Entities should do everything it takes to avoid HIPAA fines and penalties

The fact that about 120 million individuals were affected by HIPAA breaches in 2015 highlights two important points:

  1. There is a huge demand for these records on the black market, which is why they are being targeted to this extent. Is it any wonder that PHI is in greater demand on the black market than even social security and credit cards?
  2. There is an acute need for Covered Entities and Business Associates to take all the steps at their command to avoid HIPAA fines and penalties.

The federal government, on its part, is extremely vigilant about protecting healthcare records. It has been consistently exhorting the HHS to take a fresh look at the increased incidence of cyberattacks that has resulted in medical records theft.

Phase 2 of HIPAA audits is very stringent

With the OCR’s harsher Phase 2 HIPAA audits now underway, there is a heightened need for Covered Entities and Business Associates to devise ways of avoiding HIPAA fines and penalties. This is not to suggest that Covered Entities and Business Associates need to panic. They simply need a clear and thorough understanding of the HIPAA compliance requirements expected of a healthcare provider if they are to avoid HIPAA fines and penalties.

Further, a thorough understanding of HIPAA compliance requirements is also necessary to meet another core HIPAA requirement: providing the appropriate patient rights and controls on the uses and disclosures of PHI.

The HHS expects an organization that is being audited or is the subject of a compliance review to demonstrate two points if it is to avoid HIPAA fines and penalties: a) how it addresses all of the required security safeguards, and b) documentation of the proper policies and procedures necessary for safeguarding patient PHI.

These facts show that it is extremely crucial for organizations to avoid HIPAA fines and penalties, given the astronomical cost of noncompliance.

A valuable learning on how to avoid HIPAA fines and penalties

A thorough grounding in what Covered Entities and Business Associates need to do to get their HIPAA implementation right will be imparted at a webinar organized by MentorHealth, a leading provider of professional trainings for the healthcare industry. At this webinar, Jay Hodes, President and Founder of Colington Security Consulting, LLC, will be the speaker. Just visit to gain complete understanding that Jay will impart about ways of avoiding HIPAA fines and penalties. This course is approved for 1.5 general credits from the Nevada Board Of Continuing Legal Education.

Clarity on how to avoid HIPAA fines and penalties

Jay will highlight why an organization must be compliant with the HIPAA requirements if it is to avoid HIPAA fines and penalties. He will explain how a Business Associate or Covered Entity can provide the appropriate patient rights and controls on its uses and disclosures of Protected Health Information (PHI), and what it has to have in place for doing so.

He will explain the core areas on which an organization that is being audited or is the subject of a compliance review must focus to avoid HIPAA fines and penalties: showing the HHS both the documentation necessary for safeguarding patient PHI and how it is addressing all of the required security safeguards.

The following areas will be covered at this session:

  • Why was HIPAA created?
  • Who Must Comply with HIPAA Requirements?
  • What Privacy Requirements must be in place?
  • What are the HIPAA Security and Privacy Rules?
  • What is a HIPAA Risk Management Plan?
  • What is meant by “Required” and “Addressable” Implementation Specifications?
  • What are Administrative, Technical, and Physical Safeguards Requirements?
  • What is a HIPAA Risk Assessment?
  • What are HIPAA training requirements?
  • What is a HIPAA data breach and what happens if it occurs?
  • What are the penalties and fines for non-compliance and how to avoid them?
  • HIPAA Breaches - Case Examples
  • Questions

 

The nuances of creating a care transitions program based on predicted readmission risk

Those who plan to start a care transitions or care coordination program need to be aware of the challenges that go into doing this successfully. In developing a Care Transitions Program, they should know how to utilize performance improvement processes and analytics, and how to put all these together for optimal benefit. They should know what needs to be measured and how to demonstrate outcomes.

Without proper knowledge of these vital aspects, a care transition or care coordinator program founder could be up against many obstacles. The dynamics of these programs and the ways of handling them in order to leverage technology for better outcomes will be the objective of a webinar that is being organized by MentorHealth, a leading provider of professional trainings for the healthcare industry.

A thorough and well-structured session on a care transitions program

At this session, the speaker, Sherrill Rhodes, a senior nurse who serves as the Accreditation Specialist at the Malcolm Baldrige Awardee Baptist Hospital in Pensacola and brings over 30 years of nursing experience and 14 years in Quality Leadership, will explain these issues.

To understand the nitty-gritty of managing a care transition or care coordination program successfully without hiccups, please register for this session.

Based on extensive research

This webinar familiarizes those starting up a care transitions or care coordination program with the challenges this profession provides. It will teach them what needs to be measured to ensure desired outcomes.

