The 10 Step HIPAA Compliance Review


If there is one life or death issue for a Covered Entity (CE) and its Business Associate (BA), it has to be HIPAA compliance. It is the one point that could determine whether they stay in business or fold up. This underlines how critical HIPAA compliance is for a Covered Entity and a Business Associate.

While providing the appropriate patient rights and controls on its uses and disclosures is important to show compliance with HIPAA, a Covered Entity or a Business Associate needs to do more: it also has to be able to demonstrate that compliance.

The CE or BA should also have performed the appropriate analysis of the risks to the confidentiality, integrity, and availability of electronic Protected Health Information (PHI). Unless this is done in a compliant manner, the CE or BA cannot be sure that it is protecting PHI against threats such as the loss of a device holding data, accidental acts, and intentional acts such as cyberattacks, which have only become more prominent in recent times.

Given how vital ensuring HIPAA compliance is, shouldn’t Covered Entities and their Business Associates get a proper and thorough understanding of how to do this? This learning will be imparted at a webinar that is being organized on September 9 by MentorHealth, a leading provider of professional training for all areas of healthcare.

The doyen of HIPAA compliance, Jim Sheldon-Dean, will be the expert at this webinar, at which he will explain a 10-step method that will help participants gain thorough clarity on HIPAA compliance. Please register for this webinar by visiting https://www.mentorhealth.com/webinar/the-10-step-hipaa-compliance-review—how-to-ensure-your-compliance-is-up-to-date-801767LIVE?wordpress-SEO.


The expert will show how a Covered Entity or a Business Associate can ensure HIPAA compliance in a structured and logical manner over just ten days and thus escape enforcement actions from the HHS. He will explain how to carry this out over the 10-day span, laid out as follows:

  • Day One: Research of Your Operations
  • Day Two: Limitations on Uses and Disclosures
  • Day Three: Patient Rights under HIPAA
  • Day Four: HIPAA Risk Analysis
  • Day Five: HIPAA Security Safeguards
  • Day Six: HIPAA Security and Breach Notification Policies and Procedures
  • Day Seven: Documentation of Policies and Procedures
  • Day Eight: Training in Policies and Procedures Related to HIPAA
  • Day Nine: Verification and Audits of Compliance
  • Day Ten: Long Term Compliance Planning and Risk Management

The following areas will be covered at this webinar:

  • Find out how to relate your office’s activities to the regulations
  • Learn what are the ways you can share information under HIPAA, and the ways you may not
  • Find out about HIPAA requirements for access and patient preferences, as well as the requirements to protect PHI
  • Learn how to use an information security management process to evaluate risks and make decisions about how best to protect PHI and meet patient needs and desires
  • Find out what policies and procedures you should have in place for dealing with e-mail and texting, as well as any new technology
  • Learn about the training and education that must take place to ensure your staff uses e-mail and texting properly and does not risk exposure of PHI
  • Find out the steps that must be followed in the event of a breach of PHI
  • Learn about how the HIPAA audit and enforcement activities are now being increased and what you need to do to survive a HIPAA audit.


About the expert: Jim Sheldon-Dean is the founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm founded in 1982, providing information privacy and security regulatory compliance services to a wide variety of health care entities.

Sheldon-Dean has more than 30 years of experience in policy analysis and implementation, business process analysis, information systems and software development. His experience includes leading the development of health care related Web sites; award-winning, best-selling commercial utility software; and mission-critical, fault-tolerant communications satellite control systems.

MentorHealth to organize webinar on “HIPAA 2019 – What’s New?” on January 9, 2019

MentorHealth, a leading provider of professional training for the healthcare industry, is organizing a webinar on the topic “HIPAA 2019 – What’s New?” on January 9, 2019. The speaker at this webinar is Brian L Tuttle, a highly regarded health IT and compliance professional. He will show participants how to understand the nuances of the changes that HIPAA will bring for 2019 and how to audit in accordance with these changes, which will put them on the path to proper and hassle-free HIPAA compliance. To enroll for this webinar

HIPAA has been undergoing changes from the time of its inception. Each successive change requires practice or business managers or compliance officers to stay completely updated about these requirements and understand their workings in the right perspective. Why is this learning important? Simple: HIPAA compliance is no longer viewed leniently by the HHS.


All the core components of HIPAA compliance, such as changes under the Omnibus Rule, the changes the Trump administration has brought into HIPAA and what else it is planning, new congressional mandates, and any other applicable updates for 2019 and beyond, will be discussed at this webinar. This will lay the groundwork for proper implementation of the HIPAA provisions by Covered Entities and Business Associates.

Obviously, being in violation of the HIPAA requirements is a nightmare of the highest order for any of these entities. CE’s and BA’s come under heavy scrutiny from the HHS and are fined very heavily for violations. Brian will discuss what the most common types of violations are, which will help the participants of this webinar get a proper idea and perspective of what to implement and what to avoid.

Brian will explain other prominent areas of HIPAA. These include State laws, which are now in place and are increasing liability for patient remedies. He will also explain what factors might spur a lawsuit or a HIPAA audit and explain how participants can do these things right. Also, insight will be offered into why the federal government is enforcing these sections with such severity after all these years. He will show how patients are now able to get cash remedies for wrongful disclosures of private health information.


Over the 90 minutes of this webinar presentation, Brian will cover the following areas:

  • Updates for 2019 and Beyond
  • Fines
  • Portable devices
  • Texting and Emailing – New Guidelines
  • Changes under new OCR Director and Congress
  • New Definition of Protected Health Information
  • Real Life Audits and Litigated Cases
  • Business Associates and the Increased Burden
  • Breach Notification
  • Paperwork that Needs to be Updated
  • Risk Factors

This learning is of immense value to professionals who are involved in HIPAA compliance. These include Practice Managers, any Business Associates who work with Medical Practices or Hospitals (i.e. Billing Companies, Transcription Companies, IT Companies, Answering Services, Home Health, Coders, Attorneys, etc.), and MD’s and other Medical Professionals.

HIPAA, 42 CFR Part 2 and FERPA Rules for Managing Student Health Information

This blog focuses on the issues of managing health information when it may be that of students and may involve substance abuse treatment information. HIPAA and FERPA allow a number of disclosures without consent that SAMHSA prohibits without consent.

It explains how HIPAA relates to information management and release, and the processes required for various releases of information under the HIPAA and FERPA rules, including release according to individual access requests and under consents and HIPAA authorizations.

While FERPA overrides HIPAA, both HIPAA and FERPA take a back seat to the rules under 42 CFR Part 2. When substance abuse treatment information is involved, first you need to understand how to identify it. This blog explains how to make it distinguishable from “regular” health information, so that the appropriate extra protections can be provided. You may be able to use functions in your EHR to flag the information, or you may create a manual process for tracking the information if it is rarely handled in your organization.


The substance abuse treatment information you collect may or may not be under SAMHSA, depending on whether or not you have a department or even a response team that specializes in SAMHSA-related situations. You need to understand your status under the rules before you release information, or you risk releasing it inappropriately. This blog also covers what qualifies as treatment that falls under SAMHSA.

If your organization provides services that create information that is under the SAMHSA regulations, you will need to establish the consent and release of information processes that are required to be followed for information releases under 42 CFR Part 2. This involves getting the proper consents upon establishment of the relationship, as well as managing consents for releases that may be necessary after the initial establishment of the relationship.

When you release information under HIPAA, there are no special notices required to be placed on the records. But when you release information under SAMHSA, each document must have a notice that explains that re-disclosure is not permitted without a new consent.


Complicating matters are updated rules going into effect that will allow a consent that permits a re-release to a defined team of providers caring for the individual, but then require meticulous documentation of everyone to whom the information has been released under such a consent.

This blog will explore the complications and requirements of each of the rules controlling student health information, HIPAA, FERPA, and 42 CFR Part 2, and provide insights into how to apply the rules in an education setting.

This blog covers the following topics:

  • What FERPA controls and how to determine where it applies
  • How FERPA and HIPAA interact
  • What HIPAA allows, what SAMHSA requires, and the differences between them
  • How to determine if the services you provide place you under FERPA or 42 CFR Part 2
  • The means for making sure substance abuse treatment information receives the appropriate protections
  • The consent and release requirements under HIPAA, FERPA, and 42 CFR Part 2
  • Re-release of information released under 42 CFR Part 2
  • Sharing of information with family and friends in an overdose incident
  • The latest guidance from the US Department of Health and Human Services on HIPAA and FERPA, as well as harmonization of SAMHSA and HIPAA


This blog is going to be helpful for these professionals:

  • Compliance Director
  • CEO
  • CFO
  • Privacy Officer
  • Security Officer
  • Information Systems Manager
  • HIPAA Officer
  • Chief Information Officer
  • Health Information Manager
  • Healthcare Counsel/Lawyer
  • Office Manager

Top Facts about HIPAA Texting

The Health Insurance Portability and Accountability Act (HIPAA) came into being in 1996 with the purpose of ensuring the privacy of data and safeguarding medical information through a set of security provisions. Its three core provisions relate to portability, integration with Medicaid, and simplification of the administration of the Act. Ever since the technology of Short Messaging Service (SMS) was introduced into healthcare, rules relating to what should be sent and how have become a very important component of HIPAA.

There is a misconception that texting is not allowed under HIPAA. Texting is not prohibited under HIPAA, which means that anyone can send text messages about health information. However, one of the top facts about HIPAA texting is that there are reasonable restrictions relating to what should be sent in text format and how. The core objective of HIPAA is to safeguard the integrity of Protected Health Information (PHI) and ensure that its handling complies with the provisions set out in HIPAA. The laws regarding this are set out in the Privacy and Security Rules.


Why is texting an issue under HIPAA?

If the Department of Health and Human Services, which administers HIPAA, is so clear in its goal, why is there any confusion at all about the provisions relating to texting? This question needs to be put in perspective: a good part of the confusion relating to SMS under HIPAA is attributed to facts that are inherent in the concept of short messaging services:

  • Most apps, which healthcare professionals rely on heavily to send PHI, are open and don’t have login and logoff requirements
  • The accountability for messages’ origin is very low in SMS since senders have little control over the origin and receipt of messages by SMS
  • Identity is a major concern in SMS because anyone who uses somebody else’s phone could send messages
  • There is very little trackability of stolen or damaged cellphones that could transmit PHI.
Other sources of confusion

In addition to this, the complex legalese used in the text of the law compounds the confusion about HIPAA. In fact, among the top facts about HIPAA texting is that HIPAA does not explicitly mention the word SMS or texting at all; SMS is covered under the rules set out under the broad heading of electronic communication. This has led to confusion in many cases because rules that apply to certain kinds of electronic communication do not apply to others. Texting is a classic instance of this ambivalence. Since HIPAA has framed very broad guidelines to cover all electronic communication, some of its definitions of phrases are open to subjective interpretation.

Resort to the Privacy and Security Rule

It is to avoid scenarios such as these that healthcare providers who come under HIPAA regulations need to get a thorough understanding of how to safeguard patient information while texting.

The basis for avoiding being hauled up by the HHS for privacy violations while texting patient information should be an understanding of what kinds of texting HIPAA considers a violation of its Privacy and Security Rule. Business Associates and their Covered Entities, who are required to comply with HIPAA, need to be guided by the HIPAA Security Rule, which defines all the elements of texting, including:

  • Access controls
  • Audit controls
  • Transmission security mechanisms when PHI is being transmitted electronically
  • Methods for ID authentication
  • Integrity controls

Another of the top facts about HIPAA texting is that the HIPAA Privacy and Security Rule considers any message containing PHI that is sent in standard, non-encrypted, non-controlled and non-monitored SMS or IM as a violation of its requirements.

Secure Messaging Solutions are the answer

The most viable and acceptable solution is to resort to secure messaging for sending PHI. These are some of the ways by which a Secure Messaging Solution can ensure the security of PHI sent by a HIPAA entity while messaging:

  • It encapsulates PHI within a private communications network. This network can be accessed only by authorized users
  • Access is through a secure gateway, which makes it easy to track and prevent misuse
  • SMS containing PHI cannot be sent to email addresses outside the communications network
  • After a set period of inactivity on the app, it logs off automatically
  • Copying and pasting any information contained in the PHI, as well as the feature of saving the data to a hard drive, is disabled.


The Next Big Thing in Hospital Management

Is the US hospital management sector waiting for the next big thing in hospital management? What is it going to be and what shape is it going to take? Any change in the hospital management sector needs to be watched for, because it is part of the $3 trillion healthcare sector in the US, the world’s largest.

Which are the major changes that one can expect in this Pan-American sector of hospital management? Like many other sectors related to healthcare, will hospital management be technology-led too? The prognosis presents a mixed bag because when we look at some of the trends while looking for the next big thing in hospital management, we could be looking at changes that could be both technology dependent and non-technological ones.


Self-care is set to be the next trend in hospital management

This sounds rather paradoxical, when one considers how technologies have been making serious inroads into hospital management and are facilitating a vast number of functions, such as helping to monitor core hospital management areas like patient visits.

Yet, hospital management is moving towards more focus on patient self-care. The main reason attributed to this is the fact that hospitals are seeing self-care as a means to control patient inflows and help patients avoid unnecessary visits to hospitals. This is all the more useful when it comes to elderly patients, for many of whom making visits to hospitals could be a challenge.


Take the case of patients with diabetes. Many patients can avoid multiple visits to hospitals with the aid of apps and other tools which help them monitor the condition on a daily basis and interact with the healthcare giver only in the case of serious variations or adverse symptoms in their condition. Not visiting hospitals does not mean less care. On the contrary, it is quite likely that they could receive better attention because of the presence of automated tools such as emails and text messages, and interaction through social media, that send out quicker signals to care providers. As technologies and tools become more patient-centric, there is a good chance that the hospital sector will undergo a few major changes with fewer footfalls from patients.

Telemedicine could alter hospital management

One cannot discount the possibility of telemedicine taking over the role of being the next big thing in hospital management. Telemedicine has been around for quite a while now. So, what is new, you may ask. What makes it the potential next big thing in hospital management is that its ability to lead to virtual care is now being explored more vigorously. If telemedicine serves as the foundation for the growth of virtual care, it will have more than served its purpose of hastening medical care where it matters the most and is needed the most.

The technologies that go into making virtual care a reality are being considered favorably for eliminating many of the drawbacks of telemedicine, such as heavy dependence on call center staff and wired systems. Telemedicine is being seen as the technology that could alter itself for the better and alter the face of hospital management in the US.

Technologies will transform hospital management

This is a fact all too well known for anyone to be surprised by. Technologies are pervading every area of our lives and are transforming them beyond our comprehension. How does one expect hospital management to be different? Areas such as operations, microsurgery, hospital financial management, laboratory management and a bunch of areas that work in close sync with hospital management could undergo drastic changes with technologies such as Artificial Intelligence and Machine Learning. These technologies are likely to bring in paradigm changes by altering the very foundation on which hospital management is built. They could be bringing about real changes in nearly every area of hospital management in the next few years.


Hospital data needs to be secured

No technology, practice or process being touted as the next big thing in hospital management will be of any use unless hospital management learns how to deal with malware attacks. Hackers are very enticed by patient medical data, which now commands a higher rate in the black market than even credit cards and social security data. The next big thing in hospital management should look at how to nip this evil in the bud.


Top risk management issues in healthcare

Healthcare, like every other area, has its own risks. In the case of healthcare, the risks have to be contained well because of the obvious fact that any unseen or unaddressed risk can be a potential source of danger to the patient’s health or very life. This is the most urgent reason for addressing risk management issues in healthcare.

When talking about the top risk management issues in healthcare, one has to take a rather holistic look at this topic. This is because risks can arise in healthcare from any source, obvious or obscure. The healthcare unit has to be fully open to the possibility of finding risks in almost any area of its work.


This is why top risk management issues in healthcare concern the whole gamut of the field of healthcare. Let us take a look at some of these top risk management issues in healthcare:

Risk from technology

Technology has the magical power to transform lives in a way that humans of an earlier era could not have dreamt. But wait a minute. For all the fantastic things that technology is capable of doing, it comes with a huge risk that is inherent in it. We are witnessing the explosion of all kinds of changes that life will see under technologies such as Artificial Intelligence, data science, the Internet of Things, Big Data and their siblings. These technologies have unimaginable implications for healthcare.

While many changes can be seen in areas such as the way health and health administration are going to progress, there is no denying the fact that technology is primarily responsible for cyberattacks on healthcare records. To say that this is a dangerous trend is to understate a problem of gigantic proportions. The consequences of data breaches are terrible.


Individual healthcare providers may face penalties and other fines, but how does the healthcare sector as a whole deal with it? What is to be done when critical data about patients goes into unscrupulous hands? It sends the whole sector and the lives of millions of people into a tizzy, depending on the severity and consequences of the cyberattack. Data security ranks right among the top risk management issues in healthcare.

Compliance risks

With healthcare being such a vast and varied field and being one that carries immense potential for misuse, governments have realized that the need for regulation is acute. Regulation is always done with very good intentions, but it has a major bearing on healthcare providers. Why? They have to comply with a myriad of regulations and rules concerning almost all areas of their work. The cost of compliance is high, but the cost of noncompliance is inestimably higher. Complying with all the regulations, such as HIPAA, is a gigantic task. Getting it right is something healthcare organizations spend a lot of their resources on.


Dealing with patients

One of the top risk management issues in healthcare is dealing with patients. Not all patients are expected to be sober and patient. In addition, patients having unrealistically lofty expectations of the treatment outcomes are common. Patient expectations are high when it comes to the provision of services, too. Many patients are difficult to handle because they think they have entitlement rights over many aspects of the health administration without being fully knowledgeable about the difficulties faced by healthcare providers.

Telemedicine

Telemedicine is emerging as a novel means to provide healthcare across remote areas. While this technology is itself not totally new, it has undergone a few technological leaps that make it a lot easier to adapt and grow into more areas. This has exciting possibilities for the patient and for the field of healthcare, but comes with its own challenges of implementation. Implementing telemedicine practices in accordance with the rules and within the regulatory framework opens up new avenues for healthcare, but one cannot ignore the practical challenges it comes with.

Dealing with the setup

People are part of the healthcare industry. There are both healthcare professionals and patients that need to be managed. This may be part of the job, but still, it ranks among the top risk management issues in healthcare. To organize and streamline work on a daily basis, especially in very large hospitals, is quite a task, even with all the support people and technologies provide. Dealing with issues and preventing and eliminating the smallest problem in the setup is a herculean task for even the most experienced healthcare professionals. This makes it important for healthcare professionals to learn ways of dealing with such top risk management issues in healthcare.

Why HIPAA compliance is becoming more challenging

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US legislation that was enacted under the HITECH Act under Bill Clinton’s presidency with the intention of offering safeguards for medical information through its data privacy and security provisions. The Act consists of five sections, also called titles:

  • HIPAA Health Insurance Reform
  • HIPAA Administrative Simplification
  • HIPAA Tax-Related Health Provisions
  • Application and Enforcement of Group Health Plan Requirements
  • Revenue Offsets.

The provisions relating to data security are to be enforced by what are called Covered Entities, or those that are in possession of one or another form of patient data, including Medicare and Medicaid, along with the entities with whom these CE’s may work to get their work done, namely Business Associates (BA’s). Audits are the mechanism through which the implementation of the provisions of HIPAA by the CE’s and BA’s is overseen.

In the first two decades since HIPAA’s inception, successive American governments have paid some half a million providers of healthcare services and CE’s and BA’s well over $400 billion to implement Electronic Health Records (EHR’s), which is the most important source of patient information that needs to be safeguarded in accordance with the provisions of HIPAA.


Although the purpose set out for safeguarding confidential patient data is straightforward and the means for doing so are explicitly stated, HIPAA implementation is still one of the gargantuan stumbling blocks for the administration. The question of why HIPAA compliance is becoming more challenging can be understood from this perspective. It also needs to be seen against the backdrop of the fact that this has been happening despite the astronomical penalties that HIPAA imposes for non-implementation: these range from $50,000 for every willful violation to $1.5 million for willful repeat violations, in addition to inviting a year in prison.

The reasons why HIPAA compliance is becoming more challenging

From the time HIPAA came into existence, it has thrown up a number of reasons for its relatively low level of compliance and implementation. Some of these may appear very basic and even surprising for a country that is among the most technologically advanced in the world. Yet, this being a completely technological tool, the element of technology, intended to be a facilitator, has turned out to be an impediment to HIPAA compliance by CE’s and BA’s.

Technology

Technology continues to be the prime problem in HIPAA compliance. While on the surface people may balk at the idea that technology can be a limiting factor for a completely technological system, it has to be understood that implementation of HIPAA Security measures requires knowledge and application of specific technological aspects. The main concerns relate to getting used to operating shared data access across networks, for healthcare professionals who were all along used to operating with closed data systems, and to understanding the nitty-gritty of using the cloud.


Using mobile technologies

Another aspect of the problems with why HIPAA compliance is becoming more challenging is migrating and adapting these technologies for mobile systems. Mobile technology differs a little from that of traditional, desktop technologies. Implementing both of them in parallel has been a challenge for many CE’s and BA’s.

Evolution of technologies

In addition to all these usual issues associated with technology implementation, another reason as to why HIPAA compliance is becoming more challenging is that technology itself is ever changing and evolving. By the time many staff members of certain CE’s and their BA’s get used to implementing the existing technology, an innovative technology could have come up, making it necessary to carry out changes in accordance with the requirements of the latest technology.


Integration

Another element of the technological aspect of why HIPAA compliance is becoming more challenging is that this calls for integration with a vast number of entities from both within the organization and outside. This is seen as an issue by many healthcare providers who have to implement HIPAA.

Training

Apart from the technology aspect of HIPAA, many Covered Entities and Business Associates are finding that HIPAA compliance is becoming more challenging because they have to continuously train staff about every aspect of HIPAA implementation. HIPAA requirements keep changing every now and then. This makes HIPAA implementation all the more time-consuming and challenging.


HIPAA Texting and Emailing – Do’s and Don’ts

HIPAA texting policy is undergoing changes. The Department of Health and Human Services (HHS) has been implementing changes to enforcement of HIPAA for both Covered Entities and Business Associates vis-à-vis portable devices, texting, and emailing of Protected Health Information (PHI).


At this webinar, the expert, Brian Tuttle, will explain the areas relating to HIPAA and texting in healthcare, encryption, medical messaging, voice data, personal devices, and risk factors. Knowledge of these factors and knowing how to put them in the right perspective is important to avoid HIPAA penalties. Brian will help participants distinguish between myth and reality of this rather challenging law. This learning is the result of his having conducted over 1000 HIPAA risk assessments during the 18 years of his career, during which he has worked in various areas of health compliance.

Limiting audit risks

The most important learning that Brian will impart at this webinar is how participating organizations can limit their risks. They need to know what proactive steps to take, and which best practices to implement. He will show how to do these. The main objective is to help clear misconceptions in the minds of the participants regarding HIPAA texting and emailing. He will seek to remove confusions among Covered Entities and Business Associates about transmission of PHI.

The knowledge the expert at this webinar is going to offer on HIPAA texting and emailing will help CE’s and BA’s avoid audit risks and thus prevent them from being sued for wrongful disclosure of PHI, which happens mainly due to bad IT practices.

Aimed at Practice Managers, any Business Associates who work with medical practices or hospitals (i.e. billing companies, transcription companies, IT Companies, answering services, home health, coders, attorneys, etc.), and MD’s and other medical professionals; this webinar will cover the following areas:

  • Updates for 2018
  • BYOD
  • Policies Regarding Personal Devices
  • Portable Devices – Best Practices
  • Doctors and Texting
  • Practical Solutions
  • Business Associates and the increased Burden
  • Emailing of PHI
  • Texting of PHI
  • Federal Audit Process.

HIPAA requires compliance with ICD-9-CM guidelines

ICD-9-CM guidelines have been issued to bring about standardization and uniformity in the use of medical codes. Adherence to these guidelines is a requirement under the Health Insurance Portability and Accountability Act (HIPAA).

The International Classification of Diseases, 9th Revision, Clinical Modification, more popularly known as ICD-9-CM, is a set of guidelines issued by two departments within the Department of Health and Human Services (DHHS): The Centers for Medicare and Medicaid Services (CMS) and the National Center for Health Statistics (NCHS).


The ICD-9-CM guidelines tell healthcare professionals how to code and report diseases in accordance with the classification. They are meant to accompany and supplement the official conventions and instructions that ICD-9-CM itself already provides.

Facts about the ICD-9-CM guidelines

  • These ICD-9-CM guidelines are to be used by healthcare coders when assigning ICD-9-CM diagnosis and procedure codes
  • Adherence to these guidelines is a requirement under HIPAA
  • They are, however, guidelines, and are therefore subordinate to the more clear-cut conventions and instructions of the classification itself
  • Although the ICD-9-CM guidelines provide additional instruction, the conventions and instructions on how to code and sequence diseases, as set out in Volumes I, II and III of ICD-9-CM, remain the guiding document


ICD-9-CM guidelines on general inpatient coding

ICD-9-CM guidelines have full details of how medical coders have to go about general inpatient coding. These are some of the general areas in which ICD-9-CM guidelines have to be adhered to:

  • Use of both alphabetic index and tabular list
  • Level of specificity in coding
  • Not Elsewhere Classified (NEC) or Not Otherwise Specified (NOS) code titles
  • Conditions that are classified as being both acute and chronic
  • Code relating to combinations
  • Tabular list
  • Multiple coding of diagnoses
  • Late effect, meaning residual effect or condition produced
  • ICD-9-CM guidelines when diagnosis is uncertain
  • ICD-9-CM guidelines on impending or threatened condition

Read More : http://bit.ly/2Gchm5W

Medical practices have to transition to ICD-10 by October 1, 2015

Key Takeaway:

Phasing out ICD-9 and ushering in ICD-10 is a massive exercise; the Protecting Access to Medicare Act of 2014 barred HHS from requiring ICD-10 before October 1, 2015, which then became the compliance date. Hospitals and other healthcare providers have to get used to a code set different from the one they practiced with for over three decades.

The HIPAA "ICD-10" is a medical code set adopted under HIPAA. It stands for the International Classification of Diseases, Tenth Revision, Clinical Modification (ICD-10-CM). The term also covers a second classification, the International Classification of Diseases, Tenth Revision, Procedure Coding System (ICD-10-PCS).


A brief understanding of the differences between ICD-10-CM and ICD-10-PCS

ICD-10-CM and ICD-10-PCS are quite different from each other. The ICD-10-CM diagnosis code set replaces ICD-9-CM, Volumes 1 and 2, and will continue to be used to report diagnoses in all clinical settings. ICD-10-PCS is a procedure code set that replaces ICD-9-CM Volume 3 and is used only to report hospital inpatient procedures.

Comprehensive and complex

ICD-9 is replaced by the ICD-10 code set with effect from October 1, 2015. The transition is considered elaborate, complex and expensive: it is a gargantuan mandate that the federal government does not fund. The Department of Health and Human Services (HHS), which oversees the transition, extended the compliance date by a year in acknowledgement of the practical difficulties and costs of implementing a code set of such proportions.

Major differences in coding practices

ICD-9, the code set in force until now, has been around for three decades, and its replacement changes coding practice in several ways.

  • ICD-9-CM diagnosis codes are 3-5 characters long and number just over 14,000, while ICD-10-CM diagnosis codes are 3-7 characters long and number about 68,000
  • ICD-9-CM procedure codes are only 3-4 digits long and total approximately 4,000, while ICD-10-PCS procedure codes are alphanumeric, 7 characters long, and total approximately 87,000


No need to replace the CPT

Since ICD-10-PCS is used only to report inpatient hospital procedures, it will continue to be used alongside Current Procedural Terminology (CPT), the code set for physician and outpatient services.

The scale of transition

Transitioning to HIPAA ICD-10 is expected to have an effect on all physicians. A pan-US exercise of this scale requires major software or system upgrades or replacements, large-scale training and planning, apart from many other unavoidable investments. The factors that will make this complex include:

  • The dramatic increase in the number of codes
  • Change being brought about in the number of characters per code
  • Increase in the specificity of the code

Costs of phasing out

The costs for transitioning for just small firms are expected to be between $56,000 and $226,000.

Read More : http://bit.ly/2jRUT5o

HIPAA vs. SAMHSA 42 CFR Part 2

Practice and business managers, or compliance officers, are required to make sure that their organization complies with the Substance Abuse and Mental Health Services Administration (SAMHSA) regulations set out in 42 CFR Part 2. This part was created to protect the confidentiality of patients with a history of substance use disorders (SUD) during treatment. 42 CFR Part 2, first issued in the 1970s, aims to control the use and disclosure of patient records generated at a federally assisted program for the treatment of these patients.

The purpose for which this provision has been introduced is to make sure that people who undergo treatments for SUD are not discriminated against, and that they do not get to suffer the negative stereotyping that society paints of them once their information becomes open. It wants to prevent information about them leaking out to the public domain and with it, the stigma and consequences associated with being patients of substance abuse disorders.


SAMHSA vs. HIPAA

The disclosure rules set out in 42 CFR Part 2 are generally similar to, but in places stricter than, those of HIPAA. A compliance officer needs to be aware of the subtle but significant differences between the two, because proper implementation of both is vital. A Covered Entity or Business Associate that fails to comply with either set of regulations can face severe civil and criminal penalties.

A webinar from MentorHealth, a leading provider of professional training for the healthcare sector, will impart a thorough understanding of the nature of these regulations, their differences, and how to implement them in a legally compliant manner.

The expert at this webinar is Brian Tuttle, a very experienced senior HIPAA professional, who has over 18 years of experience in Health IT and Compliance Consulting, during which he has worked extensively in health IT systems (i.e. practice management, EHR systems, imaging, transcription, medical messaging, etc.) and in standard Health IT with multiple certifications. As a compliance consultant, Brian has conducted onsite and remote risk assessments for over 1000 medical practices, hospitals, health departments, insurance plans, and Business Associates throughout the United States. Please enroll for this webinar.


Complete understanding of SAMHSA and HIPAA and their differences

In the course of a comparative overview of SAMHSA and the HIPAA rules relating to Protected Health Information, Brian will cover the latest SAMHSA updates, released in January 2018, and the latest HIPAA updates, which came in December 2017. He will describe scenarios that come up during implementation of these regulations, answer the many FAQs about substance abuse, mental health and alcohol abuse records, and the proper ways to secure or release this information, and explain the ramifications of improper implementation or non-implementation.

Practice Managers, any Business Associates who work with mental health records, substance abuse records or alcohol abuse records, such as billing companies, transcription companies, IT companies, answering services, home health, coders, attorneys, etc., and MD’s and other medical professionals will derive enormous benefit from this session.

Brian will cover the following areas at this webinar:

  • Updates for 2018
  • What is SAMHSA
  • What is HIPAA
  • Portable Devices
  • When and How Records can be Released
  • Proper Documentation Required
  • Enforcement of the Law
  • SAMHSA vs HIPAA (Specific Scenarios)
  • Who must Comply
  • Best Practices.


Top HIPAA Webinars By MentorHealth

  1. The Roles and Responsibilities of a HIPAA Privacy & Security Officer

This presentation addresses HIPAA regulations from a different perspective: a personal one, that of the person in charge of moving an organization or facility toward full compliance with HIPAA.

Registration Link : http://www.mentorhealth.com/control/w_product/~product_id=801270LIVE?wp_seo

  2. HIPAA Security Basics

The webinar will be a primer for the HIPAA Security Rule, going over the basics of what is necessary to achieve compliance.

Registration Link : http://www.mentorhealth.com/control/w_product/~product_id=801228LIVE?wp_seo

  3. HIPAA Fundraising: What you Need to Know, What you Need to Do

This webinar will explain how to keep your fundraising communication and related policies compliant without impairing operational effectiveness.

Registration Link : http://www.mentorhealth.com/control/w_product/~product_id=801256LIVE?wp_seo

  4. Take the Fear out of HIPAA – Basic Step-by-Step Compliance

This session will explain exactly how a health care provider's designated HIPAA Compliance Official can find the right steps for each HIPAA compliance topic.

Registration Link : http://www.mentorhealth.com/control/w_product/~product_id=801205LIVE?wp_seo

  5. Patient Privacy: HIPAA does not Touch what Matters

This webinar provides insight into the lived experience of patients regarding their privacy, from their own point of view.

Registration Link : http://www.mentorhealth.com/control/w_product/~product_id=801251LIVE?wp_seo

  6. HIPAA Compliance for a Practice Manager

After completing this course, a practice or office manager will have a clear understanding of what needs to be in place for all of the HIPAA regulations.

Registration Link : http://www.mentorhealth.com/control/w_product/~product_id=801242LIVE?wp_seo

  7. How to Conduct a HIPAA Security Risk Assessment

This course will cover the proper methodologies for conducting a HIPAA Risk Assessment, based on the formula used by Federal auditors and on the guidelines of NIST.

Registration Link : http://www.mentorhealth.com/control/w_product/~product_id=801248LIVE?wp_seo

 

How does an organization design a risk management toolbox?

Designing a Risk Management Toolbox Requires Ingenuity

Absolutely any business, be it oil exploration or aviation, or healthcare or textile, comes with an element of risk, big or small. Risk is the probability of harm to a business or any or all of its processes. Risk is inherent in each and every activity a business undertakes. A risk can affect the time, cost, reputation, or cause market value to crash. The risk in some sectors such as healthcare could go all the way up to death of the patient.

How does designing a Risk Management Toolbox help?

Because it is not always possible, even for the most experienced professionals and leaders, to anticipate all the risks that accrue to a business during its entire lifecycle; it helps to design some kind of a template that lists out the possible risks in an activity.

This should be some type of checklist against which management can keep evaluating the risk that goes into every activity the organization undertakes. This is what may be considered designing a Risk Management Toolbox. Designing a Risk Management Toolbox is a challenging task for an organization, because of the sheer complexity associated with such a task.


So, how does an organization design a risk management toolbox? Designing a Risk Management Toolbox is not something that can be done once and used for a lifetime. Having said this, it is still a practical step an organization can take to assess risks and take steps to mitigate them. It entails taking the fullest steps to understand the minutest cause and source of risk in every one of its business activities.

Designing a Risk Management Toolbox requires having the insight to understand these sources. It also requires having the foresight to anticipate the nature and gravity of risk in the future. All this means that designing a Risk Management Toolbox is something that requires a high degree of ingenuity and farsightedness.

General principles that need to be kept while designing a Risk Management Toolbox

When designing a Risk Management Toolbox, an organization’s management needs to keep a few points in mind:


Keeping ISO standards in mind

ISO has a standard on risk management, ISO 31000, which sits within the 31000 series of standards. Just as ISO 9000 is about quality management systems, the 31000 series sets out principles and guidelines by which organizations in different types of business can design a Risk Management Toolbox that meets their own needs.

Designing a Risk Management Toolbox in accordance with ISO standards also helps the organization meet regulatory standards and requirements, although conformance to ISO is not by itself regulatory compliance.

Read More : https://www.mentorhealth.com/control/designing-a-risk-management-toolbox?wp_seo


Is Your Medical Website HIPAA Compliant?

Every physician and medical administrator that we know is intimately—often, intensely—aware of HIPAA’s privacy and security rules. There isn’t a policy, procedure or process that isn’t carefully scrutinized as HIPAA compliant.

This isn’t legal advice, but healthcare professionals know that protected health information (PHI) and electronic protected health information (ePHI) need to be on the safe side of the Health Insurance Portability and Accountability Act and the Department of Health and Human Services.

But, physicians and medical administrators also realize that, in an Internet-driven world, confidentiality, privacy, and data security are vastly larger, dangerous and more complex issues. What’s more, hospital data and medical records are attractive targets for cyber theft and ransomware attacks.

If regulations, compliance and digital security issues aren’t compelling enough to keep you awake at night, consider this: What if your website and digital presence are not HIPAA compliant? Many ordinary, and innocent appearing, healthcare websites are not secure, or inadvertently fail to safeguard all “individually identifiable health information.”


Being HIPAA compliant is vital to every medical website

Check with your own legal advisor, but here are some of the ways that medical websites, and HIPAA compliance, can be at risk:

Are files, storage, and transmissions secure? Data that is "in the open" (not encrypted, i.e. not protected in transit by TLS, the successor to SSL) is at risk. An important compliance checkpoint is having all sensitive material encrypted, at rest and especially when transmitted over the Internet.

Some forms can put you at risk. Generally, when a patient or prospective patient completes an online form, even with elementary info such as name, phone number and email, it is advisable to give the data the same level of protection as ePHI. More specifically, anything "individually identifiable" that relates to a person's health or care is likely to meet the definition of electronic protected health information.
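The two checks above (encrypted transmission, and forms that collect patient details) can be made mechanical. The following is an added example, not code from the original article: it audits one page for a plaintext URL, a missing Strict-Transport-Security header, forms whose action points at a non-HTTPS target, and forms that submit by GET (which puts field values into URLs and server logs). The page URL, response headers and HTML are constructed sample input.

```python
"""Added example: flag ways a medical site's forms can expose data in transit."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect (action, method) for every <form> in a page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            a = {k.lower(): (v or "") for k, v in attrs}
            self.forms.append((a.get("action", ""), a.get("method", "get").lower()))


def audit_page(page_url, response_headers, html):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if urlsplit(page_url).scheme != "https":
        findings.append("page served over plaintext HTTP")

    headers = {k.lower(): v for k, v in response_headers.items()}
    if "strict-transport-security" not in headers:
        findings.append("no Strict-Transport-Security header (browsers may still try HTTP)")

    parser = _FormCollector()
    parser.feed(html)
    for action, method in parser.forms:
        # A relative action inherits the page's scheme; an absolute http:// one does not.
        target = urljoin(page_url, action)
        if urlsplit(target).scheme != "https":
            findings.append(f"form submits to non-HTTPS target {target}")
        if method != "post":
            findings.append(f"form to {target} uses {method.upper()}: fields end up in URLs and logs")
    return findings


# Constructed sample: an HTTPS page with no HSTS, one form posting to plain HTTP
# and one GET form for an appointment request.
SAMPLE_URL = "https://clinic.example/contact-us"
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8"}
SAMPLE_HTML = """
<html><body>
<form action="http://forms.example.org/contact" method="post">
  <input name="name"><input name="phone"><input name="reason">
</form>
<form action="/appointment" method="get">
  <input name="email"><input name="condition">
</form>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_HTML):
        print("-", finding)
```

Run against a live page by fetching the HTML and headers with whatever HTTP client you use and passing them in; the checker deliberately does no network I/O of its own so it can run against saved crawls.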

Social media can be a danger zone. Social media is a useful tool to talk about many things under the broad medical umbrella. That said, anything that is specific to an individual patient or identifiable info—even photographs—can violate personal privacy.


Use caution responding to online comments and review sites. It can be tempting to use specific, “he-said-she-said” replies to Internet-posted comments—especially negative mentions. It’s OK to be responsive, but a provider’s reply must avoid reference to a specific, identifiable or individual patient. Even acknowledging that someone is a patient would be inappropriate.

Your favorite iPhone or Blackberry is a target for theft. Mobile devices—a favorite among doctors—are compact and easily “snatch-able,” and that opens the door to cyber theft of stored or accessible information. What’s more, mobile devices themselves that are used to exchange doctor-patient communications may not be secure or HIPAA compliant.

Look for additional articles in this series…

There’s no question that compliance is vitally important for hospitals, group practices, and healthcare providers. In addition, medical websites are an important connection between the professional and the public. HIPAA’s privacy and security rules are a critical consideration. Check with your legal advisor and avoid compliance issues online.

Read More : https://www.healthcaresuccess.com/blog/internet-marketing-advertising/hipaa-compliant.html?wp_seo

How To Learn HIPAA’s Contingency Planning guidelines

Key Takeaway:

HIPAA has guidelines for meeting what should perhaps be the most important business requirement for healthcare organizations: contingency planning. These are aimed at helping healthcare organizations meet the core HIPAA requirement of ensuring the integrity, security and privacy of Protected Health Information (PHI).

HIPAA has a few important requirements and guidelines for contingency planning. These HIPAA contingency planning guidelines are a valuable guide to the healthcare industry. While formulating these requirements, HIPAA has based its thinking on the core aspects of risk management that most organizations in any sector would apply.


First, an understanding of contingency planning

Contingency planning is a crucial element of risk management. Contingency planning, as the term denotes, is the act of preparing the organization for emergencies, which can be of any kind. In management circles, contingency planning is often referred to as "Plan B".

When organizations develop a contingency plan, they have to take several important factors into consideration. The most important points to think about are:

  • What could likely happen?
  • How do we plan to tackle these emergencies?
  • How do we prevent these?


Applying the principles of risk management to HIPAA contingency planning guidelines

HIPAA contingency planning guidelines tailor these parameters to the healthcare industry. This is done keeping in mind its core intention of ensuring security and integrity of protected health information (PHI) and electronic protected health information (ePHI).

HIPAA contingency planning pioneered standards relating to PHI; before these, none of their kind existed. HIPAA contingency planning requires that electronic health information security be defined, documented, and demonstrably effective. This is the bedrock of HIPAA contingency planning.

HIPAA contingency planning guidelines consist of the following components, which healthcare organizations are required to implement in sequence:

  • Business impact analysis and risk assessment
  • A plan for disaster recovery
  • Implementing the disaster recovery plan
  • Testing of the disaster recovery plan
  • Execution of the disaster recovery plan

These constitute Parts 1 to 5 of the Contingency Planning Process; beyond them, Part 6 sets out more elaborate standards for meeting HIPAA contingency planning guidelines.

Read More : https://www.mentorhealth.com/control/contingency-planning?wp_seo

TIPS FOR PASSING HIPAA AUDIT

Passing a HIPAA audit is a daunting task, and for a hosting solution to pass one, several basic fundamentals need to be covered. Avoiding heavy fines and earning federal incentives under the Health Information Technology for Economic and Clinical Health (HITECH) Act were the major drivers for the healthcare industry to adopt electronic medical record systems.

For each of the Administrative, Physical and Technical safeguards there are rules or standards that any covered entity needs to comply with. A HIPAA audit means that an independent auditor examines your processes, policies, hosting solutions and facilities. To pass a HIPAA audit, follow these tips:


1] Document data management: document the data management, security, training and notification plans. This gives a clear record of what has been collected and how it is kept from leaking to outsiders.

2] Password policy for access: every piece of stored information should sit behind authentication. All information collected from patients is confidential, and only authorized personnel should be able to see it. Each user needs a unique account and password; shared credentials defeat the audit trail, and the HIPAA Security Rule requires unique user identification.

3] Encrypted information: all protected health information (PHI) should be stored in encrypted form so that confidentiality is maintained, whether it sits in a database or on a server. In particular, if information is transmitted to third parties or other business associates, it should be encrypted. Restrict access to the encryption keys to as few people as possible; the protection lies in the keys, not in keeping the algorithm secret. Any information that could identify a patient, such as images or scans, should be encrypted as well.

4] Avoid FTP: plain FTP sends credentials and data in the clear and should not be used to transfer PHI. Transfer information over an encrypted channel such as SFTP, FTPS or HTTPS.


5] Login retry protection: your application should limit failed login attempts, for example by locking the account or throttling further attempts after a set number of failures, so that passwords cannot be guessed by brute force.
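As an added example of the retry protection described in tip 5 (this is not code from the original article), the following tracks failed logins per account, locks the account after a threshold of failures inside a time window, and doubles the lock duration on each repeat lockout. The user store, salt and thresholds are constructed for the demonstration and would be set by policy in a real deployment; the clock is injectable so the behaviour can be tested without waiting.

```python
"""Added example: login retry protection with escalating lockouts."""
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed user store: account -> (salt, PBKDF2-HMAC-SHA256 hash). Never store
# plaintext passwords; the fixed salt here only keeps the example repeatable.
_SALT = b"constructed-example-salt"
_USERS = {
    "nurse1": (_SALT, hashlib.pbkdf2_hmac("sha256", b"correct-horse-battery", _SALT, 100_000)),
}


def verify_password(account, password):
    """Constant-time comparison against the stored hash; unknown accounts still pay
    the hashing cost so response time does not reveal whether an account exists."""
    salt, stored = _USERS.get(account, (_SALT, b"\x00" * 32))
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return account in _USERS and hmac.compare_digest(candidate, stored)


class LoginThrottle:
    """Per-account failed-attempt tracking.

    After `threshold` failures within `window` seconds the account is locked for
    `base_lock` seconds; each subsequent lockout doubles the delay up to `max_lock`.
    A successful login clears the history.
    """

    def __init__(self, threshold=5, window=900, base_lock=60, max_lock=3600,
                 clock=time.monotonic):
        self.threshold, self.window = threshold, window
        self.base_lock, self.max_lock = base_lock, max_lock
        self.clock = clock
        self._failures = defaultdict(list)   # account -> failure timestamps
        self._locked_until = {}              # account -> time the lock expires
        self._lock_count = defaultdict(int)  # account -> lockouts so far

    def is_locked(self, account):
        until = self._locked_until.get(account)
        return until is not None and self.clock() < until

    def record_failure(self, account):
        """Record a failed attempt; return the lock duration in seconds (0 if none)."""
        now = self.clock()
        recent = [t for t in self._failures[account] if now - t <= self.window]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) < self.threshold:
            return 0
        delay = min(self.base_lock * 2 ** self._lock_count[account], self.max_lock)
        self._locked_until[account] = now + delay
        self._lock_count[account] += 1
        self._failures[account] = []
        return delay

    def record_success(self, account):
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)
        self._lock_count.pop(account, None)


def attempt_login(throttle, account, password, verify=verify_password):
    """Return 'locked', 'ok' or 'denied'. The lock is checked before the password
    is verified, so a locked account cannot be used as a password oracle."""
    if throttle.is_locked(account):
        return "locked"
    if verify(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "denied"
```

Every lockout should also be written to the audit log: the HIPAA Security Rule's audit controls expect failed-access events to be reviewable, and a burst of lockouts across many accounts is the signature of a password-spraying attack rather than a forgetful user.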

6] Save time and resources by hosting with a company that has a Business Associate Agreement (BAA) in place: a provider with a BAA and existing audit documentation lets the auditor rely on those documents rather than conduct a fresh audit of the hosting environment, which saves a great deal of time and resources.

7] Mode of access: access to sensitive data should be web based over TLS (HTTPS). This helps in complying with the HIPAA standards.

8] Remote access: remote access should go through a VPN.

9] Plan for disaster recovery: a disaster is a dreadful situation, and to face it there should be a properly documented disaster recovery plan. As a healthcare organization dealing with protected health information, you are liable to maintain its confidentiality. Your IT department will help with the technology used to store and transmit patient information, but you alone are accountable for compliance with the HIPAA standards.


HIPAA Compliance Checklist and Employee Sanctions

A HIPAA compliance checklist is the tool to turn to when imposing sanctions on employees for HIPAA privacy breaches.  It may feel like a never-ending and thankless task, but consider the alternatives.  It can be tempting to adopt a “no harm, no foul” approach to employee sanctions.  But this is not the way the Office for Civil Rights, the government agency that investigates HIPAA breaches, looks at things.  To that end, your HIPAA Compliance Checklist must also address employee sanctions.

HIPAA is all about protecting PHI

There are numerous examples of the OCR imposing penalties on organizations for not protecting PHI.  And these penalties are imposed even though there was no evidence of anyone receiving or accessing any PHI in cases where a breach occurred.

  • The OCR considers encryption of ePHI by malicious software (e.g., ransomware) to be an unauthorized disclosure not permitted under the Privacy Rule.  A ransomware attack is presumed to be a breach unless the organization can demonstrate a low probability that the PHI has been compromised.  If it cannot reach that conclusion, it is required to comply with the applicable breach notification provisions, even if there is no evidence that the PHI was viewed by anyone else.
  • An employee of Cancer Care Group of Indianapolis left unencrypted back-up media in a bag in a car; the car was broken into and the bag stolen.  There was no evidence that any information was ever disseminated, but the OCR imposed a penalty of $750,000 on the group.
  • The OCR imposed a settlement of $400,000 on Idaho State University for a breach of unsecured ePHI because the school had left its firewalls disabled for over 10 months!   Again, there was no indication that PHI was accessed by any unauthorized person; it was simply not protecting its PHI.

These are just a few examples of settlements, some involving employees failing to follow procedures, or where there were no procedures at all.  In these cases, penalties were imposed even though no information was shown to have been accessed by unauthorized parties.


HIPAA compliance requirements do not explicitly link employee sanctions to reportable HIPAA breaches

It is certainly possible to have an unauthorized disclosure that is not a reportable breach.  A breach is defined as the acquisition, access, use or disclosure of protected health information in a manner not permitted under the regulations, which compromises the security or privacy of that protected health information.

These days, employees are often the source of breaches.  They include events from lost laptops to including PHI in social media posts occurring almost daily.  It is very important to include a policy on employee sanctions in your HIPAA Compliance Checklist.  An employee sanctions policy can and should take into account the potential harm from the unauthorized disclosure.  But a “no harm, no foul” approach may leave the organization open to penalties by the OCR.

 

A HIPAA compliance checklist for employee sanctions policies should address several issues

  1. The policy should reference 45 CFR 164.530(e), in the Privacy Rule's administrative requirements, which requires covered entities to have and apply appropriate sanctions against members of their workforce; the Security Rule repeats the requirement at 164.308(a)(1)(ii)(C).
  2. Section 6102(b)(4)(F) of the Affordable Care Act also requires that the standards be consistently enforced through disciplinary mechanisms.
  3. Most policies utilize a Level system, tying the action of the employee and the effect on unauthorized disclosure of PHI to the sanction recommended.  Levels could start from situations where an employee did not follow procedures, but there was no unauthorized disclosure of PHI.  Levels usually top out at situations where the actions were malicious and willful, causing harm or intending to cause harm to the patient.
  4. Mitigating factors may be enumerated, and repeated patterns of violation may result in a higher level of discipline.


Employee Sanctions should be standardized

Organizations usually strive to administer most disciplinary policies in a consistent, standardized way.  Employee sanctions for HIPAA violations are no different.  Inconsistent application can carry consequences ranging from confusing messages to erosion of public trust to vulnerability to penalties and fines.

One way to increase standardization of disciplinary actions is to develop a grid, matching the riskiness of the actions to the level of sanction.

The HIPAA regulations explicitly require organizations to have and apply appropriate sanctions against workforce members who fail to comply with the privacy policies and procedures of the organization.  While sanctions can be related to the incident and the potential harm, they also need to demonstrate that the organization is taking seriously its responsibility to protect the privacy of patient information – even when there is no evidence of unauthorized disclosure or when the breach is not reportable.

Regardless of the method you choose to develop employee sanctions, make sure your HIPAA compliance checklist addresses appropriate sanctions, and implement your policies consistently!   Healthcare Compliance requirements must be truly effective.

How do Spectre and Meltdown Impact Healthcare IT Privacy?

Spectre and Meltdown are critical security vulnerabilities caused by flaws in the way processor hardware is designed. Both abuse speculative execution, a performance technique in which the processor runs instructions before it knows whether they are needed, to gain access to data that would otherwise be private: Meltdown lets an unprivileged process read kernel memory, and Spectre tricks other code into leaking the contents of its own memory.

The technical details of Spectre and Meltdown have been discussed in-depth elsewhere, so in this article, I’d like to look at the practical consequences for healthcare organizations.

Spectre and Meltdown are everywhere
All unpatched servers are vulnerable because, between them, Spectre and Meltdown affect the vast majority of processors used in servers, including those manufactured by Intel, AMD, and companies that use ARM chip designs in their processors. (Meltdown itself was confined largely to Intel and some ARM cores; Spectre affects all three.)

Clearly, this should worry healthcare organizations that are required to store data according to the privacy and security rules of HIPAA. Is that data at risk? The one-word answer to that question is yes, but it depends on how quickly your hosting provider or server admin team react.


Operating system developers, including Microsoft and the Linux kernel project, have released patches that work around Spectre and Meltdown. Chip manufacturers have released firmware patches that also mitigate the risk.

Responsible HIPAA-compliant server hosting providers have reacted quickly to patch their servers, but there’s a worry that less responsible hosting providers or healthcare organizations that manage their own servers may be slow to update, putting their businesses and their patients at risk.

How can Spectre and Meltdown be used against healthcare organizations?
The biggest danger is for healthcare organizations that use the cloud or shared hosting. In theory, a malicious actor with an account or virtual machine on the same server could run code which gives them access to data owned by other clients on the same server. Clearly, this would be a breach of HIPAA’s security and privacy rules, which mandate technical safeguards aimed at preventing third-parties from accessing Protected Health Information.

The really pernicious aspect of Spectre and Meltdown is that they bypass many of the protections built into HIPAA-compliant hosting. Encryption at rest, for example, does not by itself keep data safe from them: to be used, data has to be decrypted into memory, and because Meltdown can read the kernel's memory and Spectre can (in theory at least) read the memory of other processes, it is the decrypted data that leaks. The encryption keys themselves, while held in memory, are exposed to the same attack.

The risk is lower for healthcare organizations that use dedicated servers. There is no risk of a hosting client running code that would allow them to access the data of other hosting clients using the same server, because dedicated servers are “owned” by a single client.

Even though the risk is lower, a dedicated server does not remove every source of risk. Any situation in which a third party can run code on the server has the potential to be exploited. If an attacker were able to brute-force a user account on the server, they might be able to read private information that would normally be inaccessible to that account. It is also possible that a remote code execution vulnerability in other software could be exploited to gain local access and then run Spectre or Meltdown code.

The only effective mitigation is to apply the operating system and firmware (microcode) updates to the affected servers, and then to confirm that the kernel actually reports the mitigations as active; a patched kernel running on unpatched microcode can still report itself vulnerable to some variants. Healthcare organizations should ask any third-party hosting provider to confirm that the patches have been applied. Healthcare organizations that manage their own servers should update as soon as possible.
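One way to perform that confirmation on a Linux server, as an added example that is not part of the original article: Linux 4.15 and later expose one file per issue under /sys/devices/system/cpu/vulnerabilities/ (for example meltdown, spectre_v1, spectre_v2), each containing "Not affected", "Mitigation: ..." or "Vulnerable...". The script below reads that directory, or any directory of the same shape that you copy off a host, classifies each status, and exits non-zero if anything is still reported vulnerable or unreported. The list of required entries and the classification strings are assumptions made for this example; the sample directory contents used when you pass a path are yours, not real data from the page.

```python
"""Added example: check the Linux kernel's self-reported speculative-execution
mitigation status. Not code from the original article.

The directory path is a parameter so the same logic can run against the live
sysfs tree or against a copy pulled from a remote host.
"""
from pathlib import Path

SYSFS_VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Assumption for this example: these three must be present on any kernel that
# carries the January 2018 fixes; newer kernels add more files (l1tf, mds, ...).
REQUIRED = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status: str) -> str:
    """Map a kernel status string to ok / vulnerable / unknown."""
    s = status.strip()
    if s.startswith("Not affected") or s.startswith("Mitigation:"):
        return "ok"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_status(vuln_dir: Path = SYSFS_VULN_DIR) -> dict:
    """Return {issue_name: raw status line}.

    An empty dict means the interface is absent: either this is not Linux or
    the kernel predates the fixes entirely, which is itself a finding.
    """
    if not vuln_dir.is_dir():
        return {}
    return {p.name: p.read_text().strip()
            for p in sorted(vuln_dir.iterdir()) if p.is_file()}


def audit(statuses: dict, required=REQUIRED) -> list:
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    if not statuses:
        return ["kernel does not report mitigation status: too old to carry the fixes"]
    for name in required:
        if name not in statuses:
            findings.append(f"{name}: not reported by this kernel")
    for name, status in statuses.items():
        verdict = classify(status)
        if verdict != "ok":
            findings.append(f"{name}: {verdict} ({status})")
    return findings


if __name__ == "__main__":
    import sys
    path = Path(sys.argv[1]) if len(sys.argv) > 1 else SYSFS_VULN_DIR
    statuses = read_status(path)
    for name, status in statuses.items():
        print(f"{name:24} {classify(status):10} {status}")
    problems = audit(statuses)
    for p in problems:
        print("FINDING:", p)
    sys.exit(1 if problems else 0)
```

Run it with no arguments on the server itself, or with the path of a copied directory. On Windows the equivalent check is Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings), which likewise reports whether both the OS and the hardware/firmware support for each mitigation are present.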

Carrie Wheeler is Chief Operations Officer and Head of Support at Liquid Web, a fully managed hosting company focused on web and cloud professionals. Liquid Web provides hosting solutions for everyone, including HIPAA Compliant Hosting.

5 Essential Steps to Ensure an Effective HIPAA Program

HIPAA compliance is a term that is often thrown around the healthcare industry; however, I commonly ask myself whether the meaning of HIPAA compliance is the same throughout the industry. The answer is NO! When I walked into a healthcare organization last month, its HIPAA Privacy Officer was excited to tell me that they were fully HIPAA compliant and had no ongoing concerns about meeting the regulations. A quick review of the documentation requirements and auditing practices showed many holes in their HIPAA compliance program. As I spoke with the HIPAA Privacy Officer, she showed me the tool she had used to get to their current state with HIPAA. Needless to say, the tool was missing core components of the documentation requirements and had none of the specific essentials for ongoing maintenance of compliance. This left the organization at risk of a HIPAA data breach or an unauthorized use or disclosure of health information!


Trying to achieve a satisfactory level of HIPAA compliance at an organization can be a frustrating and daunting task. Sitting down to read the rule can be overwhelming. Digging through the pages of a HIPAA manual or diving into the Federal Register can feel impossible alongside all the other tasks assigned within a job. It is also tempting to try to solve your HIPAA compliance problem in one day or one week; however, this often leads to failure and to a program that does not actually protect your patient information.

We don't wake up one morning, decide to run a marathon and go out and accomplish the overwhelming 26.2 miles (well, most of us). Normally, if you are going to run a marathon, you find a training program that lasts 16-18 weeks, plan cross-training activities within it, and ask for support and help along the way. That concept and mindset can be transferred to HIPAA compliance as well!

One of the most effective ways to implement a solid HIPAA program is to create an action plan for compliance and assign small, regular tasks that work through the entire HIPAA regulation. It is very important that HIPAA is an ongoing process within the organization. It is not a "one and done" regulation, because of the nature of the work we do in healthcare and the rapid changes in the technologies we use.


To help with HIPAA compliance, here are 5 essential steps that must be taken to build a solid HIPAA compliance program.

  1. Conduct a Risk Assessment/Analysis – if you haven't conducted a risk analysis recently, conduct one again soon. Make sure you end up with a risk analysis report that records how the analysis was conducted, what systems were evaluated and what risks were identified. Remember, don't stop there: you must create a risk management plan and mitigate and/or address every risk identified.
  2. Create, Review and/or Update all HIPAA policies and procedures – policies and procedures are the foundation for success with HIPAA compliance. Conduct a gap analysis of your policies and procedures, looking for policies you are missing or policies that don't meet the minimum requirements. Then ensure that your organization is actually following the policies you have created. Use the HIPAA audit protocol as a guide for what the policies and procedures should contain; it sets out what auditors expect to find written down.
  3. Provide Workforce HIPAA Education – educating your entire workforce is an essential step in HIPAA compliance. Your workforce should know and understand what HIPAA is and the processes and procedures established within your organization, including where the HIPAA policies and procedures are stored and maintained.
  4. Conduct regular HIPAA Audits – the Security Rule's audit controls standard (45 CFR 164.312(b)) requires mechanisms to record and examine activity in systems that contain electronic PHI, so that the organization knows who is accessing what protected health information and for what purpose. A strong HIPAA audit program helps reduce the risk from insiders as well as from inappropriate external access to systems. It also lets an organization see where it may be out of compliance and take the appropriate corrective actions.
  5. Use Security Technologies – HIPAA doesn't mandate any specific technology; however, technology can support HIPAA compliance within an organization. Work with your information technology department or IT vendor to determine where security technologies can assist with compliance. Examples include encryption, intrusion detection software, and audit logging software.
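What an access-log review under step 4 looks like in practice, as an added example that is not part of the original article: the script below answers "who accessed which record, and did they have a reason to?" by cross-checking each EHR access against the patients the user was scheduled to treat, and adds two simple behavioural rules (access outside normal hours, and an unusual number of distinct charts in one hour). The log format, field names, business-hours window and threshold are assumptions made for the example, and the log lines and encounter table are constructed, not real data. A real program would pull both from the EHR's audit log and scheduling system.

```python
"""Added example: a minimal EHR access-log review of the kind a HIPAA audit
program performs. Not code from the original article; formats and thresholds
are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, user, role, patient_id, action
ACCESS_LOG = """\
2023-03-06T09:12:44,nurse.kim,RN,P1001,VIEW_CHART
2023-03-06T09:15:02,nurse.kim,RN,P1002,VIEW_CHART
2023-03-06T13:40:10,dr.patel,MD,P1002,VIEW_CHART
2023-03-06T23:58:31,clerk.lee,REG,P1001,VIEW_CHART
2023-03-06T23:59:05,clerk.lee,REG,P1003,VIEW_CHART
2023-03-06T23:59:40,clerk.lee,REG,P1004,VIEW_CHART
2023-03-06T23:59:58,clerk.lee,REG,P1005,PRINT_CHART
2023-03-07T08:02:17,dr.patel,MD,P1009,VIEW_CHART
"""

# Constructed sample of scheduled encounters: (user, patient_id) pairs that
# establish a treatment relationship for the period under review.
ENCOUNTERS = {
    ("nurse.kim", "P1001"), ("nurse.kim", "P1002"),
    ("dr.patel", "P1002"),
    ("clerk.lee", "P1001"),
}

# Assumed review parameters: adjust to the organization's own shifts and norms.
BUSINESS_HOURS = range(6, 22)   # 06:00-21:59 counts as a normal shift
MAX_PATIENTS_PER_HOUR = 3       # more distinct charts than this in an hour is unusual


def parse_log(text: str) -> list:
    """Parse the comma-separated sample format into dicts with a datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "patient": patient, "action": action})
    return records


def find_findings(records, encounters=ENCOUNTERS) -> list:
    """Return (rule, user, detail) tuples for a reviewer to follow up."""
    findings = []
    per_hour = defaultdict(set)  # (user, hour bucket) -> distinct patients
    for r in records:
        when = r["ts"].isoformat()
        # Rule 1: access to a patient the user has no documented relationship with
        if (r["user"], r["patient"]) not in encounters:
            findings.append(("no_treatment_relationship", r["user"],
                             f'{r["patient"]} {r["action"]} at {when}'))
        # Rule 2: access outside the assumed business-hours window
        if r["ts"].hour not in BUSINESS_HOURS:
            findings.append(("after_hours_access", r["user"],
                             f'{r["patient"]} at {when}'))
        per_hour[(r["user"], r["ts"].strftime("%Y-%m-%dT%H"))].add(r["patient"])
    # Rule 3: unusually many distinct charts opened by one user in one hour
    for (user, hour), patients in per_hour.items():
        if len(patients) > MAX_PATIENTS_PER_HOUR:
            findings.append(("high_volume", user,
                             f"{len(patients)} distinct charts in hour {hour}"))
    return findings


def summarize(findings) -> dict:
    """Count findings per user, highest first, so outliers surface at the top."""
    counts = defaultdict(int)
    for _, user, _ in findings:
        counts[user] += 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    fs = find_findings(parse_log(ACCESS_LOG))
    for rule, user, detail in fs:
        print(f"{rule:26} {user:12} {detail}")
    print(summarize(fs))
```

On the constructed sample the clerk who opened four charts at midnight, three of them for patients not on their schedule, accounts for nearly all the findings; the physician's single out-of-schedule access is the kind of item a reviewer would check against an unscheduled consult before treating it as a problem. Each finding is a lead for the review, not proof of misuse, and the review and its outcome should themselves be documented.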

Again, take the mindset of working a little on these tasks each week, and eventually you will get there. Anyone can build a solid HIPAA compliance program that has all the components the regulations require! Don't wait – act now!


How to meet HIPAA Requirements When Working Remotely

In the last 10 years, the number of people telecommuting in the U.S. has increased by a staggering 115 percent [1]. Ever-evolving technology is making it easier for employees to work from home, saving a company as much as $11,000 annually per telecommuting employee. While there are several advantages to working remotely, there is a serious risk for those obligated to comply with HIPAA: keeping clients' protected health information (PHI) safe. Not convinced it's a big deal? The Department of Health and Human Services Office for Civil Rights (HHS OCR) has levied hefty financial penalties when entities have failed to properly oversee and manage their telecommuters' access to and protection of PHI.

In 2015, Cancer Care Group agreed to a settlement of $750,000 after a laptop computer and a backup drive were stolen from a telecommuting employee's car. The laptop contained the PHI of more than 50,000 patients. OCR determined that, prior to the breach, Cancer Care Group had been in widespread non-compliance with the HIPAA Security Rule: it had not conducted an enterprise-wide risk analysis, and it had no written policy governing the removal of hardware containing PHI from its facilities [2].


A similar case cost respiratory medical group Lincare almost $240,000 when a remote employee breached the PHI of 278 patients by exposing and abandoning their sensitive information. The HHS administrative law judge ruled that Lincare did not have adequate policies and procedures in place to safeguard patient information taken off-site, despite the fact that employees who worked in patients' homes routinely removed PHI from Lincare offices. Lincare also had an unwritten policy that required certain employees to store PHI in their vehicles for extended periods [3]. The trouble didn't end there for the company. Last October, former Lincare employees filed a class-action lawsuit against the company, claiming negligence with regard to their personally identifiable information (PII) and that identity theft could result from a Lincare data breach [4].

How do you best protect your clients' PHI when staff work remotely? What can you do to safeguard your organization from HIPAA violations? Total HIPAA has compiled a list of requirements you need to document and actions you need to take to protect you and your clients.

More info: https://www.totalhipaa.com/meeting-hipaa-requirements-working-remotely/?wp_seo