways in which it enables individuals to be more involved in their own care.

Upon completion of this activity, participants will have increased knowledge regarding:

  • The components of the HIPAA access right, including an individual's ability to direct a copy of their health information to a third party, including a researcher 
  • How the HIPAA right of access enables individuals to become more involved in their care
Information about training materials can be found on the HHS website here: https://www.hhs.gov/hipaa/for-professionals/training/index.html.

The video module can be found here: http://www.medscape.org/viewarticle/876110


The module contains a video (approximately 37 minutes) titled “An Individual’s Right to Access and Obtain Their Health Information Under HIPAA” and features Deven McGraw, Deputy Director for Health Information Privacy at the U.S. Department of Health and Human Services. The video discusses why privacy protections are important, but mainly focuses on the patient’s right of access, including:

  • what fees can be charged
  • whether records may be sent unsecured at the patient’s request
  • how quickly the records need to be provided to the patient upon request
  • which records can be excluded from a patient’s right to access
  • an individual’s ability to have a copy of his/her health information sent directly to a third party.

Upon completion of this activity, physicians receive free Continuing Medical Education (CME) credit and other health care professionals receive Continuing Education (CE) credit. To receive credit you need a Medscape user ID and password; registration is free, and there are no fees for participating in or receiving credit for this activity.



Additional Training Materials and Resources



Helping Entities Implement Privacy and Security Protections

The HIPAA Rules are flexible and scalable to accommodate the enormous range in types and sizes of entities that must comply with them. This means that there is no single standardized program that could appropriately train employees of all entities. 

HealthIT.gov’s Guide to Privacy and Security of Electronic Health Information provides a beginner's overview of what the HIPAA Rules require, and the page has links to security training games, risk assessment tools, and other aids.

Patient Privacy: A Guide for Providers (login required), is an educational program for health care providers on compliance with various aspects of the HIPAA Privacy and Security Rules. Physicians can earn free Continuing Medical Education (CME) credits and health care professionals will receive Continuing Education (CE) credits.

State Attorneys General training materials provide a more comprehensive overview of HIPAA compliance.




Want to learn more about the HIPAA Privacy & Security Rules? Sign Up for the OCR Privacy & Security Listserv

OCR has established two listservs to inform the public about health information privacy and security FAQs, guidance, and technical assistance materials. We encourage you to sign up and stay informed!

For additional information about HIPAA Privacy and HIPAA Security training for yourself and your staff, please contact Healthcare Compliance Solutions Inc. (HCSI): (801) 947-0183


Thursday, June 15, 2017

Hold Your Business Associates' Feet To The Fire

Documented HIPAA compliance training is NOT an option for your Business Associates!

With the focus of the Office for Civil Rights (OCR) so squarely on the Business Associates of Covered Entities, it is more important than ever to hold your Business Associates' feet to the fire when it comes to requiring proof of their HIPAA training.

It is strongly recommended that Covered Entities require all of their Business Associates (see 45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)) to provide documented proof of their HIPAA compliance training. This documentation could take the form of individual employee training certificates or, if the Business Associate does not issue training certificates, a signed addendum to your Business Associate Agreement (BAA) attesting that the Business Associate's HIPAA training program has been completed and will be repeated annually, to maintain a standard of ongoing compliance training and awareness of evolving requirements.

Far too often, I have talked with Covered Entities whose Business Associates verbally claimed that all of their employees were HIPAA trained, but could not provide documented proof. Simply saying, "Yah sure, we do HIPAA training..." is not enough proof for OCR. It is vital that Covered Entities be able to document their Business Associates' claims of having completed HIPAA training. If a Covered Entity is working with a Business Associate that either does not have documented proof of its HIPAA training program or refuses to supply the Covered Entity with such documentation, then that Covered Entity has two options:
  1. Recommend a BA HIPAA Compliance Training Program to the Business Associate; or
  2. Begin exploring the option of no longer doing business with that particular Business Associate.
Remember a BAA is a binding legal Contract and should be treated accordingly. Having Business Associates provide documented proof of a HIPAA training program will greatly assist in helping to limit additional liabilities for a Covered Entity and their patients.



Thursday, March 16, 2017

Policies and Procedures, Compliance Training and HR

Maintaining Compliance and also Keeping HR in the Loop
In your ongoing efforts to provide an office culture of compliance, it is important to remember that HIPAA requires covered entities to establish and implement written policies and procedures that are consistent with its Privacy and Security Rules.  It can also be important for your Human Resource officer(s) to be involved with HIPAA compliance related issues in the business.

The U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) has begun its Phase 2 HIPAA Audit Program.  The Program focuses on the policies and procedures adopted and employed by covered entities and their business associates to meet the requirements of the Privacy, Security, and Breach Notification Rules.  Furthermore, if a group health plan is selected for an audit, it has a very short time to produce its policies and procedures (i.e., 10 business days).  If the group health plan does not comply (for example, because it does not have policies and procedures), OCR will likely impose corrective measures, which could include costly civil monetary penalties.

HIPAA policies and procedures have important functions, including but not limited to:
  • Limiting uses and disclosures of Protected Health Information (“PHI”) to the minimum amount reasonably necessary to achieve the purpose of the use or disclosure;
  • Identifying the workforce members who need access to PHI and electronic PHI (“e-PHI”) to carry out their duties, the categories of PHI that they need, and any conditions under which they need the PHI to do their jobs;
  • Ensuring appropriate protection of e-PHI when it is transferred, removed, disposed and electronic media is re-used; and
  • Ensuring that e-PHI is not improperly altered or destroyed.
However, it is not sufficient for a covered entity to merely adopt its HIPAA policies and procedures.  The health practice office must also:
  • Designate a privacy and security official to develop and implement policies and procedures; 
  • Train applicable workforce members on its policies and procedures as necessary for them to carry out their functions, and apply appropriate sanctions against workforce members who violate its policies and procedures;
  • Periodically assess how well its policies and procedures meet the requirements of the Security Rule; and
  • Designate a contact person responsible for receiving complaints and providing individuals with information on the covered entity’s privacy practices.
There is no template for HIPAA policies and procedures.  Instead employers have the flexibility to design policies and procedures that are appropriate for their size, organizational structure, and risks to PHI and e-PHI.  Furthermore, as employers evolve, so should their policies and procedures.  For example, if an employer adopts a telework policy, it may wish to review whether its policies and procedures appropriately address issues involving remote access.


In summary, although this is not a new requirement, new technologies, evolving business and regulatory practices, and impending HHS audits mean employers should review their HIPAA policies and procedures to make sure they are compliant and up to date. Many HIPAA policies inherently overlap with Human Resources' duties: training, disciplinary actions and employee health information, for example.
The increase in audits — combined with everything from changes in technology, the addition of a health and wellness program and concerns about hacking — serve as a good reminder why employers should revisit HIPAA training often and collaborate with HR to ensure compliance.

Many of the employers facing fines are healthcare providers, health plans or healthcare clearinghouses (organizations considered as covered entities under HIPAA). But most HR professionals also handle protected health information (PHI) to some extent, which puts them in danger of violating the HIPAA Privacy Rule.

Employers should have a written policy in place about how they handle PHI and designate PHI handlers and a HIPAA privacy officer. The policy should outline what types of information are considered PHI and how employers may and may not use it. It should also include a procedure for handling complaints and a process for employees to file them if they think their privacy rights are being violated.

Employees who may handle PHI should be trained on the dos and don’ts of handling protected health information, especially as it relates to electronic information. It’s vital for the HR team to understand the implications of handling PHI in emails, storing it in the cloud, or communicating about it over other electronic channels. And when discussing matters containing PHI with an employee, it’s important to have a signed HIPAA authorization form for the release of employee health information.

Lastly, the HIPAA privacy officer should review compliance documents and ensure that agreements with vendors who handle PHI, called “business associate agreements,” are up to date. The federal government considers vendors and subcontractors to be business associates if they handle PHI on behalf of the covered entity.

Source(s): http://www.hhs.gov, http://www.jdsupra.com, https://www.benefitnews.com, http://www.hcsiinc.com



Tuesday, January 17, 2017

OCR Updates HIPAA Guidance on Sharing Information with Patients’ Loved Ones, Family and Friends

Clarification For Sharing Patient Information
A January 10, 2017 issuance from the Health and Human Services (HHS) Office for Civil Rights (OCR) updates OCR's privacy guidance to clarify that the HIPAA Privacy Rule permits disclosures of health information to a patient's loved ones regardless of whether they are recognized as relatives under applicable law. The guidance is meant to help healthcare professionals clear up confusion about allowable disclosures of protected health information to spouses, relatives, and patients’ loved ones.

Most healthcare professionals are aware that the HIPAA Privacy Rule permits them, in the exercise of their professional judgment, to share a patient's protected health information with a relative or loved one involved in the patient's care, or when doing so is in the patient's best interest. However, the 2016 Orlando nightclub shooting revealed that many healthcare professionals are unsure how the Privacy Rule provision at 45 CFR 164.510(b) applies to same-sex couples.

OCR has confirmed that the Privacy Rule permits a covered entity to “share PHI with an individual’s family member, other relative, close personal friend, or any other person identified by the individual, the information directly relevant to the involvement of that person in the patient’s care or payment for health care.” OCR has also confirmed that covered entities are allowed to disclose relevant information “to notify, or assist in the notification of (including by helping to identify or locate), such a person of the patient’s location, general condition, or death.”
The recipient can be a “patient’s family member, relative, guardian, caregiver, friend, spouse, or partner,” but also any other individual who is a nominated personal representative of the patient. A personal representative of a patient must, as far as the Privacy Rule is concerned, be treated as the individual for purposes such as exercising the patient’s Privacy Rule rights, including providing access to their health information. There are limited exceptions, which are detailed in 45 CFR 164.502(g).

OCR has confirmed that covered entities are permitted to share a patient’s PHI with same-sex partners, and explains that the list of potential recipients of PHI is in no way affected by an individual patient’s sex or gender identity, and neither by the sex or gender of the potential recipient.

OCR also sought to confirm who can be classed as a personal representative of the patient, saying “the Privacy Rule generally looks to state laws governing which persons have authority to act on behalf of an individual in making decisions related to health care.”

For example, if a state grants legally married spouses health care decision making authority for each other, a covered entity would be in violation of the Privacy Rule if access to the patient’s information was not granted if requested by a spouse, regardless of the sex of that individual.

While the covered entity should seek permission from the patient concerned prior to sharing information, in cases when the patient is incapacitated or not available, covered entities should use their professional judgement if the sharing of information is in the patient’s best interest. Should a patient be deceased, information can be shared with a person who has been involved in the patient’s care or who has made payment for medical services prior to the patient’s death.

The new OCR privacy rule guidance, issued in a frequently asked questions format, was developed in large part to address confusion following the 2016 Orlando nightclub shooting about whether and when hospitals may share protected health information with patients' loved ones, OCR says in a statement. "In particular, the FAQ makes clear that the potential recipients of information under the relevant permissive disclosure provisions ... are not limited by the sex or gender identity of the person," OCR says.

On that same topic, OCR also issued updated guidance "that makes clear that the terms 'marriage, spouse and family member' include, respectively, all lawful marriages (whether same-sex or opposite-sex), lawfully married spouses and the dependents of all lawful marriages, and clarifies certain rights of individuals under the Privacy Rule."

Healthcare Compliance Solutions Inc. recommends consulting with your practice or organization's attorney and/or your state medical association/board to verify your state's legislation regarding the definitions and legal ramifications of terms relating to this regulation, such as "Personal Representative", "Lawful Marriage", "Family Member", etc.


Wednesday, September 7, 2016

Do You Know Who Your Employees Are?

This new monthly cyber awareness alert from the Department of Health and Human Services’ Office for Civil Rights (OCR) prods organizations to closely evaluate the risks their employees pose.


Insider threat is becoming one of the largest threats to organizations, and some cyberattacks are insider-driven. Although not all insider threats are malicious or intentional, their effect can be damaging to a Covered Entity or Business Associate and can negatively impact the confidentiality, integrity, and availability of its ePHI. According to a survey recently conducted by Accenture and HfS Research, 69% of organization representatives surveyed had experienced an insider attempt at, or success in, data theft or corruption. Further, one Covered Entity reported that an employee had unauthorized access to the ePHI of 5,400 patients for almost 4 years.

US-CERT defines a malicious insider threat as a current or former employee, contractor, or business partner who:
  • has or had authorized access to an organization’s network, system, or data; and
  • has intentionally exceeded or intentionally used that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.

According to a survey conducted by U.S. Secret Service, CERT Insider Threat Center, CSO Magazine, and Deloitte, the most common e-crimes committed by insiders are:
  • unauthorized access to or use of organization information;
  • exposure of private or sensitive data;
  • installation of viruses, worms, or other malicious code;
  • theft of intellectual property.

Covered Entities and Business Associates should consider:
  • Developing policies and procedures to mitigate the possibility of theft of ePHI, sabotage of systems or devices containing ePHI, and fraud involving ePHI. These policies and procedures should enforce separation of duties and least privileges, while also applying rules that control and manage access, configuration changes, and authentication to information systems and applications that create, receive, maintain, or transmit ePHI.
  • Conducting screening processes on potential employees to determine if they are trustworthy and appropriate for the role for which they are being considered. Effective screening processes can be applied to allow for a range of implementations, from minimal to more stringent procedures based on the risk analysis performed by the entity and role of the potential employee. Examples of potential screening processes could include checks of the HHS OIG LEIE (List of Excluded Individuals and Entities) to check for health care fraud and related issues and criminal history checks to verify past criminal acts. When implementing a screening process, please be sure to review and comply with any applicable federal, state or local laws regarding the use of screening processes as part of the hiring process.
  • Following US CERT steps to protect ePHI from insider threats: 
1. Consider threats from insiders and business associates in enterprise-wide risk assessments.
2. Clearly document and consistently enforce policies and controls.
3. Incorporate insider threat awareness into periodic security training for all employees.
4. Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior.
5. Anticipate and manage negative issues in the work environment.
6. Know your assets.
7. Implement strict password and account management policies and practices.
8. Enforce separation of duties and least privilege.
9. Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.
10. Institute stringent access controls and monitoring policies on privileged users.
11. Institutionalize system change controls.
12. Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions.
13. Monitor and control remote access from all end points, including mobile devices.
14. Develop a comprehensive employee termination procedure.
15. Implement secure backup and recovery processes.
16. Develop a formalized insider threat program.
17. Establish a baseline of normal network device behavior.
18. Be especially vigilant regarding social media.
19. Close the doors to unauthorized data exfiltration.
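As an added example (not part of the OCR alert or the US-CERT list above), the Python script below shows what items 12 and 17 look like in practice for the case the alert describes, an employee reading charts they had no business reading for years. It runs three detections over EHR access audit log lines: charts opened by a user with no documented treatment or payment relationship to the patient, activity from an account that HR has marked terminated (item 14), and a user-day whose number of distinct charts is far above the median for that role (the "baseline of normal behaviour"). Every log line, user name, patient ID, the care-team roster and the HR termination feed are constructed for the example; a real deployment would pull them from the EHR audit trail, scheduling/billing data and the HR system.

```python
"""Insider-threat detections over EHR access audit logs (added example)."""
from collections import defaultdict
from datetime import date, datetime
from statistics import median

# Constructed sample audit log: timestamp,user,role,patient_id,action
SAMPLE_LOG = """\
2016-08-01T08:05:00,rnurse1,nurse,P1001,view
2016-08-01T08:40:00,rnurse1,nurse,P1002,view
2016-08-01T09:15:00,rnurse1,nurse,P1003,update
2016-08-01T09:20:00,rnurse2,nurse,P1005,view
2016-08-01T09:50:00,rnurse2,nurse,P1006,view
2016-08-01T10:00:00,bclerk,billing,P1001,view
2016-08-01T11:00:00,mallory,nurse,P1008,view
2016-08-01T11:10:00,mallory,nurse,P1009,view
2016-08-01T12:30:00,mallory,nurse,P1001,view
2016-08-02T08:10:00,rnurse1,nurse,P1001,view
2016-08-02T09:00:00,rnurse2,nurse,P1005,view
2016-08-02T09:05:00,rnurse2,nurse,P1006,update
2016-08-02T09:10:00,rnurse2,nurse,P1007,view
2016-08-02T09:30:00,bclerk,billing,P1003,view
2016-08-02T13:00:00,tjones,nurse,P1005,view
"""
# Constructed burst: 'mallory' opens twelve unrelated charts late on 08-02.
SAMPLE_LOG += "".join(
    f"2016-08-02T22:{i:02d}:00,mallory,nurse,P{1010 + i},view\n" for i in range(12)
)
# Constructed care-team roster: (user, patient) pairs with a documented
# treatment or payment relationship (in practice from scheduling/billing data).
CARE_TEAM = {
    ("rnurse1", "P1001"), ("rnurse1", "P1002"), ("rnurse1", "P1003"),
    ("rnurse2", "P1005"), ("rnurse2", "P1006"), ("rnurse2", "P1007"),
    ("bclerk", "P1001"), ("mallory", "P1008"), ("mallory", "P1009"), ("tjones", "P1005"),
}
# Constructed HR feed: accounts whose owners have left, with the exit date.
TERMINATED = {"tjones": date(2016, 7, 15)}


def parse_log(text):
    """Turn the CSV audit lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, patient, action = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient, "action": action})
    return events


def daily_distinct_patients(events):
    """Map (user, role, day) to the number of distinct charts touched."""
    seen = defaultdict(set)
    for e in events:
        seen[(e["user"], e["role"], e["ts"].date())].add(e["patient"])
    return {key: len(charts) for key, charts in seen.items()}


def role_baselines(counts):
    """Median user-day chart count per role: the 'normal' behaviour baseline."""
    per_role = defaultdict(list)
    for (_, role, _), n in counts.items():
        per_role[role].append(n)
    return {role: median(values) for role, values in per_role.items()}


def detect(events, care_team=CARE_TEAM, terminated=TERMINATED, factor=3.0, floor=5):
    """Return findings as dicts with keys rule, user and value."""
    findings = []
    # Rule 1: charts opened without a documented treatment/payment relationship.
    unrelated = defaultdict(set)
    for e in events:
        if (e["user"], e["patient"]) not in care_team:
            unrelated[e["user"]].add(e["patient"])
    for user, charts in sorted(unrelated.items()):
        findings.append({"rule": "no_treatment_relationship", "user": user,
                         "value": sorted(charts)})
    # Rule 2: activity from an account HR says was terminated.
    stale = defaultdict(list)
    for e in events:
        end = terminated.get(e["user"])
        if end is not None and e["ts"].date() > end:
            stale[e["user"]].append(e["ts"].isoformat())
    for user, times in sorted(stale.items()):
        findings.append({"rule": "terminated_account_active", "user": user, "value": times})
    # Rule 3: daily volume far above the role baseline. The absolute floor keeps a
    # baseline of one or two charts from turning every busy day into an alert.
    counts = daily_distinct_patients(events)
    baselines = role_baselines(counts)
    for (user, role, day), n in sorted(counts.items()):
        if n >= floor and n > factor * baselines[role]:
            findings.append({"rule": "volume_above_baseline", "user": user,
                             "value": (day.isoformat(), n, baselines[role])})
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f"{f['rule']:28} {f['user']:10} {f['value']}")
```

Run stand-alone it reports bclerk and mallory for unrelated charts, tjones for a terminated account still in use, and mallory's 12-chart evening against a nurse median of 3. The per-role median is deliberately robust to the outlier it is meant to catch; a mean would be dragged upward by the snooping user. In a SIEM the same three rules map directly onto correlation searches over the EHR audit feed joined with the HR and scheduling feeds.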

Source(s): US-CERT, http://www.hhs.gov/ocr/, HCSI



Friday, August 19, 2016

Compliance Essentials: Training

Training is one of the essential cornerstones of any effective compliance program.

Training is an investment for any organization. That investment pays great dividends in the form of liability protection when it comes to compliance. However, with that being said, some organizations are still hesitant to train their employees or outright refuse to make this very important investment.

When it comes to Federal and State compliance, the decision to train employees has been taken out of the hands of the organization. For example, the HIPAA Privacy Rule, enforced by the Office for Civil Rights (OCR), states:


"§164.530(b)(1) Standard: Training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity."

In the event of a HIPAA audit, the auditor will ask him or herself a discovery question:


"Does the covered entity train its work force and have a policies and procedures to ensure all members of the workforce receive necessary and appropriate training in a timely manner as provided for by the established performance criterion?"

In addition, the auditor will take the following action:

"Obtain and review such policies and procedures. Areas to review include training each new member of the workforce within a reasonable period of time and each member whose functions are affected by a material change in policies or procedures. From the population of new hires within the audit period, obtain and review a sample of documentation of necessary and appropriate training on the HIPAA Privacy Rule that has been provided and completed."

And finally, the auditor will:

"Obtain and review documentation that workforce members have been trained on material changes to policies and procedures required by the HITECH Act."

What is the pattern in the auditor's approach above?

  1. As a matter of policy, require that all employees be fully trained
  2. Ensure that the organization has established policies and procedures
  3. Verify that training is being done by obtaining documentation of training and policies/procedures
The same pattern is followed by other government organizations. Documented compliance training is required for OSHA, Medicare, and various other areas where compliance is required.

When organizations give their employees the resources and information they need to be compliant with these various regulations, they begin to establish a culture of compliance within the organization. 

Compliance training is not a request, and it is not an addressable specification; it is REQUIRED!

Employee training is an investment worth making. However, compliance training is not just a good investment, it is liability protection that any organization cannot be without.




Friday, August 5, 2016

Compliance Essentials: Documentation

Documentation is one of the essential cornerstones of any effective compliance program.

Henry was understandably nervous on the day his office was audited by the Office for Civil Rights (OCR). While still feeling some butterflies, he was confident that his compliance efforts would pass the HIPAA audit. Henry was then asked a series of questions:

Auditor - Does your office have established policies and procedures?
Henry - Yes we do!
Auditor - Show them to me.
Henry - Here is a copy of our employee handbook.
Auditor - This does not contain the necessary written information.
Henry - I thought it was enough . . .

Auditor - Does your office train your employees continuously?
Henry - Yes we do!
Auditor - Show me the training documentation.
Henry - Our employees are trained on compliance every year at our annual "compliance and pizza" meeting.
Auditor - That is not what I asked for.
Henry - I thought it was enough . . .

Auditor - Show me your breach disclosure log.
Henry - Our breach disclosure log . . .
Auditor - Do you not have one?
Henry - I'm not even sure what that log is.

At this point in the audit, Henry's confidence has vanished and he is now thinking about the possibility of having to look for another job.

OCR has stated that it views compliance as an "ongoing journey". When you are on a journey, your attention is focused on what lies ahead. However, if you stop for a moment and look behind you, you will see past evidence of your journey in the form of footprints. If you turn around, you will be able to retrace your journey by following those footprints. If it was not for your footprints, you would not be able to retrace your journey back to where you started.

This same idea of retracing your footprints and being able to follow the history of your journey applies to your "ongoing journey of compliance". However, rather than leaving footprints behind you, you leave a paper trail called documentation. By keeping your documentation up to date, you have a history of your compliance activity and evidence of where you currently stand (policies and procedures).

There are numerous benefits to good documentation:
  1. Paper Trail - This will be useful in demonstrating your compliance activity for an audit and as possible protection against liability.
  2. Compliance Story - It is not only about what you did and the final outcome, but also what factors were part of your decision-making process and what led you to make the final decision.
  3. Hand-Me-Down - When an office changes Administrators or Compliance Officers, the newly appointed employee will be able to review previous documentation and gain a better understanding of the organization's compliance history.
  4. Employee "Misunderstandings" - Documentation of policies and procedures goes a long way toward eliminating the employee "misunderstandings" that tend to crop up. If an employee says that they did not know the policy, you can refer to the written policy and the acknowledgement of it that they signed during their training.
During an OCR audit, the auditors want to look at your "ongoing journey of compliance". If your documentation is done well and is up to date, you won't have to shy away from their questions. Simply take their hand and guide them through the history of your "ongoing journey of compliance" by following your own footprints.





Wednesday, May 4, 2016

Do You Understand The HIPAA Security Risk Management Process?

Risk Analysis Requirements Under The Security Rule
The HIPAA Security Rule requires that covered entities (your practice) conduct a Security Risk Analysis/Assessment for your organization and keep it current. The Rule itself does not fix a frequency; HHS guidance calls for the analysis to be reviewed and updated periodically (for example, when systems, vendors or the practice change), and an annual review is the minimum most practices adopt. It is critical that practices perform the Security Risk Analysis for several reasons. Not only is it important to comply with HIPAA and with Health and Human Services (HHS) and Office for Civil Rights (OCR) rules and regulations, but there is also what you should consider a more motivational reason: to protect your practice (and bank account) from what could become debilitating fines and penalties.

The Security Management Process standard in the Security Rule requires each organization to “implement policies and procedures to prevent, detect, contain, and correct security violations” (45 C.F.R. § 164.308(a)(1)) as they apply to its particular practice. Risk Analysis is one of four required implementation specifications that provide instructions for implementing the Security Management Process standard (the others are risk management, a sanction policy, and information system activity review). This article covers the Risk Analysis implementation specification. Section 164.308(a)(1)(ii)(A) states:

RISK ANALYSIS (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the organization.

Each organization must evaluate for itself the most appropriate answers to the questions contained in its own Risk Analysis. From the information gained while conducting your Risk Analysis you should prepare a Security Risk Action Plan documenting your findings, your conclusions and your plans to address risk issues.

This Action Plan should identify the current state of your practice across three areas of control (environmental, facility and hardware/software) against the threat categories HHS guidance names (human, natural and environmental). It should also rank issues from high to low risk and prescribe plans of action to address them in priority order. Document your plans based on the risk analysis findings and your practice's available resources, focusing first on the higher-risk issues, and document the policies and procedures you adopt going forward to mitigate damage to, disruption of, or loss of Protected Health Information (PHI). The Security Rule requires the Risk Analysis to be documented but does not require a specific format (see 45 C.F.R. § 164.316(b)(1)). The Risk Analysis documentation is a direct input to your Risk Action Plan and overall Risk Management Process.
The following questions are examples that your organization could consider as part of a risk analysis. These sample questions are not prescriptive and merely identify issues an organization may wish to consider in implementing the Security Rule:

1. Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain or transmit.
2. What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain or transmit your e-PHI?
3. What are the human, natural, and environmental threats to information systems that contain e-PHI?

In addition to an express requirement to conduct a Risk Analysis, the Rule indicates that a Risk Analysis is a necessary tool in reaching substantial compliance with many other standards and implementation specifications. For example, the Rule contains several implementation specifications that are labeled “addressable” rather than “required.” (68 FR 8334, 8336 (Feb. 20, 2003).) An addressable implementation specification is not optional; rather, if an organization determines that the implementation specification is not reasonable and appropriate the organization must document why it is not reasonable and appropriate and adopt an equivalent measure if it is reasonable and appropriate to do so. (See 68 FR 8334, 8336 (Feb. 20, 2003); 45 C.F.R. § 164.306(d)(3).)   

In recent months, OCR has acknowledged that providers are not making compliance implementation a priority in their practices. As a result, the risk of unauthorized access, use, and disclosure of protected (yet quite vulnerable) PHI remains a factor, as does the risk that practices fail to implement other critical areas of compliance, which leaves them significantly vulnerable and exposed to a heightened risk of substantial fines and penalties. While this information only briefly describes the risk to your practice, providers, workforce, and patients, the message to take away is that the Office for Civil Rights means business: so much so that it has decided the best and only way to make sure practices understand the significance of compliance is for OCR, along with other governing entities, to increase enforcement efforts.

There is no such thing as "under the radar" or "off the grid" for practicing providers today. One component of enforcement is in HIPAA Security. It's a priority for HIPAA to ensure that potentially patient identifying and vulnerable information is secure. And rightfully so, when you consider the risk of potential identity theft, medical identity theft, and other dangers posed to patients due to the amount and types of information that health care providers have on each patient. Not to mention, the difficulty in finding the source of and stopping the effects of identity theft or medical identity theft, should that occur (which it does, all too often).
 
Organizations should use the information gleaned from their Risk Analysis as they, for example:
  1. Design appropriate personnel screening processes. (45 C.F.R. § 164.308(a)(3)(ii)(B).) 
  2. Identify what data to backup and how. (45 C.F.R. § 164.308(a)(7)(ii)(A).) 
  3. Decide whether and how to use encryption. (45 C.F.R. §§ 164.312(a)(2)(iv) and (e)(2)(ii).) 
  4. Address what data must be authenticated in particular situations to protect data integrity. (45 C.F.R. § 164.312(c)(2).)
  5. Determine the appropriate manner of protecting health information transmissions. (45 C.F.R. § 164.312(e)(1).)
Though there are other components of compliance, the Security Risk Analysis is one very essential component to compliance, and for many reasons. The Security Risk Assessment shows your practice's good faith effort in establishing and maintaining appropriate policies and procedures that meet guidelines and minimize risk to your practice, patients and their protected information. The Security Risk Analysis is required as a way for practices to show ongoing monitoring of critical business systems.

Enforcement of this area is at an all-time high and will continue to gain steam. The best thing practices can do is to be proactive and show initiative. Also note that the Security Risk Analysis/Assessment is required for Meaningful Use attestation. Practices that are found to have received incentive payments through Meaningful Use but have not appropriately conducted a Security Risk Analysis/Assessment per attestation requirements are having to refund all of the incentive payments received, as well as run the very high risk of more in-depth investigations and other potential penalties.

Risk Analysis is the first step in an organization’s Security Rule compliance efforts. Risk analysis is an ongoing process that should provide the organization with a detailed understanding of the risks to the confidentiality, integrity, and availability of e-PHI. The outcome of the risk analysis process is a critical factor in assessing whether a required implementation specification or an equivalent measure is reasonable and appropriate. 


Tuesday, March 29, 2016

New HIPAA Audits May Prove Troublesome...If Not Prepared

The long-awaited next round of HIPAA audits has started, and providers may face a host of compliance and enforcement challenges, say health-care attorneys.

For example, the Health and Human Services Office for Civil Rights said it may conduct additional compliance reviews if an audit uncovers “serious issues,” which could lead to civil monetary penalties, Daniel Gottlieb, an attorney with McDermott Will & Emery in Chicago, told Bloomberg BNA on March 23, 2016.

Gottlieb said it's unclear how the OCR will define what constitutes a “serious issue,” and that uncertainty will be a burden to providers.

Certain policies that haven't been updated recently could become the grounds for additional compliance reviews outside the audit process, depending on the OCR's definition of a serious issue, Gottlieb said.

OCR Director Jocelyn Samuels announced the start of the phase two audits at a March 21 conference.

The compliance audits are intended to determine if health-care organizations and their contractors are complying with the Health Insurance Portability and Accountability Act's Privacy, Security and Breach Notification rules.

While the first round of audits focused solely on covered entities, phase two will address covered entities and business associates.

The audits are being conducted by FCi Federal, a government services provider in Ashburn, Va., that was awarded the contract in October 2015.

Gottlieb said some covered entities, such as small physician practices, might have some HIPAA compliance issues involving their comprehensive risk assessments, which can be very data intensive and complicated for organizations with limited resources.

However, Gottlieb said he expected larger covered entities and business associates would be up-to-speed on HIPAA compliance.

“Organizations that prioritize HIPAA compliance should do pretty well, but no one is perfect,” Gottlieb said.

Data security is an ongoing process, Gottlieb said, and organizations should continuously make changes to their policies to meet a changing threat environment, including hacking attempts and patient data shared via social media channels.
Justified Enforcement
The next round of audits has been characterized by the OCR as a compliance improvement exercise, but covered entities and business associates may be in store for more enforcement actions as the OCR uncovers serious issues, Eric Fader, an attorney with Day Pitney LLP in New York, told Bloomberg BNA March 24, 2016.

“At this point, the OCR could be excused for calling almost any HIPAA violation a serious issue,” Fader said.

HIPAA has been around a long time and the OCR has provided plenty of warnings over the last few years, Fader said.

James Bowers, an attorney with Day Pitney in Hartford, Conn., said the OCR is likely to ramp up HIPAA enforcement after the criticism it received from the HHS Office of Inspector General in a September 2015 report (pdf).

The OIG said in the report that the OCR wasn't investigating enough small data breaches or keeping track of all health-care organizations it finds in violation of federal privacy laws.

“OCR's knuckles were rapped pretty hard, so going forward there's going to be a no-nonsense enforcement policy,” Bowers told Bloomberg BNA March 24.

Bowers said he expected to see steeper fines and more corrective action plans.
Audit Priority Items
Gottlieb said the OCR's phase one audits, which were conducted in 2011 and 2012, identified several areas of concerns regarding HIPAA compliance, and he said the upcoming phase two audits are likely to focus on them.

For example, a significant portion of audit subjects from phase one hadn't performed a comprehensive security risk assessment, Gottlieb said.

“Organizations should review their risk assessments and see if they comply with the HIPAA Security rule as well as OCR guidance,” Gottlieb said.

Gottlieb said he expected the second round of audits will also focus on the HIPAA Security rule's provisions concerning the secure disposal of electronic devices and encryption of data in transit and at rest.

“A lot of recent OCR enforcement has focused on stolen unencrypted laptops,” Gottlieb said.

The OCR reached two multimillion-dollar settlements in March 2016 with providers over stolen unencrypted laptops.
Audit Preparation
Also See: What to Expect in a HIPAA Audit for 2016 (Webinar Video)

In preparation for a potential HIPAA audit, organizations should identify and gather all of their documentation related to the OCR's phase one-identified priority areas and should ensure their security policies are reasonable and updated, Gottlieb said.

Kevin Page, an attorney with Waller Lansden Dortch & Davis, LLP in Nashville, told Bloomberg BNA March 23, 2016 that covered entities should maintain a list of all their business associates as well as have written HIPAA compliance policies and procedures in place.

Page said the audits will likely look to see if organizations have conducted a comprehensive, enterprisewide security risk analysis and if they've implemented a risk management plan based on the results of the analysis.

“I suspect we'll be seeing more audits, and what they learn from these current audits will inform future audits,” Page said.

Page said it would be smart for business associates to make sure they're up to speed on the HIPAA Privacy and Security rules, as this will be the first time they're having to open their books to the OCR and demonstrate compliance.

Day Pitney's Bowers said business associates are increasingly holding large amounts of patient data either in electronic health records or in cloud storage.

“These vendors have to make certain the data is secured six ways to Sunday,” Bowers said.
Little Cause for Alarm
While the upcoming phase two audits may be inconvenient for organizations as they gather their HIPAA policies and procedures, there's little cause for alarm, Colin Zick, an attorney with Foley Hoag LLP in Boston, told Bloomberg BNA March 24, 2016.

Zick said the audits are trying to encourage good compliance and aren't designed to be punitive.

If you haven't pulled the HIPAA compliance binder off the shelf in a while, this would be a good time to start!

When it comes to HIPAA compliance, no one's perfect and breaches will happen, Zick said.

Organizations with strong underlying HIPAA compliance policies and procedures are less likely to face enforcement action if compliance problems are found, Zick said.

Zick also said covered entities are likely to fare better in HIPAA audits than business associates, which are organizations that contract with health-care organizations.

“There's such a variety of business associates, it's a much greater challenge for them to stay in compliance,” Zick said.

Looking to the future, a big question is what the next phase of audits will look like, Zick said.

“Will they decide not to do any more because the results show everyone's OK with compliance, or will they will ratchet up enforcement?” Zick said.
Planning Ahead
Before any potential HIPAA audit, covered entities and business associates should:

  • locate all HIPAA Privacy and Security compliance policies and procedures, and find out when you last updated them;
  • review your risk analysis/assessments and risk management plan;
  • update any policies and procedures/documentation as necessary;
  • update and organize all Business Associate Agreements/contracts; and
  • schedule annual and ongoing training.

  • Organizations need to cooperate completely with an audit request.

Reece Hirsch, an attorney with Morgan, Lewis & Bockius LLP in San Francisco, echoed Zick's comments and said it's crucial for audit subjects to respond within the mandated 10-day period.

“Make sure the audit-related address verification letter doesn't end up in your spam folder,” Hirsch told Bloomberg BNA March 24, 2016.

Organizations should create audit response teams to ensure they meet the response deadline, and should perform document-gathering dry runs to determine how fast the process is, Hirsch said.

Hirsch said it's important that an organization's HIPAA compliance policies and procedures are updated.

“If you've done your updating prior to the audit start, you're OK, but if you do your updating after you receive an audit request, that's a different story,” Hirsch said.