The content of this webinar will be based on the findings of a comprehensive transition program that a 402-bed regional medical system has developed to identify and guide patients from acute care through comprehensive discharge planning and community care. This program identified key areas using transition nurses to proactively manage patients with a high risk of readmission, by which hospital readmissions were reduced.

The modified LACE (Length of stay, Acute admission, Co-morbidities and ER visits) tool the transition program used to identify patients at risk for discharge delays and/or readmissions and analytics to evaluate target populations was a major reason for its success. Various parameters went into these analytics, the end result of which was the attainment of goals such as improved patient experience, promotion of health and wellness in the community and reduction in readmissions.

Extensive use of analytics

At this webinar, Sherrill will explain the findings of this research, which used analytics to help the researchers correlate the patient risk of readmission with the actual observed readmission rate, the total cost of readmission encounters, and the clinical drivers of readmissions.

Analytics were also used for providing a financial model that calculates the overall impact of readmission rate reductions on reimbursement, cost, and value based purchasing payments. The program targeted populations that required a 30-day readmission for any cause and followed specific clinical populations of AMI, Heart Failure, Pneumonia, Hip/Knee Replacement, Stroke, COPD, and Sepsis.

Assigning LACE scores

Using analytics, the researchers used a LACE score of 13-16 to identify where intense resources are needed or a readmission is likely to occur. They also took community resources such as medication assistance, transportation vouchers, self-monitoring equipment and home care navigators into consideration for assisting in maintaining home placement for these patients. Unfunded patients get supplies of medications, equipment, etc. through community resources. These were aligned to the grading system, by which patients with scores above 8 receive a 3-7 day follow-up, and patients with a score above 12 receive a full 30 days of follow-up.

The main goals of this research were to improve the patient experience, promote health and wellness in the community and reduce readmissions. It has been established beyond doubt that collaboration between acute care and community resources has proven beneficial to all involved. As a follow-up to these objectives, the researchers are involved in understanding and monitoring their readmission trends.

This webinar will discuss this program at greater length. It will be of value to Quality Directors, Nurse Leaders, Senior Data Analysts, Case Managers, Community Navigators, Care Coordinators, Physicians, and Physician Office Staff.

 

Overcoming the pain of HIPAA enforcement

In the many years that it has been in existence, one of the noticeable changes that HIPAA has undergone is in its attitude. The earlier phase of advice and counseling has now given way to hardboiled and unforgiving enforcement. The Office of Civil Rights (OCR) no longer uses the cajoling and persuasive method. It wants to impose super harsh penalties on healthcare organizations which violate its rules.

For starters, healthcare organizations have to reckon with new, ominously higher fines, which include mandatory minimum fines of the order of $10,000 for those who are willfully neglectful in their compliance. This is in tune with its decision to raise the importance of HIPAA enforcement through audits. Simply no entity that comes under the scanner of the OCR and is required to carry out a HIPAA audit can afford to relax. Their turn for audit or compliance review can come up anytime.

If, with all these changes to HIPAA, an entity that is subject to HIPAA compliance, such as a Covered Entity or its Business Associate and related entities, does not take the necessary steps to protect its patients’ rights and health information in accordance with what is required under the HIPAA Privacy, Security, and Breach Notification Rules, it has to face the prospect of being slapped with heavy penalties, which, as mentioned above, start at $10,000 in cases of willful neglect. Covered Entities and Business Associates have to implement the privacy requirements, provide good information security, and be in overall compliance.

Learn from the guru of HIPAA compliance

How do Covered Entities and Business Associates and all those that are connected with HIPAA enforcement activity attain compliance? The text in HIPAA is confounding to many professionals. Many words are complex and ambiguous, making its comprehension and interpretation difficult.

It is to help those associated closely with HIPAA enforcement, such as Compliance Directors, CEO, CFO, Privacy Officers, Security Officers, HIPAA Officers, Chief Information Officers, Health Information Managers, Healthcare Counsel/lawyers and Office Managers that MentorHealth, a highly regarded provider of professional trainings for the healthcare industry, will be organizing a learning session.

At this webinar, senior HIPAA compliance professional, Jim Sheldon Dean, who is the founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm, which he founded in 1982, will give a complete roundup of HIPAA enforcement and the ways in which the provisions of this legislation need to be complied with. The aim of this webinar is to help participants overcome the difficulties and complexities associated with HIPAA compliance. To enroll for this highly valuable learning session, please visit

http://www.mentorhealth.com/control/w_product/~product_id=801012?/Wordpress-SEO

A complete learning session on all the aspects of HIPAA enforcement

Jim will explain the HIPAA enforcement actions that have taken place, which will help participants to understand why the enforcement took place. It will also help them analyze what could have been done to prevent the incident that led to the enforcement. He will help them assess the unmet requirements and make them understand what they need to do to ensure that the proper policies, procedures, training, and documentation of their application are in place, so that they can prevent problems and limit the organization’s exposure in incidents.

