Ransomware Causes Allscripts EHR Breach, HIPAA Violations

Ransomware breaches are becoming commonplace in healthcare settings, and this most recent attack is just another part of that pattern.

Allscripts is an electronic health records (EHR) platform that provides services to hospitals, pharmacies, and ambulatory services across the country.

In late January 2018, Allscripts was hit by a ransomware attack that shut down its Professionals EHR and Electronic Prescriptions for Controlled Substances (EPCS), among other services. Of the thousands of physician practices, post-acute agencies, and hospitals that use Allscripts, 1,500 organizations were affected by the attack.

Now, an affected organization is looking to take legal action. Surfside Non-Surgical Orthopedics, based out of Boynton Beach, Florida, is an Allscripts client alleging that the EHR left them without access to critical services from the date of the breach on January 18 through January 24. Surfside will potentially launch a class-action lawsuit against Allscripts for insufficiently monitoring its data systems in the cloud, which failed to prevent this attack from impacting clients.


Ransomware and HIPAA: More than Just a Data Breach

The Allscripts case proves, more than anything, that ransomware attacks can have multi-faceted repercussions on any health care business.

Affected organizations will need to deal with the fallout of ransomware on their operations, which can shut down a business or practice for days until service or access is restored. And if any protected health information (PHI) was involved in the breach, such as names, addresses, or medical records, organizations will also need to deal with incident management as required by HIPAA regulation.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released guidance on HIPAA and ransomware after a string of incidents in 2016. The guidance clarified that if a ransomware attack targets unencrypted or unsecured data, then the breach likely constitutes a HIPAA violation and must be reported.

When a breach occurs that affects more than 500 individuals, organizations are required, as per the HIPAA Breach Notification Rule, to notify those individuals within 30 days of the discovery of the breach. The breach must also be reported to HHS OCR on its breach-reporting portal, along with local law enforcement and news agencies. These breaches can escalate into HIPAA investigations and fines if OCR perceives that an organization has not made a good faith effort toward HIPAA compliance.

EHR Risks Only Growing…

Over the past few years, EHR platforms have been subject to greater risks than ever before. This is due in part to the value of health care data stored on these systems. PHI can sell for three to ten times more than financial information on the black market, which means that vulnerable health care data is low-hanging fruit for hackers.


Some industry best practices for maintaining the integrity of PHI, even when it is stored on a cloud-based system such as an EHR, can be instituted in most practices. These safeguards include full disk encryption and off-site data backup. It should be noted, though, that even with these measures in place, health care professionals can only mitigate the effects of a malware incident, not fully prevent one from occurring in the first place.

If an organization has been targeted by a ransomware attack, these measures can ensure that operations and access to data continue to flow smoothly: there is no need to resort to pen and paper when data can be accessed from a secure, off-site backup. But the data that has been ransomed is still compromised, especially if that data was unencrypted.

Protecting Your Business

Using an EHR system is fast becoming a mandatory part of running a health care business. But that doesn’t mean you can’t prepare for future ransomware and data breaches right now. EHR and HIPAA compliance go hand in hand to protect your business.

As we mentioned above, off-site data backup and full disk encryption are key to maintaining the security and integrity of PHI.

But you can take it one step further and even protect your business from liability in the event of a data breach caused by your EHR by implementing a HIPAA compliance program in your organization. In addition to addressing the legally required regulatory standards of HIPAA, you can ensure that the data you share with your EHR provider is protected with a Business Associate Agreement (BAA).

A Business Associate Agreement is a legal contract required by HIPAA regulation, which must be executed between health care organizations before ANY PHI may be shared. In addition to being legally required by HIPAA, BAAs are a powerful tool your organization can use to protect yourself in the event of a ransomware attack or data breach caused by your EHR platform.

If you have yet to execute a BAA with your EHR platform, implementing an effective HIPAA compliance program will give your practice everything you need to address the law, including fully documented BAAs.

HIPAA compliance gives your business the tools you need to maintain the security, privacy, and integrity of your PHI to avoid being exposed to HIPAA breaches and fines!

De-Identification of PHI under HIPAA

As health information grows, sharing it among healthcare providers and researchers is necessary for providing and advancing healthcare services and healthcare research. But the Health Insurance Portability and Accountability Act (HIPAA) of 1996 severely limits how Protected Health Information (PHI) can be shared. It also has restrictions regarding how to protect it when it is shared.

One way of legally sharing PHI is to de-identify the information. Once PHI has been properly de-identified, it is no longer protected under HIPAA and may be shared freely without limitation, which makes it far easier to share than identifiable information.


De-identification has to be done diligently

Yet de-identification is not easy, and if it is not done correctly, the sharing of the information may be considered a breach that requires reporting to HHS and carries the potential for penalties and corrective action plans. Any information released without being properly de-identified can result in fines and corrective action plans that can run into the millions of dollars. It is therefore necessary to ensure that the resulting information is truly de-identified and that its use or disclosure will not result in a reportable breach under HIPAA.

Despite the strict controls imposed by HIPAA, a few loopholes, such as the patient’s initials, may make it possible to guess vital information about the patient. It is to avoid such a scenario that the right process needs to be followed, so that data is shared appropriately: either as identifiable information, as a partially de-identified Limited Data Set, or as properly de-identified information.

Detailed learning on all the areas of de-identification

Clarity on these vital areas will be offered at a webinar being organized by MentorHealth, a leading provider of professional training for the healthcare industry. The speaker at this session will be Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm founded in 1982 that provides information privacy and security regulatory compliance services to a wide variety of health care entities.

Please visit to gain valuable guidance on the crucial aspect of de-identification of PHI under HIPAA.

Jim will explain the guidance from the HHS Office for Civil Rights (OCR) and from the National Institute of Standards and Technology (NIST) on how to properly de-identify health information. He will explain the various needs for de-identified information and examine the typical questions that are covered in the guidance. The aim of this discussion is to provide a sound, defensible basis for an organization’s decisions and processes surrounding de-identification of PHI.


Commonly used procedures for de-identification

Commonly used procedures for de-identification of Protected Health Information include:

  • Removing all eighteen of the listed identifiers, along with anything else that might be used to identify the individual to whom the information relates.
  • Getting an expert to certify that the information is not identifiable.

Even these steps are not foolproof. More scrutiny is needed to be sure the data cannot be identified. Jim will show the specific steps that a healthcare provider must go through to ensure that de-identification of PHI is carried out properly. He will help the participants explore the concepts and methods of de-identification and many of the typical questions that arise.

The following areas will be covered at this session:

  • De-identification and its Rationale
  • The De-Identification Standard
  • Preparation for De-identification
  • Guidance on Satisfying the Expert Determination Method
  • Who is an expert, how do experts assess the risk of identification of information, what are the approaches by which an expert assesses the risk that health information can be identified, and what are the approaches by which an expert mitigates the risk of identification of an individual in health information
  • Guidance on Satisfying the Safe Harbor Method.
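As an added illustration of the Safe Harbor method the session covers (example code written for this page, not material from the webinar or from MentorHealth), the following Python applies the rule-based parts of Safe Harbor to a constructed patient record and refuses any record whose free text still carries identifier-like strings; the field names, the free-text patterns, the reference date and the sparse-ZIP prefix list are assumptions noted in the code.

```python
"""Safe Harbor style de-identification of a patient record (added example,
not code from the page or the webinar). It mechanises the rule-based parts
of HIPAA Safe Harbor, 45 CFR 164.514(b)(2): direct identifiers and sub-state
geography are dropped, dates are reduced to the year, ages of 90 and over
become "90+", ZIP codes are cut to three digits ("000" for sparse prefixes),
and free text is refused if SSN- or phone-like strings remain. The last Safe
Harbor condition, no actual knowledge that the rest could identify the
person, cannot be automated and still needs human review.
"""
import re
from datetime import date
from typing import Dict, List

# Removed outright. Field names are constructed; map a real layout onto them.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric", "photo",
}
FREE_TEXT_FIELDS = {"notes"}

# Three-digit ZIP prefixes covering 20,000 people or fewer, per OCR's
# guidance (2000 Census); re-check against current Census data before use.
SPARSE_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")


def generalize_zip(zip_code: str) -> str:
    """Keep the first three ZIP digits, or '000' if the prefix is sparse."""
    digits = re.sub(r"\D", "", zip_code)
    if len(digits) < 5:
        return "000"  # malformed ZIP: generalise fully rather than guess
    zip3 = digits[:3]
    return "000" if zip3 in SPARSE_ZIP3 else zip3


def compute_age(dob: date, as_of: date) -> int:
    """Whole years between dob and as_of."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def residual_identifiers(text: str) -> List[str]:
    """SSN- and phone-like strings that survived in free text."""
    return SSN_RE.findall(text) + PHONE_RE.findall(text)


def deidentify(record: Dict[str, str], as_of: date) -> Dict[str, object]:
    """Safe Harbor de-identified copy of record. Raises ValueError rather
    than returning a partially cleaned record when a date cannot be parsed
    or free text still carries an identifier (fail closed, do not leak)."""
    out: Dict[str, object] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key in FREE_TEXT_FIELDS:
            found = residual_identifiers(value)
            if found:
                raise ValueError(f"identifier-like text in {key}: {found}")
            out[key] = value
        elif key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "date_of_birth":
            dob = date.fromisoformat(value)  # ValueError on a bad date
            age = compute_age(dob, as_of)
            if age >= 90:
                out["age"] = "90+"  # a birth year would reveal an age over 89
            else:
                out["age"] = age
                out["birth_year"] = dob.year
        elif key.endswith("_date"):  # admission, discharge, death: year only
            out[key[:-5] + "_year"] = date.fromisoformat(value).year
        else:
            out[key] = value
    return out


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0001234",
    "street_address": "1 Example Way",
    "city": "Anytown",
    "state": "FL",
    "zip": "20001",
    "date_of_birth": "1925-05-20",
    "admission_date": "2018-01-18",
    "diagnosis": "I10",
    "notes": "Follow-up visit scheduled.",
}
AS_OF = date(2018, 1, 24)  # constructed reference date for age computation
```

Running `deidentify(SAMPLE_RECORD, AS_OF)` keeps only state, zip3, the "90+" age bucket, the admission year, the diagnosis and the cleared notes.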


HIPAA’s guidelines need to be understood to prepare for, prevent, respond to and recover from ransomware

Ransomware is dangerous and malicious software that infects the operating systems of vulnerable computers. It blocks access to files and demands a ransom for releasing them. After the ransom is paid, usually in a virtual currency such as Bitcoin, the block may be released. Many ransomware attackers, like ransom seekers in real life, blackmail and harass the victim for prolonged periods of time. Sometimes ransomware can block the user’s access to the entire device.

This is how ransomware usually spreads within networks: it arrives as a seemingly innocuous email, asking users to carry out the simplest of tasks, such as opening an attachment to get a surprise. Of course, most unsuspecting users would not be aware of the magnitude of such a surprise.

Once the user does this in anticipation of a ‘reward’, utter chaos can follow. The ransomware can cause disruption across entire affiliated networks. Setting the damage right can take colossal effort, a great deal of time, and unspeakable stress and tension.


HIPAA has guidelines on how to deal with ransomware

It is only natural that there is a high degree of unease and anxiety among people in the US who deal with computer networks, given the extent to which the recent WannaCry ransomware attack spread panic over most of Europe and other locations. Healthcare providers in the US are all the more worried because this ransomware attacked the National Health Service systems in the UK in particular. That they could be the next target is a strong possibility, which is why most healthcare providers need to take major steps to prevent such a ransomware attack. In fact, this recent WannaCry attack is only the latest in a series of attacks, of various types, on healthcare records. Over 100 million medical records were targeted in more than 250 different cyber incidents in the year 2015 alone.

Measures suggested by HIPAA

In view of these facts, and given its primary responsibility of ensuring the security, integrity and availability of medical records, HIPAA has come up with security measures aimed at preventing and countering these attacks. Predictably, these measures are strong and stringent. The HIPAA Security Rule requires Business Associates and Covered Entities to carry out these tasks to counter ransomware attacks:

  • Training needs to be imparted to users, consisting of both staff and the patients, on how to spot malware
  • Putting a security management process in place, the centerpiece of which is carrying out a Risk Analysis to identify the threats and to mitigate risks
  • Discussing the nature and enormity of the problem with patients and educating them on what they can and need to do to prevent attacks
  • Limiting the access to records and any sensitive information they contain
  • Taking appropriate data backups
  • Conceiving and implementing a disaster recovery program
  • Reporting and implementing security incident responses as laid out in 45 CFR 164.308(a)(6)


Effectiveness of these measures is difficult to assess

All the diligence on the part of the HHS notwithstanding, it has a long way to go in implementing HIPAA rules on ransomware. What does it do when, for instance, PHI is never accessed? How does it classify such an event as a breach of data security, when its own rules clearly state that reporting should be done only when there is a breach? What this means is that while some cases of PHI data breach get reported, many more don’t.

Education on how to deal with ransomware

A webinar from MentorHealth, a leading provider of professional training for the healthcare industry, will set all these doubts at rest. The speaker at this webinar, Paul Hales, an expert on the HIPAA Privacy, Security, Breach Notification and Enforcement Rules with a national HIPAA consulting practice based in St. Louis, will show how to put in place the measures HIPAA requires.

Please register for this webinar. This course is approved for 1 general credit from the Nevada Board of Continuing Legal Education.

At this webinar, Paul will explain everything relating to ransomware. The learning includes topics such as the HIPAA rules that relate to ransomware, what kind of “social engineering” tricks hackers use to get ransomware into systems, how an organization can prepare itself for a ransomware attack, and best practices for preventing, preparing for, responding to and recovering from attacks.

He will also cover other areas at this webinar, and these include:

  • How to do a HIPAA Breach Risk Assessment to determine whether a Ransomware attack resulted in a HIPAA Breach, or did not because the assessment demonstrates a low probability of compromise to PHI
  • What the HIPAA Breach Notification Rule requires when a Ransomware attack does result in a Breach of Unsecured PHI
  • The interconnected roles and responsibilities of Covered Entities and Business Associates under the HIPAA Breach Notification Rule concerning Ransomware attacks

Preparing for HIPAA Enforcement

It goes without saying that preparing for HIPAA enforcement is of crucial importance to organizations. The reason: last year saw a spike in the settlement payments ordered under HIPAA. There were as many as seven settlements of over $1 million each. Of these seven, one was for $5.5 million, another was for $3.9 million, and yet another for $2.75 million. These were among a dozen or so resolution agreements and settlements overall. These results point to the fact that HIPAA is continuing to crack the whip as far as enforcement is concerned. This calls for a greater level of vigilance and due diligence from Covered Entities and Business Associates in meeting HIPAA regulations on Protected Health Information (PHI).


HIPAA compliance is important for many other reasons

HIPAA compliance involves two main aspects: A) making sure that the Covered Entity and the Business Associate provide the proper patient rights and controls on how they will use and disclose PHI; and B) putting in place proper policies and procedures. These actions show the authorities that the CEs and BAs have all the necessary documentation in place for safeguarding patient PHI. They also demonstrate the way in which these entities addressed all required security safeguards if they are audited or become the subject of a compliance review.

Learning on how to ensure HIPAA compliance

How do organizations do this? How do they show the HHS that they have the right procedures and processes in place to ensure safeguarding of PHI? The answers to these questions will be provided at a webinar that MentorHealth, a leading provider of professional training for the healthcare industry, is organizing. Jay Hodes, who is President of Colington Security Consulting, LLC, which provides HIPAA consulting services for healthcare providers and Business Associates, will be the speaker.


To understand the proper and thorough means by which organizations can ensure the protection of health information, and to ensure that they take all the steps necessary for preventing data breaches, please enroll for this webinar. Needless to say, a thorough and complete understanding of the fundamentals of HIPAA and the ability to explain and demonstrate the organization’s compliance program is the starting point for all of this. The aim of this valuable learning session is to impart a clear and proper understanding of how healthcare practices, businesses, or organizations need to prepare given the increase in recent HIPAA enforcement, and to make sure their current safeguards are adequate and can withstand government scrutiny. This course is approved for 1.5 general credits from the Nevada Board of Continuing Legal Education.

Learning for those involved in protecting patient health data

Anyone involved in PHI and other aspects of HIPAA implementation, such as Compliance Officers, HIPAA Privacy Officers, HIPAA Security Officers, Medical/Dental Office Managers, Practice Managers, Information Systems Managers, Chief Information Officers, General Counsels/Lawyers, Practice Management Consultants, any Business Associate that accesses Protected Health Information, and IT companies that support Medical/Dental Practices or other Healthcare organizations, will gain immensely from this session.


At this informative and interactive course, Jay will cover the following areas:

  • Why was HIPAA created?
  • What are the HIPAA Security and Privacy Rules?
  • What is a HIPAA Risk Management Plan?
  • What is meant by “Required” and “Addressable” Implementation Specifications?
  • What are Administrative, Technical, and Physical Safeguards Requirements?
  • What is a HIPAA Risk Assessment?
  • What are HIPAA training requirements?
  • How to prevent HIPAA data breaches from occurring
  • What are the penalties and fines for non-compliance and how to avoid them?
  • Preparing for increased HIPAA enforcement
  • HIPAA Violation Case Examples
  • Questions.


Avoiding common HIPAA pitfalls

Despite the many legal requirements set out in HIPAA aimed at ensuring compliance and avoiding penalties and other punitive actions from the HHS, businesses in the healthcare industry are still making many serious mistakes. These are mainly a result of false assumptions, because of which Business Associates end up being noncompliant in a big way.

Some of the major mistakes they make include:

  • Having processes that are not strong enough
  • Not employing the right technologies
  • Avoiding a risk assessment


Leaving the systems weak and vulnerable

As a result of such actions, electronic PHI becomes more and more vulnerable. Innumerable risks are created among Covered Entities, their Business Associates and subcontractors.

It goes without saying that these activities are undesirable and need to be checked. What are the steps that Covered Entities, their Business Associates and subcontractors, and other businesses in the healthcare industry need to take in order to meet HIPAA compliance requirements and avoid penalties?

Learn HIPAA compliance from the high priest of IT security 

This is the learning that a highly insightful webinar from MentorHealth, a leading provider of professional training for the healthcare industry, will be offering. The speaker at this session, which will offer extremely useful and perceptive learning, is Kevin Beaver, the acknowledged guru of HIPAA compliance. Kevin is the author of the highly popular book on HIPAA compliance, The Practical Guide to HIPAA Privacy and Security Compliance.


In addition, he has also authored or coauthored as many as 11 books, including bestsellers such as Hacking For Dummies, apart from others such as Point-of-Sale Security For Dummies, Hacking Wireless Networks For Dummies, Next-Generation IPS For Dummies, PCI Cardholder Data Protection For Dummies, Securing the Mobile Enterprise For Dummies, and Laptop Encryption For Dummies. Another 37 whitepapers embellish his CV.

There is virtually no role relating to IT security that Kevin has not played in the 28 years of his career as information security consultant, writer, professional speaker, and expert witness, the last 22 of which have been dedicated solely to information security.

To derive the benefit of learning from this IT security expert and to ensure that your HIPAA compliance is absolutely up to the mark, please enroll for this webinar. This webinar has been approved for 1 general credit from the Nevada Board of Continuing Legal Education.

Knowledge for everyone related to HIPAA Security

Quite predictably, people in positions relating to HIPAA compliance, such as Chief Operating Officers, Chief Compliance Officers, Medical Practice Owners, Risk Officers, IT/Security Administrators and Managers, Business Associate Executives and Subcontractors will derive immense benefit from this valuable course.

Kevin will cover the following areas at this webinar:

  • Why information security is as big a deal as ever
  • Even with all the HIPAA, HITECH, and Omnibus Rule regulations, why we’re still seeing breaches
  • 10 steps for understanding, resolving, and minimizing business risks over the long haul, regardless of how your business operates within the healthcare industry

In all, the speaker at this webinar will impart the knowledge gained from many years in IT security to familiarize participants with the specific steps they can take to meet HIPAA compliance requirements. He will also show participants how to implement a solid information security program without spending more time and other resources than is necessary.

Overcoming the pain of HIPAA enforcement

In the many years that it has been in existence, one of the noticeable changes that HIPAA has undergone is in its attitude. The earlier phase of advice and counseling has now given way to hardboiled and unforgiving enforcement. The Office for Civil Rights (OCR) no longer uses the cajoling and persuasive method. It wants to impose very harsh penalties on healthcare organizations that violate its rules.


For starters, healthcare organizations have to reckon with new, ominously higher fines, which include mandatory minimum fines of the order of $10,000 for those who are willfully neglectful in their compliance. This is in tune with its decision to raise the importance of HIPAA enforcement through audits. Simply no entity that comes under the scanner of the OCR and is required to carry out a HIPAA audit can afford to relax. Their turn for audit or compliance review can come up anytime.

If, with all these changes to HIPAA, an entity that is subject to HIPAA compliance, such as a Covered Entity or its Business Associate and related entities, does not take the necessary steps to protect its patients’ rights and health information in accordance with what is required under the HIPAA Privacy, Security, and Breach Notification Rules, it faces the prospect of being slapped with heavy penalties, which, as mentioned above, start at $10,000 in cases of willful neglect. Covered Entities and Business Associates have to implement the privacy requirements, provide good information security, and be in overall compliance.


Learn from the guru of HIPAA compliance

How do Covered Entities and Business Associates and all those that are connected with HIPAA enforcement activity attain compliance? The text in HIPAA is confounding to many professionals. Many words are complex and ambiguous, making its comprehension and interpretation difficult.

It is to help those associated closely with HIPAA enforcement, such as Compliance Directors, CEOs, CFOs, Privacy Officers, Security Officers, HIPAA Officers, Chief Information Officers, Health Information Managers, Healthcare Counsel/Lawyers and Office Managers, that MentorHealth, a highly regarded provider of professional training for the healthcare industry, will be organizing a learning session.


At this webinar, senior HIPAA compliance professional Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm he founded in 1982, will give a complete roundup of HIPAA enforcement and the ways in which the provisions of this legislation need to be complied with. The aim of this webinar is to help participants overcome the difficulties and complexities associated with HIPAA compliance. To enroll for this highly valuable learning session, please visit

http://www.mentorhealth.com/control/w_product/~product_id=801012?/Wordpress-SEO

A complete learning session on all the aspects of HIPAA enforcement

Jim will explain the HIPAA enforcement actions that have taken place, which will help participants to understand why the enforcement took place. It will also help them analyze what could have been done to prevent the incident that led to the enforcement. He will help them assess the unmet requirements and make them understand what they need to do to ensure that the proper policies, procedures, training, and documentation of their application are in place, so that they can prevent problems and limit the organization’s exposure in incidents.

This kind of learning is vital when one takes a look at the kind of violations that HIPAA has zeroed in on. Which Covered Entity or Business Associate would have thought that such seemingly mundane and harmless actions as returning copiers to the leasing company without removing the PHI on the hard drive, moving offices without accounting for hard drives stored in a closet, or improperly disposing of printed materials could invite penal actions under HIPAA?

With proper guidance, actions such as these, and others that invite penalties from the OCR, can be avoided. Jim will seek to provide learning on these aspects to the participants of this webinar. He will cover the following areas at this session:

  • The HIPAA Privacy, Security, and Breach Notification regulations (and the recent changes to them) and how their compliance will be evaluated in enforcement circumstances
  • Recent changes to the HIPAA enforcement regulations that increase fines and create new penalty levels, including new penalties for willful neglect of compliance that begin at $10,000
  • The information and documentation that needs to be prepared in advance so that you can be ready for an enforcement review or an audit without notice
  • The results of prior HHS enforcement actions and audits (and their penalties), including recent actions involving multi-million dollar fines and settlements
  • Questions asked in prior audits and enforcement reviews
  • Identification of weaknesses in organizational compliance
  • Future threats to the security of patient information
  • The importance of a good compliance process to help you stay compliant more easily.

HIPAA implementation should be grasped from an insider’s perspective

Carrying out HIPAA implementation is something a Covered Entity or a Business Associate has no choice about. To carry out this mandatory activity, the most important requirement is getting a proper grasp of how to carry out HIPAA audits. As is known in industry circles, carrying out HIPAA audits is a big task for even the most seasoned professional in the healthcare industry.

The main reason Covered Entities and Business Associates consider HIPAA implementation difficult is the nature of HIPAA audits. HIPAA contains words that are subjective and confusing. So, getting a grasp of the nuances and subtexts and their intended meanings is essential for a Covered Entity and a Business Associate in order to get their HIPAA implementation right.


Varied kinds of penalties

When one takes a look at the kind of penalties already imposed in 2017, the need for understanding how to get HIPAA implementation right becomes all the more acute. As recently as the last week of April 2017, the OCR announced a HIPAA settlement of $2.5 million with CardioNet, a Pennsylvania-based provider of remote mobile monitoring and rapid response for patients with cardiac issues.

Its fault: it did not take sufficient care to prevent an employee’s laptop, which contained the health records of nearly 1,400 patients, from being stolen. The investigation by OCR concluded that CardioNet had not carried out a Risk Analysis properly and had not put the right risk management processes in place at the time the theft took place. This is just one instance of an entity not taking the required steps for HIPAA implementation. There are many others that have attracted similar and even higher penalties for a variety of reasons.


OCR has been tightening HIPAA implementation audits

All these apart, the allocation in the federal budget for the Office for Civil Rights has gone up by 10 percent for 2017 over the previous year. What does this mean? It makes the OCR’s scrutiny and vigilance of Covered Entities and Business Associates even tighter than before, since the OCR has announced that it will be using these extra resources to improve and streamline the tools it uses for vigilance and to adopt newer, more advanced technologies into healthcare IT infrastructure.

All these actions are the result of the reinvigorated Phase 2 HIPAA audits, which the OCR started in March 2016.

Get trained on how to get HIPAA implementation right

A look at all these cases makes it clear that it is absolutely necessary for Covered Entities and Business Associates, as well as all those involved in one way or another with HIPAA audits, such as Practice Managers, Business Associates who work with medical practices or hospitals (namely billing companies, transcription companies, IT companies, answering services, home health, coders, attorneys, etc.), MDs, and other medical professionals, to get all the aspects of their HIPAA implementation completely right.


The in-depth knowledge needed for understanding and getting HIPAA audits right is the learning outcome of a webinar from MentorHealth, a leading provider of professional training for the healthcare industry. Brian L Tuttle, a senior Compliance Consultant & IT Manager at InGauge Healthcare Solutions, will be the speaker at this webinar; to enroll, all that is needed is to visit

https://www.mentorhealth.com/control/w_product/~product_id=801002?/Wordpress_SEO

As someone who has been on both sides of the audits, Brian will explain the way real-life audits are conducted by the federal government for Phase 2 and beyond. He will explain just what the highest risk factors for non-implementation are, some of which may even cause people to chuckle. He will explain what practice or business managers or compliance officers need to do to get their HIPAA audits right. Also taken up will be the major changes under the Omnibus Rule and any other applicable updates for 2017.

Brian will mainly seek to clear the misconceptions and myths about this often misunderstood law. He will teach participants the way to put a HIPAA compliance program in place. He will also explain the dos and don’ts of HIPAA Omnibus, among many other issues related to this topic.

The following areas will be covered at this session:

  • Updates for 2017
  • Requirements of Compliance Officers
  • Audit Process
  • What can cause an audit
  • How to avoid an audit
  • What to do in the event of an audit
  • How to speak and deal with Federal auditors
  • Risk Assessment
  • Best resources


Dental practices too need to be HIPAA-compliant

HIPAA Security Rule mandates the implementation aspects of how the technical, administrative and physical safeguards must be in place for securing Protected Health Information (PHI). This is applicable to dental practices, as well. Dental practices thus need to understand the ways by which to put these safeguards in place to meet HIPAA Security Rule compliance requirements.


The Privacy, Security, and Breach Notification Rules set out by HIPAA apply to a dental practice that meets what HIPAA defines as a Covered Entity. Those dental practices that are deemed Covered Entities are required to take steps aimed at compliance with the HIPAA Security Rule requirements. Dental practices have to comply with HIPAA requirements in almost all areas.

They are required to:

  • Thoroughly read and understand all of the requirements
  • Create a HIPAA compliance team
  • Create policies and procedures
  • Train workforce members
  • Perform a risk assessment
  • Comply with the rules related to how to delegate tasks
  • Make compliance an ongoing activity.

HIPAA compliance is an ongoing activity

HIPAA acknowledges that achieving and remaining in a state of compliance is a very important activity that has to be performed consistently, and one into which dental practices need to invest significant resources in the form of people and time, among many others along the way.


HIPAA also has elaborate rules on activities such as appointing a HIPAA Privacy Official or a HIPAA Security Official for dental practices that come under HIPAA’s definition of a Covered Entity. More interestingly, a dental practice has to ensure that conversations about a dental condition between patients and those accompanying them are not overheard by other patients waiting for their turn in the dental clinic!

Learn the ways of implementing HIPAA compliance in dental practices

In addition to complying with all the requirements in detail, dental practices also have to deal with many subjective, interpretative gray areas of the HIPAA Security Rule. Given these stringent requirements, being in compliance with HIPAA is a complex challenge for dental practices that come under the definition of Covered Entity.


Clearing the difficult areas of HIPAA compliance for dental practices is the intention of a highly valuable webinar being organized by MentorHealth, a leading provider of professional trainings for the healthcare industry. The speaker at this webinar will be the highly experienced healthcare professional Jay Hodes, president of Colington Security Consulting, LLC, who has over 30 years of combined experience in risk assessments, site security evaluation, regulatory compliance, policy and procedures assessments, and federal law enforcement management.


Want to derive the benefit of this rich experience that Jay brings into HIPAA compliance? All that you need to do is to enroll for this webinar by visiting

http://www.mentorhealth.com/control/w_product/~product_id=800974/?Wordpress-SEO

Ensuring that the HIPAA compliance program is sufficient

The aim of this session is to equip participants with the knowledge needed to understand whether their HIPAA compliance program is sufficient for meeting the requirements set out in this Act and for withstanding governmental scrutiny. Jay will familiarize participants with the implementation aspects of the administrative, technical and physical safeguards required under the Security Rule. He will also cover important related aspects such as overall best security practices for PHI and how the HIPAA Privacy Rule relates to the following:

  • Patient’s rights
  • Access to medical records
  • Disclosures and best practices to safeguard personal health information.

Jay will cover the following areas at this session:

  • Understanding what the HIPAA Security and Privacy Rules are
  • Understanding the entire HIPAA compliance process from the start to ongoing requirements
  • What is a HIPAA Risk Assessment?
  • What are HIPAA training requirements?
  • What is a HIPAA data breach, how to avoid one, and what happens if one does occur
  • How to create a Culture of Compliance in your dental practice
  • Q&A.

The criticality of medical necessity to coding

Medical necessity is often the difference between an allowed and a disallowed medical claim. This sums up the criticality of medical necessity. In the absence of a clearly stated medical necessity, a claim is not likely to get approved. Why is this so? It is because medical necessity is the deciding factor in determining why a certain medical service was needed. The most important rule for allowing medical claims is that there must have been a medical necessity for a procedure or treatment, and there should be no mismatch between the diagnosis and the procedure.

Often, coders make the mistake of not entering the right code. A wrongly entered code can be a reason for a medical claim to be denied. While stating the wrong diagnosis and treatment is a solid reason for the denial of a medical claim, the role of wrong coding is no less impactful. A patient may have come in to have a broken rib sustained in an accident treated, and the same accident may also have resulted in an elbow injury. When a wrong diagnosis code is entered, there is every chance that the claim for one of these injuries will get rejected.


The world of coding is quite complex. The ICD-10 has many complex codes, each of which must be understood in depth. Many a time, a coder makes an assumption about the diagnosis, with the result that the wrong diagnosis code is entered. This may be a mistake on the part of the coder, but it is the responsibility of the patient to verify this, because the onus of ensuring this lies with the patient.

Learn more about how to get medical necessity coding right

A webinar being organized by MentorHealth, a leading provider of professional trainings for the healthcare industry, will offer valuable insights into how to avoid the costly error of entering the wrong diagnosis code, an error that very often results in a claim denial.

At this webinar, Laura Hargraves, a senior professional in the field of healthcare with about three decades of experience, will be the speaker. Interested in gaining sharper insights into medical necessity in coding? Then please register for this webinar by visiting

http://www.mentorhealth.com/control/w_product/~product_id=800949LIVE/?Wordpress-SEO

The OIG has been increasing its oversight

Of late, the Office of the Inspector General (OIG) has been carrying out audits with renewed vigor to determine whether there has been any misuse of healthcare funding. Among the areas it has been focusing on are Hospitals, Skilled Nursing Facilities and Home Health Care, where it wants to investigate whether admissions, readmissions and stays at such facilities for treatment were really warranted. It has found many cases of improper or unconvincing documentation of Medical Necessity. In such cases, Managed Care companies will deny coverage. A medical organization that does not show proper evidence in the form of documentation risks losing payment or having payment reclaimed.


Documentation is the soul of medical necessity

At this webinar, Laura will show participants how to provide the information they need to support their documentation efforts, which really is the heart of demonstrating the medical necessity of services.

At this webinar, she will discuss an often overlooked area: the significance of medical coding from Hospitalization to Home Care, and the Skilled Nursing Facility in between. With the new coding guidelines for ICD-10 kicking in, knowing how to put documentation to the right use is of vital importance. This is because of the reason mentioned earlier: the need to match and document the services offered with the correct coding. Laura will give an understanding of how to do this important task.

Closer scrutiny

She will do this by looking at how the staff completes documentation, at the wording used, and at what kind of supporting documentation is obtained from all departments. A close scrutiny of these items will help to understand and focus on the weak areas of documentation and to continue improving in areas that are functional but not optimal.


It is only when Medical Necessity is demonstrated that services are optimized. The way to reduce the risk of being denied claims is to ensure that departments’ documentation is supportive of the medical necessity of the services being provided.

At this webinar, Laura will cover the following areas:

  • How is Medical Necessity Defined?
  • Documentation needed to demonstrate Medical Necessity
  • Rationale behind documentation supporting coding
  • Necessity for documentation to show progression of medical changes
  • Interdepartmental documentation to show medical need for services.

HIPAA compliance in 10 easy steps

The Health Insurance Portability and Accountability Act (HIPAA) sets out the standards which Business Associates and Covered Entities have to comply with in order to ensure the security of Protected Health Information (PHI). An organization that deals with PHI should make sure that it has taken all the physical, network and process security measures needed to ensure PHI’s security.

Business Associates and Covered Entities are the main players in HIPAA compliance. A Business Associate is one who has access to patient information and is involved in providing support in any of these areas: treatment for the patient, payments or operational aspects.


Covered Entities are those who provide treatments to patients or are involved in payments or operations. The associates through whom Business Associates get their work done, namely subcontractors, also come under the provisions of the HIPAA and must comply with them.

The acute need for HIPAA compliance

Why is compliance with the provisions of HIPAA necessary for Business Associates and Covered Entities? Apart from helping them to meet the main intent of HIPAA, namely ensuring data privacy, compliance with HIPAA is necessary also because a data breach is taken very seriously and attracts severe penalties.

A webinar that will unravel the complexities of HIPAA compliance for Business Associates and Covered Entities is being organized by MentorHealth, a very well-known provider of professional trainings for the healthcare industry.


Jim Sheldon Dean, Director of Compliance Services at Lewis Creek Systems, LLC, a Vermont-based consulting firm that has been providing information privacy and security regulatory compliance services to healthcare firms and businesses throughout the Northeast and nationally since its establishment in 1982, will be the speaker at this power-packed webinar.

Attendance at this highly educative and valuable session will be of immense help to those involved in HIPAA compliance. All that is needed to participate in this valuable learning session is to visit

http://www.mentorhealth.com/control/w_product/~product_id=801009?/Wordpress and register.

Clear explanation of HIPAA compliance in 10 steps

Jim will set out a clear 10-step HIPAA compliance process for Business Associates and Covered Entities. During these 90 minutes, Jim will compress 10 days of learning into the 10 steps for HIPAA compliance. This training session will condense how to use these steps as a foundation for the longer version of HIPAA compliance, summarizing HIPAA compliance in 10 easy, clear, abridged steps.


These are the steps of the 10-step HIPAA compliance process that Jim will teach at this session:

Step One: Researching how to use PHI and understanding what policies and procedures are in place for Privacy, Security, and Breach Notification

Step Two: An understanding of the limitations on uses and disclosures of PHI that Business Associates have to establish according to the Privacy Rule

Step Three: Patient Rights under HIPAA

Step Four: HIPAA Risk Analysis

Step Five: HIPAA Security Safeguards, in which the ways of understanding and implementing physical, technical, and administrative safeguards are imparted

Step Six: HIPAA Security and Breach Notification Policies and Procedures

Step Seven: The proper way of documenting policies and procedures, by which the Business Associate or Covered Entity can show compliance

Step Eight: Training the staff on the policies and procedures related to HIPAA sections on privacy, security, and breach notification

Step Nine: Verification and audits of compliance, which includes HIPAA Privacy, Security, and Breach Notification compliance that should be implemented and regularly evaluated to ensure that policies are being followed and systems are secured

Step Ten: Long Term Compliance Planning and Risk Management.

In the course of explaining these 10 steps to HIPAA compliance, Jim will cover the following areas:

  • Find out how to relate your office’s activities to the regulations
  • Learn the ways you can share information under HIPAA, and the ways you may not
  • Find out about HIPAA requirements for access and patient preferences, as well as the requirements to protect PHI
  • Learn how to use an information security management process to evaluate risks and make decisions about how best to protect PHI and meet patient needs and desires
  • Find out what policies and procedures you should have in place for dealing with e-mail and texting, as well as any new technology
  • Learn about the training and education that must take place to ensure your staff uses e-mail and texting properly and does not risk exposure of PHI
  • Find out the steps that must be followed in the event of a breach of PHI

Learn about how the HIPAA audit and enforcement activities are now being increased and what you need to do to survive a HIPAA audit.

Patient rights to access to their medical records under HIPAA

Patient rights to access their medical records are a major part of HIPAA. One of the highlights of the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which was created to ensure continuity of health insurance protection for employees who lose their jobs or are in the process of changing them, is the ease of access it gives patients to their health information.


The rationale for allowing patient rights to access to their medical records under HIPAA is that it should help them manage their conditions better. They can carry out or contribute to a number of useful activities such as:

  • Being able to better monitor their present or past chronic conditions
  • Complying with the treatment courses and plans being carried out
  • Detecting and correcting inaccuracies and blunders in their health records
  • Being able to monitor the progress they make in disease or wellness management programs
  • Being able to directly contribute to health research by sharing their health information with genuine users.

To empower patients

The HHS believes that the idea of equipping patients with rights to access their medical records under the HIPAA is to place them “in the driver’s seat” and make the whole health system patient-friendly. Another rationale for giving patients rights to access their medical records under HIPAA is that it wants patients to fully utilize the technologies that have gone into the healthcare records system.


At the heart of patient rights to access their medical records under HIPAA is the ability given to patients to obtain a copy of their medical information. This right sits at the core of the assortment of rights given to patients to access their medical records under HIPAA. This is the General Right given to patients that requires Covered Entities to hand over, upon request, a copy of the patient’s Protected Health Information (PHI) in one or more “designated record sets” maintained by the Covered Entity or by a Business Associate on its behalf.

Unfettered General Right

Patient rights to access their medical records under HIPAA require the Covered Entity or Business Associate to provide PHI to the patient, when requested, irrespective of when the record was created, the form of the record (electronic or paper), and the source of the record (the patient, the Covered Entity, or another provider).


The whole aspect of patient rights to access their medical records under HIPAA needs to be fully grasped if the healthcare provider is to avoid causing a breach. A breach, as we know, is taken very seriously by the HHS and attracts heavy penalties. It is not just advisable, but mandatory, for healthcare providers to have complete knowledge of patient rights to access their medical records under HIPAA.

A thorough learning on patient rights to access to their medical records under HIPAA

The ways of understanding and ensuring patient rights to access to their medical records under HIPAA will be the topic of a webinar that is being organized by MentorHealth, a provider of professional trainings for the healthcare industry. This webinar will have Jay Hodes, president of Colington Security Consulting, LLC, which provides HIPAA consulting services for healthcare providers and Business Associates, as speaker.

Registering for this webinar at http://www.mentorhealth.com/control/w_product/~product_id=800901/?Wordpress

will give a proper understanding of patient rights to access to their medical records under HIPAA. Jay will give a proper grasp of patient rights to access to their medical records under the Privacy Rule of the HIPAA. This thorough information is very vital for organizations whose job entails maintaining, creating, transmitting or storing PHI.

At this session, Jay Hodes will cover the following areas:

  • Why was HIPAA created?
  • Who Must Comply with HIPAA Requirements?
  • What is the HIPAA Privacy Rule?
  • What is Protected Health Information?
  • What are Permitted and Authorized Disclosures?
  • What Rights do Patients have under HIPAA?
  • What is a HIPAA data breach and what happens if it occurs?
  • What are the penalties and fines for non-compliance and how to avoid them?

Avoiding amorous relationships in a healthcare setting

Avoiding amorous relationships in a healthcare setting is of crucial importance in the healthcare industry if the reputation of the healthcare provider is to remain intact. People in senior positions in the medical profession, such as faculty and supervisors, exercise considerable authority and power over the people they supervise.

It is thus necessary for those in supervisory positions in a medical practice, clinic, hospital or university setting to show the utmost restraint in their behavior towards those over whom they have supervisory responsibilities, and to avoid amorous relationships in a healthcare setting.


A clear definition of terms

Laws clearly prohibit medical faculty and staff in a healthcare setting, including graduate assistants, from having amorous relationships with students over whom they have supervisory responsibilities. A supervisory responsibility is one in which the person in this position teaches, evaluates, tutors, advocates for, counsels and/or advises the student, with these duties performed directly and currently.

This applies whether the supervision takes place inside or outside the office, clinic or hospital setting. Amorous relationships with a medical, nursing or healthcare professional student have to be avoided, whether the person with supervisory responsibility is a member of the faculty, a staff member or a graduate assistant.


Definition of tasks carried out by supervisory personnel

The activities that come under the purview of these responsibilities are clear-cut, so that care is taken to avoid amorous relationships in a healthcare setting. Any staff who administer, provide or supervise any academic, co-curricular or extra-curricular services and activities, opportunities, awards or benefits offered by or through the health entity or its personnel in their official capacity come under the ambit of those who need to avoid amorous relationships in a healthcare setting.

The most important reason for which employees who supervise, evaluate or in any other way directly affect the terms and conditions of the employment of their reportees have to avoid amorous relationships in a healthcare setting is that it is prohibited even in cases in which mutual consent is present, or appears to be present.

There are financial reasons for avoiding amorous relationships in a healthcare setting

Avoiding getting into and cultivating an amorous relationship in a healthcare setting is important for a number of reasons. Firstly, it fosters a climate of positivity and healthfulness in the medical practice or clinic or hospital, thus leading to increase in the productivity and morale of the employees.

Beyond this, avoiding amorous relationships in a healthcare setting is also important from a purely financial perspective, as lawsuit figures published in January 2012 by Jury Verdict Research, Inc. show:

  • The costs of jury awards for employment-practice liability cases have been going up consistently for nearly two decades
  • From 1994 to 2000, the overall average jury award in discrimination cases was $150,000
  • Sexual harassment complaints increased by nearly one and a half times between 1995 and 1998
  • Just about half of all small businesses offer training to their staff on sexual harassment prevention, while three fourths of large companies do.

Learn the nature of the law to avoid amorous relationships in a healthcare setting

To get a clear understanding of the law that relates to avoiding amorous relationships in a healthcare setting and to avoid getting into legal complications, attend a webinar on this topic that is being organized by MentorHealth, a highly popular provider of professional trainings for the healthcare industry.


David Edward Marcinko, Founding Dean of the fiduciary focused CERTIFIED MEDICAL PLANNER® chartered designation education program and Professor and physician executive, will be the speaker at this webinar. To register for this session, please visit

http://www.mentorhealth.com/control/w_product/~product_id=800936/?Wordpress

At this session, David will cover the following areas:

  • Consensual Amorous Relationships Defined
  • Handling Patient Advances
  • Signs of Flirtatious Behavior and Discouragement
  • Sexual Harassment Defined
  • Preferential Treatment
  • Unreasonable Interference with Performance
  • Two-Pronged Test Approach
  • Offensive Behavior
  • Gender Based Animosity
  • Same Sex Harassment
  • Employer Liability
  • Disciplinary Actions
  • Tangible Employment Actions
  • Punitive Damages
  • Financial and Economic Costs.

Violations of ethical law by psychologists

Violations of ethical law by psychologists are a major topic for society in general and the healthcare industry in particular, because psychologists are a highly trained and skilled workforce in the medical profession. Since mental healthcare practitioners work in today’s diverse, fast-changing, multidisciplinary health care environment, this profession places a vast array of providers before the client seeking mental health services.

Violations of ethical law by psychologists are stated in detail by the American Psychological Association (APA), which formulated and issued the Ethical Principles of Psychologists and Code of Conduct in December 1992. This law sets out rules for professional ethical conduct by psychologists. The terms of violations of ethical law by psychologists are clearly laid out by this set of laws.


Referred to in short as the Ethics Code, this law consists of six General Principles and several specific ethical standards. The rules laid out in these and other sections of the Ethics Code are enforced by members of the APA, although, given the subjective nature of these violations, a broad interpretation of these laws is called for based on the individual case.

Applies only to the psychologist’s practice

It is important to note that the Ethics Code is applicable purely to psychologists’ work-related activities. In other words, the Ethics Code covers only those activities of psychologists that constitute part of the psychologists’ professional or scientific functions or those that are of a psychological nature.

Some of the activities of the Ethics Code that come under the purview of violations of ethical law by psychologists include:

  • Clinical or counseling practice
  • Counseling related to education
  • Developing assessment tools
  • Carrying out assessments
  • Administration
  • Teaching
  • Trainee supervision
  • Social intervention
  • Research
  • Organizational consulting

Why this needs to be mentioned is that all these work-related activities are different from the totally private conduct that a psychologist undertakes. These private interactions and functions are outside the ambit of the Ethics Code, and hence do not come under violations of ethical law by psychologists.


Learn the finer aspects of violations of ethical law by psychologists

A complete understanding of the activities and other related aspects of violations of ethical law by psychologists is needed if one is to get a thorough grasp of the intent and interpretation of this legislation. All these aspects of violations of ethical law by psychologists will be taken up in detail at a webinar being organized by MentorHealth, a highly popular provider of professional trainings for all areas of regulatory compliance.


The speaker at this highly valuable and interesting session will be Mark Brengelman, Attorney at Law at Hazelrigg and Cox LLP, an established law firm whose history in Frankfort, Kentucky goes back over one hundred years. Mark is the founding presenter of “Navigating Ethics and Law for Mental Health Professionals”, a continuing education training approved by five Kentucky mental health licensure boards.

To enroll for this lively session and get a complete understanding of how violations of ethical law by psychologists are treated by the APA and under other laws, register by logging on to

http://www.mentorhealth.com/control/w_product/~product_id=800928/?Wordpress

The different tenors of the law on violations of ethical law by psychologists

A few aspects related to violations of ethical law by psychologists need to be taken note of. For instance, a complaint against a mental health practitioner alleging misconduct or ethical shortcomings is received and investigated by a State agency. The implication, spirit and applicability of these laws vary from one State to another, causing considerable confusion to the practitioner who has to handle and defend against the action the State is bringing against her.

At this session, Mark will show how to navigate issues such as this. Participants will learn the ways of identifying and understanding the most common violations of law against psychologists. This gives the practitioner the opportunity to defend against actions by the State which may mar her career prospects.

This webinar on violations of ethical law by psychologists offers an objective, thorough review of the legal and ethical analysis of state licensure board complaints against psychologists.

The speaker will cover the following areas at this webinar:

  • Sources of legal authority for the state to take disciplinary action against psychologists
  • Administrative procedures applied to the process of disciplinary actions
  • Due process standards for the psychologists
  • Defenses to disciplinary action proceedings
  • Review of the most common ethical and legal violations committed by psychologists
  • Practice tips for successfully handling disciplinary action proceedings.


Ransomware and HIPAA risks are now closely hemmed together

Ransomware and HIPAA risks are now inseparable. After a lot of deliberation, ransomware has now become part of HIPAA compliance for Business Associates and Covered Entities that have to show HIPAA compliance. This became official on July 11, 2016, when the HHS issued a new guideline that makes ransomware attacks part of reportable HIPAA breaches.

Although players in the healthcare industry were strident in their view that ransomware and HIPAA risks should be kept separate, what precipitated this decision was the finding of a US interagency report, which suggested that in just one year from the middle of 2015 there was a fourfold increase in the number of ransomware attacks, bringing the number of these attacks on Protected Health Information (PHI) to an alarming 4000 a day.


Ransomware and HIPAA risks have come together primarily for this reason, with HIPAA’s new guideline suggesting the steps that Business Associates and Covered Entities need to take to identify a ransomware attack and report it, thereby preventing the potential loss it causes to PHI.

First, a brief understanding of ransomware

Ransomware can be defined in simple terms as malicious software that differs from other kinds of malware in one fundamental way: it attempts to deny users access to their own data at the source. Ransomware attackers encrypt the data with a key that is known only to them, and release it only after the user pays them a ransom. Ransomware and HIPAA risks have come together after the HHS realized the dangers of this kind of malware.

Business Associates and Covered Entities are in for a jolt when HIPAA investigations into ransomware breaches find malpractices, which can ruin the practice or business concerned. If ransomware is detected, HIPAA considers it a serious breach of security. Such an entity is heavily penalized, and its reputation is at stake.


How are ransomware and HIPAA risks associated with each other?

The HHS, which is responsible for HIPAA implementation, has issued the new guidelines about ransomware and HIPAA risks.

These include:

  • Implementing a security management process, of which carrying out a risk analysis to identify vulnerabilities and threats to PHI, and implementing steps to mitigate them, are a part;
  • Putting in place measures that detect and guard against malicious software;
  • Helping to protect data by training users to identify and report malicious software; and
  • Putting in place access controls by which only designated personnel are authorized and permitted access.

These measures on ransomware and HIPAA risks sit alongside the existing HIPAA Security Rule, which has its own set of steps and rules that need to be followed to protect data privacy.


How do steps for checking ransomware and HIPAA risks need to be implemented?

The important steps needed for checking ransomware and HIPAA risks are suggested above, but professional help is needed in order to implement the right steps for identifying and containing ransomware and HIPAA risks.

The exact ways of doing this will be the content of a webinar that MentorHealth, a leading provider of professional trainings for all the areas of regulatory compliance, is organizing.


Brian L Tuttle, who is a Certified Professional in Health IT (CPHIT), Certified HIPAA Professional (CHP) and Certified Business Resilience Auditor (CBRA) with over 15 years’ experience in Health IT and Compliance Consulting, will be the speaker at this webinar. To understand how to prevent your practice from being hauled up by HIPAA or being sued in a class action in the case of a large breach, register for this webinar by visiting

The proven and established means of protecting businesses and practices from ransomware attacks and breaches, and from HIPAA enforcement actions, will be discussed in depth at this webinar.

An understanding of the risk factors

During the course of this webinar, Brian will also explain what the highest risk factors for being sued for wrongful disclosures of PHI are, and the manner in which patients are now using state laws to sue for wrongful disclosures. He will also delve into specific information about multiple incidents, which will help practices and businesses understand what those organizations did wrong that led to a ransomware-related HIPAA risk.

Apart from explaining the variables that need to be considered, Brian will also discuss the specific questions that Office of Civil Rights investigators and the FBI are likely to ask, and the ways of giving them the best answers. This very valuable session on ransomware and HIPAA risks will educate participants on the ways of preventing a breach altogether.

Brian will cover the following areas at this webinar:

  • What is ransomware?
  • What are risk factors?
  • What to do if hijacked
  • Audit Process
  • What can cause an audit
  • How to avoid these issues altogether
  • What to do in the event of an audit
  • How to speak and deal with Federal auditors
  • Risk Assessment
  • Best resources

Drafting and signing the Electronic Health Record license agreement requires utmost diligence

When drafting and signing the Electronic Health Record (EHR) license agreement, total diligence is of the essence, since the Electronic Health Record license agreement is a vital document, both for physician practices that have just entered the EHR arena and for practices that are transitioning to a new EHR software package.

Important factors to look for in an Electronic Health Record license agreement

An EHR license agreement, the pillar of the relationship between the vendor and the practice, is expensive to buy and maintain. Because this Electronic Health Record license agreement defines the relationship between the two parties, a lot of careful consideration has to go into it before entering into and signing one.


A practice that is in the process of entering into an Electronic Health Record license agreement needs to look for at least these three core points:

  1. What is it that the practice is buying?
  2. What is the nature and scope of the practice’s and the vendor’s duties and responsibilities?
  3. The ways of getting out of the contract, i.e., how flexibly can the Electronic Health Record license agreement be terminated?

The Electronic Health Record license agreement has to be clear and unambiguous, leaving no scope for varied interpretations of its many aspects. The Electronic Health Record license agreement needs to have a completely clear definition of these core areas:

  1. Scope
  2. Support
  3. Disclaimers relating to liabilities and warranties
  4. Ending of the contract


Components that need to go into an Electronic Health Record license agreement

The Electronic Health Record license agreement should ideally state clearly, and settle, issues such as:

  • Whether and how often the vendor may make online portions of the software unavailable for maintenance or other issues
  • How many people may use the software and on how many machines the software may be installed, if it has an offline component
  • The kind of technical support the vendor will provide
  • Whether the vendor will use data entered by the practice for its own purposes, and if yes, under what conditions
  • Terms under which the agreement may be terminated, and
  • What happens to the practice’s data upon termination

Since these are the most important elements of the Electronic Health Record license agreement, the practice has to be clear about the terms of the agreement and should not give in to any pressure that salespeople on the vendor’s side may apply to get the deal closed quickly. A hurriedly worked out Electronic Health Record license agreement that lacks proper scrutiny and vigilance is bound to land the practice in trouble at some later date.


Other aspects to take into consideration

While signing the Electronic Health Record license agreement, there are other very important factors that the physician practice should take into consideration. These are some of them:

  • Does the license agreement require a specific person at the practice as the primary contact with the vendor?
  • If so, what happens if that person is out sick or on vacation, or quits or is fired?
  • What happens if the software operates as specified, but the physician practice wants to switch to a different vendor’s software?
  • Does the license let the physician practice terminate at will, or only under certain circumstances?
  • What happens to the practice’s data after termination, when will it be returned, and in what form?

Sharpen the insight needed for signing an Electronic Health Record license agreement

Given the highly delicate and crucial nature of an Electronic Health Record license agreement, it is extremely important for practices and physicians to be thoroughly acquainted with the workings of Electronic Health Record license agreements. To familiarize them with the dynamics of how to draft and sign an Electronic Health Record license agreement, MentorHealth, a highly reputable provider of professional trainings for the healthcare industry, will be organizing a webinar.

Daniel F. Shay, an attorney with Alice G. Gosfield and Associates, P.C., who specializes in health law and health care regulation practice, will be the speaker at this session, which will arm participants with the nous needed to get the right Electronic Health Record license agreement signed and avoid legal issues. To register for this session, please visit

http://www.mentorhealth.com/control/w_product/~product_id=800921LIVE/?wordpress-SEO

Look at the subtle and intricate aspects of the license agreement

At this session, Shay will set out and explain the practical considerations that physician practices need to weigh when reviewing EHR license agreements. Another important topic covered at this session is compliance with Meaningful Use. Shay will offer his expertise on the types of documents that are often incorporated into the license agreement, as well as what physician practices can expect in the negotiation process after the license agreement has been reviewed.

Shay will cover the following areas at this session:

  • Common contractual terms in EHR software license agreements
  • Grounds for termination of a license
  • Common documents incorporated into the license
  • Meaningful Use considerations
  • Post-termination data control and conversion


Avoiding HIPAA fines and penalties is of paramount importance to entities

Avoiding HIPAA fines and penalties is something a Covered Entity or a Business Associate has to treat as an issue of foremost importance. About 120 million individuals were affected by HIPAA breaches in 2015, highlighting both the scale on which breaches can happen and the extent to which medical records are targeted. It is said that medical records now command a higher price on the black market than social security numbers and credit cards!

Interviews are always intensive

In the two decades since the creation of HIPAA, over $50 million has been levied in fines and penalties. This is why Covered Entities and Business Associates need to do everything they can to avoid HIPAA fines and penalties. The government is very serious about protecting healthcare records. It has repeatedly nudged the HHS to take the increased incidence of cyberattacks resulting in medical records theft very seriously and to increase vigilance.

The HHS is hell-bent upon enforcing HIPAA requirements

Phase 2 HIPAA audits are now underway, underscoring the increased need for Covered Entities and Business Associates to devise ways of avoiding HIPAA fines and penalties. The basis for avoiding HIPAA fines and penalties is a clear and thorough understanding of the HIPAA compliance requirements expected of a healthcare provider.


Avoiding HIPAA fines and penalties rests on a clear understanding of how to put policies and procedures in place to ensure HIPAA compliance, because HIPAA compliance goes hand in hand with providing the appropriate patient rights and controls on the organization’s uses and disclosures of PHI.

Two aspects come into play if an organization that is being audited or is the subject of a compliance review is to avoid HIPAA fines and penalties. The first is to demonstrate to the HHS how it addresses all of the required security safeguards. The second is to have documentation of the proper policies and procedures necessary for safeguarding patient PHI.

Get to understand the dynamics of HIPAA compliance for avoiding HIPAA fines and penalties

Avoiding HIPAA fines and penalties is not something that happens by chance. An organization cannot shoot in the dark and hope to get its HIPAA compliance right. If Covered Entities and Business Associates are to get their HIPAA implementation right, they need professional guidance on how to accomplish this. Given the cost of noncompliance, avoiding HIPAA fines and penalties is something all organizations have to strive for.

How do they do it? This is the learning that a webinar from MentorHealth, a leading provider of professional trainings for the healthcare industry, will be offering. Jay Hodes, who is President and Founder, Colington Security Consulting, LLC, will be the speaker at this highly valuable webinar on avoiding HIPAA fines and penalties. To learn how to avoid HIPAA fines and penalties and to benefit from the speaker’s vast experience in HIPAA compliance, please enroll for this webinar by visiting http://www.mentorhealth.com/control/w_product/~product_id=800900LIVE/?Wordpress-SEO

An explanation of what to do in order to avoid HIPAA fines and penalties

At this session, Jay will show how an organization can avoid HIPAA fines and penalties simply by being compliant with the HIPAA requirements. He will show how a Business Associate or Covered Entity can provide the appropriate patient rights and controls on its uses and disclosures of Protected Health Information (PHI), and what it must have in place to do so.


This webinar will also explain how an organization that is being audited or is the subject of a compliance review must show the HHS both the documentation necessary for safeguarding patient PHI and its ability to demonstrate how it is addressing all of the required security safeguards, if it is to avoid HIPAA fines and penalties.

At this session, Jay will cover the following areas:

  • Why was HIPAA created?
  • Who Must Comply with HIPAA Requirements?
  • What are the HIPAA Rules?
  • Who Enforces HIPAA?
  • Enforcement Case Examples
  • Learning from Others’ Mistakes
  • What are the penalties and fines for non-compliance and how to avoid them?
  • Being Prepared for a HIPAA Audit or Investigation
  • Questions


Section 1557 of the Affordable Care Act

Section 1557 of the Affordable Care Act (ACA) is an important section of the Affordable Care Act, which was signed into law by President Barack Obama in 2010. Under some of the provisions of this Act, sex, race, age, color, national origin or disability cannot be a reason for excluding individuals. It builds on the foundation laid by other landmark federal civil rights laws, such as:

  • Title VI of the Civil Rights Act of 1964
  • Title IX of the Education Amendments of 1972
  • Section 504 of the Rehabilitation Act of 1973
  • The Age Discrimination Act of 1975

A Final Rule implementing Section 1557 of the Affordable Care Act was issued by the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) on May 18, 2016, and the Final Rule became effective on July 18, 2016.


Legal amendments to Section 1557 of the Affordable Care Act

Section 1557 of the Affordable Care Act underwent a small amendment when the U.S. District Court for the Northern District of Texas issued an opinion in the case of “Franciscan Alliance, Inc. et al vs Burwell” on the last day of 2016. This court opinion concerns the part of Section 1557 of the Affordable Care Act that prohibits discrimination in two areas, gender identity and termination of pregnancy, on a national scale. As a result of this legal opinion, the OCR will not enforce these two provisions of Section 1557 of the Affordable Care Act for as long as the injunction is valid. It will continue to enforce the remaining provisions relating to other areas of discrimination.

Entities and individuals that come under the purview of Section 1557 of the Affordable Care Act

Section 1557 of the Affordable Care Act specifies the categories of individuals or entities that are protected from discrimination. Section 1557 of the Affordable Care Act protects from discrimination any individual or entity that participates in any of these:

  1. A healthcare program or activity that is paid for in part or administered by the HHS, and
  2. Federally facilitated and state-based health insurance marketplaces, which are collectively called Covered Entities.

Section 1557 of the Affordable Care Act empowers individuals to file a complaint with the OCR if they feel they have been subjected to discrimination in breach of any of the provisions of the Act.

This said, the individual needs to know the complete nature of the law in order to assess if there is a strong case under Section 1557 of the Affordable Care Act. This calls for a proper and thorough understanding of Section 1557 of the Affordable Care Act.


Get to thoroughly understand the discrimination provisions of Section 1557 of the Affordable Care Act

A complete understanding of the discrimination provisions of this Act will be the subject of a webinar that is being organized by MentorHealth, a leading provider of professional trainings for the healthcare industry.

William Mack Copeland, who practices health care law in Cincinnati at the firm of Copeland Law, LLC, and is president of Executive & Managerial Development Group, will be the speaker at this highly informative session. To benefit from William’s long experience in healthcare law, enroll for this webinar by visiting http://www.mentorhealth.com/control/w_product/~product_id=800929LIVE?LinkedIn-SEO

How the provisions of Section 1557 of the Affordable Care Act work

At this webinar, William will explain the provisions of Section 1557 of the Affordable Care Act and equip the participants with an understanding of the discrimination provisions of the ACA. Management employees of a healthcare entity will gain a better understanding of how and why the process works and how it impacts healthcare entities. William will also offer an explanation of what can be and cannot be done.

Further, he will offer an explanation of the ways of protecting oneself and the organization from potentially devastating legal challenges. Knowledge of how to meet the requirements of the ACA to avoid sanction under Section 1557 of the Affordable Care Act will be another learning to be gained at this webinar.

More importantly, this webinar will arm participants with an understanding of how to deal with the regulations and ensure that they do not end up violating the discrimination requirements of Section 1557 of the Affordable Care Act. The speaker will also help participants put in place a viable ACA compliance program that complies with Section 1557 of the Affordable Care Act.


This session will cover the following areas:

  • A description of Section 1557
  • The notable provisions of Section 1557
  • Who must comply with provisions of Section 1557
  • Requirements for individuals with limited English proficiency (LEP)
  • Examples of Race, Color, National Origin, Sex, Age or Disability Discrimination
  • Auxiliary Aids and Services
  • Health-related insurance or other health-related coverage
  • Exceptions
  • Enforcement

Understanding HIPAA compliance is the basis for being legally tenable

Understanding HIPAA compliance requirements is the foundation for meeting the legal requirements imposed on a healthcare provider. Understanding HIPAA compliance involves knowing the proper policies and procedures that must be in place, because being in compliance with HIPAA is as important as providing the appropriate patient rights and controls on the organization’s uses and disclosures of Protected Health Information (PHI).

So, any organization that is being audited or is the subject of a compliance review has to show the government that it not only has the wherewithal to demonstrate how it is addressing all of the required security safeguards, but also has the documentation necessary for safeguarding patient PHI.

A good grasp of the fundamentals is called for

Understanding HIPAA compliance requirements is necessary for a healthcare practice, business or organization to get a good grasp of the fundamentals of protecting PHI. A good grasp of these fundamentals is called for if an entity is to ensure that the safeguards it currently has are good enough to withstand government scrutiny. The palpable rise in the number of HIPAA data breaches is another solid reason why a thorough understanding of HIPAA compliance is called for. Understanding HIPAA compliance requirements is necessary for knowing which requirements must be met if the entity is to safeguard PHI.


To facilitate a good understanding of HIPAA compliance requirements, MentorHealth, a leading provider of professional trainings for the healthcare industry, will be organizing a webinar which will highlight these aspects. Jay Hodes, who is President and Founder, Colington Security Consulting, LLC, will be the speaker at this webinar. Please visit http://www.mentorhealth.com/control/w_product/~product_id=800898LIVE/~sel=LIVE/~Jay_Hodes/~HIPAA_Compliance_-_What_You_Need_to_Know to enroll for this session.


At this webinar, which will give participants an understanding of HIPAA compliance, Jay will break down the complexities of HIPAA compliance requirements in a simple, easy-to-understand way. Participants will gain clear knowledge of all the requirements for a comprehensive HIPAA compliance program and the steps they need to take in order to mitigate risk.


Jay will cover the following areas at this discussion:

  • Why was HIPAA created?
  • Who Must Comply with HIPAA Requirements?
  • What are the HIPAA Security and Privacy Rules?
  • What is a HIPAA Risk Management Plan?
  • What is meant by “Required” and “Addressable” Implementation Specifications?
  • What are Administrative, Technical, and Physical Safeguards Requirements?
  • What is a HIPAA Risk Assessment?
  • What are HIPAA training requirements?
  • What is a HIPAA data breach and what happens if it occurs?
  • What are the penalties and fines for non-compliance and how to avoid them?
  • Creating a Culture of Compliance
  • Questions


HIPAA and suing need to be understood fully when contemplating action

HIPAA and suing are two closely related elements. When HIPAA and suing are discussed, what needs to be borne in mind is that an individual cannot sue HIPAA. Yes, you are reading that right. An individual cannot sue a Covered Entity or Business Associate for violation of the privacy of medical records. So, does this mean that HIPAA has carte blanche to do what it likes with your medical records?


No. What has just been stated is that an individual cannot sue HIPAA itself, but can seek a legal remedy when she believes that there has been an unlawful violation of her or someone else’s privacy rights relating to her health information, or a breach of the Privacy, Security, or Breach Notification Rules, by filing a complaint with the Office of Civil Rights (OCR) under State law.

Who can be sued?

HIPAA is clear about who can be sued for healthcare information privacy violations. An individual can seek legal action against a Covered Entity (any health plan, healthcare clearinghouse, or healthcare provider that carries out many of its transactions electronically) or any of its Business Associates.

The provisions related to suing under HIPAA need to be fully understood before proceeding legally. Since HIPAA and suing is a legal matter, an individual contemplating suing under HIPAA must understand it completely.

A webinar from MentorHealth on HIPAA and suing

All the major aspects of HIPAA and suing will be the topic of a webinar that MentorHealth, a leading provider of professional trainings for all the areas of regulatory compliance, will be organizing. Brian Tuttle, a Certified Professional in Health IT (CPHIT), Certified HIPAA Professional (CHP), Certified Business Resilience Auditor (CBRA) with over 15 years’ experience in Health IT and Compliance Consulting, will be explaining all the important areas relating to HIPAA and suing.


To understand the core elements of HIPAA and suing, enroll for this important webinar by visiting

http://www.mentorhealth.com/control/w_product/~product_id=800905LIVE/~sel=LIVE/~Brian_Tuttle/~HIPAA_and_Suing_-_Trial_Attorneys_Are_More_Dangerous_Than_The_Federal_Government.

At this session, Brian will clarify the major issues relating to HIPAA and suing and give participants an understanding of the factors that could invite a letter or a visit from the Office of Civil Rights, and of the ways of dealing with it.

In the course of explaining the elements of HIPAA and suing, Brian will cover the following areas:

  • Updates for Omnibus
  • Patients suing: how does this work?
  • Fines from HHS
  • Audit process
  • Real life audits and litigated cases
  • New patient legal remedies and how to lower risks
  • State laws and patient remedies
  • Portable devices
  • Emailing and texting
  • Business associates and the increased burden
  • Breach notification
  • Risk factors for being sued or audited


Key Compliance Considerations for Healthcare Providers in the OIG’s 2017 Work Plan

The Office of Inspector General (OIG) oversees the protection of the integrity of Health and Human Services (HHS) programs and operations. The aim of this function is to ensure the wellbeing of the American people who benefit from these programs. The OIG seeks to prevent fraud, abuse and waste, to identify ways of improving the cost, efficiency and effectiveness of these programs, and to bring to book those who do not comply with its requirements.


Towards these ends, the OIG issues its annual Work Plans. These set out the details of the projects that the Office of Audit Services, Office of Evaluation and Inspections, Office of Investigations, and Office of Counsel to the Inspector General will address during a fiscal year. Each year’s Work Plan details the projects the OIG has planned in each of the above-mentioned Offices. The Work Plans offer information on a host of issues concerning the departments with which the OIG works or coordinates.


The OIG expects health care organizations and providers to address compliance and enterprise risk management when they develop and plan their annual compliance audit priorities. They should make sure that their compliance program activities, audits and policies are consistent with the OIG’s annual Work Plan.

What is coming up in the Fiscal Year 2017 HHS OIG Work Plan?

A detailed explanation of the OIG’s Fiscal Year 2017 Work Plan will be offered at a webinar that is being organized by MentorHealth, a leading provider of professional trainings for the healthcare industry. Joseph Wolfe, who is an attorney with Hall, Render, Killian, Heath & Lyman, P.C., the largest health care focused law firm in the country, will be the speaker at this webinar.


Want to know what needs to be understood by those who need to be compliant with the Fiscal Year 2017 HHS OIG Work Plan? Just enroll for this webinar by visiting http://www.mentorhealth.com/control/w_product/~product_id=800932LIVE/~sel=LIVE/~Joseph_Wolfe/~Untangling_the_OIG’s_2017_Work_Plan:_Key_Compliance_Considerations_for_Health_Care_Providers.

At this webinar, Joseph will give an overview of the Work Plan, including the new and ongoing audit areas that the OIG plans to focus on during 2017. This discussion will be of immense value to healthcare professionals such as in-house counsel, healthcare executives, health care Human Resources staff, and healthcare CFOs.


He will cover the following areas at this webinar:

  • Provide a general overview of the 2017 OIG Work Plan
  • Summarize ongoing reviews and activities the OIG plans to pursue
  • Discuss significant new risk areas that the OIG plans to focus on
  • Identify potential action steps that health care organizations and providers can take to manage compliance risk