This kind of learning is vital when one takes a look at the kind of violations that HIPAA has zeroed in on. Which Covered Entity or Business Associate would have thought that such seemingly mundane and harmless actions as returning copiers to the leasing company without removing the PHI on the hard drive, moving offices without accounting for hard drives stored in a closet, or improperly disposing of printed materials could invite penal actions from HIPAA?

With proper guidance, actions such as these or others that invite penalties from the OCR can be avoided. Jim will seek to provide learning on these aspects to the participants of this webinar. He will cover the following areas at this session:

  • The HIPAA Privacy, Security, and Breach Notification regulations (and the recent changes to them) and how their compliance will be evaluated in enforcement circumstances
  • Recent changes to the HIPAA enforcement regulations that increase fines and create new penalty levels, including new penalties for willful neglect of compliance that begin at $10,000
  • The information and documentation that needs to be prepared in advance so that you can be ready for an enforcement review or an audit without notice
  • The results of prior HHS enforcement actions and audits (and their penalties), including recent actions involving multi-million dollar fines and settlements
  • Questions asked in prior audits and enforcement reviews
  • Identification of weaknesses in organizational compliance
  • Future threats to the security of patient information
  • The importance of a good compliance process to help you stay compliant more easily.

HIPAA implementation should be grasped from an insider’s perspective

Carrying out HIPAA implementation is something a Covered Entity or a Business Associate has no choice about. To carry out this mandatory activity, the most important requirement is getting a proper grasp of how to carry out HIPAA audits. As is known in the industry circles, carrying out HIPAA audits is a big task for even the most seasoned professional in the healthcare industry.

The main reason why Covered Entities and Business Associates consider HIPAA implementation difficult is the nature of HIPAA audits. HIPAA contains words that are subjective and confusing. So, getting a grasp of the nuances and subtexts and their intended meanings is essential for a Covered Entity and a Business Associate in order to get their HIPAA implementation right.

Varied kinds of penalties

When one takes a look at the kind of penalties already imposed in 2017, the need for understanding how to get HIPAA implementation right becomes all the more acute. As recently as the last week of April 2017, the OCR announced a HIPAA settlement of the order of $2.5 million with CardioNet, a Pennsylvania-based provider of remote mobile monitoring and rapid response to patients with cardiac issues.

Its fault: it did not take sufficient care to prevent an employee’s laptop, which contained the health records of nearly 1400 patients, from getting stolen. The investigation by OCR concluded that CardioNet had not carried out Risk Analysis properly and had not put the right risk management processes in place at the time the theft took place. This is just one instance of an entity not taking the required steps for HIPAA implementation. There are many others that have attracted similar and even higher penalties for a variety of reasons.

OCR has been tightening HIPAA implementation audits

All these apart, the allocation in the federal budget for the Office of Civil Rights has gone up by 10 percent for 2017 over the previous year. What does this mean? It makes the OCR’s scrutiny and vigilance of Covered Entities and Business Associates even tighter than it was before, since the OCR has announced that it will be using these extra resources to improve and streamline the tools it uses for vigilance and to also adapt newer, more advanced technologies into healthcare IT infrastructure.

All these actions are the result of the reinvigorated Phase 2 HIPAA audits, which the OCR started in March 2016.

Get trained on how to get HIPAA implementation right

A look at all these cases makes it clear that it is absolutely necessary for Covered Entities and Business Associates, as well as all those involved in one way or another with HIPAA audits, such as Practice Managers, Business Associates who work with medical practices or hospitals (namely billing companies, transcription companies, IT companies, answering services, home health, coders, attorneys, etc.), MDs and other medical professionals, to get all the aspects of their HIPAA implementation completely right.

The in-depth knowledge needed for understanding and getting HIPAA audits right is the learning outcome of a webinar from MentorHealth, a leading provider of professional trainings for the healthcare industry. Brian L Tuttle, a senior Compliance Consultant & IT Manager at InGauge Healthcare Solutions, will be the speaker at this webinar, to enroll for which, all that is needed is to visit

https://www.mentorhealth.com/control/w_product/~product_id=801002?/Wordpress_SEO

As someone who has been on both sides of the audits, Brian will explain the way real-life audits are conducted by the federal government for Phase 2 and beyond. He will explain just what the highest risk factors for non-implementation are, some of which may even cause people to chuckle. He will explain what practice or business managers or compliance officers need to do if they are to get their HIPAA audits right. Also taken up will be the major changes under the Omnibus Rule and any other applicable updates for 2017.

Brian will mainly seek to clear the misconceptions and myths about this often misunderstood law. He will teach participants the way to put a HIPAA compliance program in place. He will also explain the dos and don’ts of HIPAA Omnibus, among many other issues related to this topic.

The following areas will be covered at this session:

  • Updates for 2017
  • Requirements of Compliance Officers
  • Audit Process
  • What can cause an audit
  • How to avoid audit
  • What to do in the event of an audit
  • How to speak and deal with Federal auditors
  • Risk Assessment
  • Best resources

 

Patient rights to access to their medical records under HIPAA

Patient rights to access to their medical records are a major part of HIPAA. One of the highlights of the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which was created to ensure continuity in the health insurance protection of employees who lose jobs or are in the process of changing them, is the ease of access it gives to patients of their health information.

The rationale for allowing patient rights to access to their medical records under HIPAA is that it should help them manage their conditions better. They can carry out or contribute to a number of useful activities such as:

  • Being able to better monitor their present or past chronic conditions
  • Complying with the treatment courses and plans being carried out
  • Detecting and correcting inaccuracies and blunders in their health records
  • Being able to monitor the progress they make in disease or wellness management programs
  • Being able to directly contribute to health research by sharing their health information with genuine users.

To empower patients

The HHS believes that the idea of equipping patients with rights to access their medical records under the HIPAA is to place them “in the driver’s seat” and make the whole health system patient-friendly. Another rationale for giving patients rights to access their medical records under HIPAA is that it wants patients to fully utilize the technologies that have gone into the healthcare records system.

At the heart of patient rights to access to their medical records under HIPAA is the ability given to patients to obtain a copy of their medical information. This right sits at the core of an assortment of rights given to patients to access their medical records under HIPAA. This is the General Right given to patients that requires Covered Entities to hand over a copy, upon request, of the patient’s Protected Health Information (PHI) in one or more “designated record sets” maintained by the Covered Entity or a Business Associate on its behalf.

Unfettered General Right

Patient rights to access to their medical records under HIPAA require the Covered Entity or Business Associate to provide PHI to the patient, when requested, irrespective of when the record was created, the form of the record, viz., electronic or paper, and the source of the record, i.e., the patient, the Covered Entity, or another provider.

The whole aspect of patient rights to access to their medical records under HIPAA needs to be fully grasped if the healthcare provider is to avoid causing a breach. A breach, as we know, is taken very seriously by the HHS. It attracts heavy penalties. It is not just advisable, but mandatory for providers to have complete knowledge of patient rights to access to their medical records under HIPAA.

A thorough learning on patient rights to access to their medical records under HIPAA

The ways of understanding and ensuring patient rights to access to their medical records under HIPAA will be the topic of a webinar that is being organized by MentorHealth, a provider of professional trainings for the healthcare industry. This webinar will have Jay Hodes, president of Colington Security Consulting, LLC, which provides HIPAA consulting services for healthcare providers and Business Associates, as speaker.

Registering for this webinar at http://www.mentorhealth.com/control/w_product/~product_id=800901/?Wordpress

will give a proper understanding of patient rights to access to their medical records under HIPAA. Jay will give a proper grasp of patient rights to access to their medical records under the Privacy Rule of the HIPAA. This thorough information is very vital for organizations whose job entails maintaining, creating, transmitting or storing PHI.

At this session, Jay Hodes will cover the following areas:

  • Why was HIPAA created?
  • Who Must Comply with HIPAA Requirements?
  • What is the HIPAA Privacy Rule?
  • What is Protected Health Information?
  • What are Permitted and Authorized Disclosures?
  • What Rights do Patients have under HIPAA?
  • What is a HIPAA data breach and what happens if it occurs?
  • What are the penalties and fines for non-compliance and how to avoid them?

Violations of ethical law by psychologists

Violations of ethical law by psychologists are a major topic for society in general and the healthcare industry in particular because psychologists are a highly trained and skilled workforce in the medical profession. Since mental healthcare practitioners work in today’s diverse, fast-changing, multidisciplinary health care environment, this profession places a vast array of providers before the client seeking mental health services.

Violations of ethical law by psychologists are stated in detail by the American Psychological Association (APA), which formulated and issued the Ethical Principles of Psychologists and Code of Conduct in December 1992. This law sets out rules for professional ethical conduct by psychologists. The terms of violations of ethical law by psychologists are clearly laid out by this set of laws.

Referred to in short as the Ethics Code, this law consists of six General Principles and several specific ethical standards. The rules laid out in these and other sections of the Ethics Code are enforced by members of the APA, although, given the subjective nature of these violations, a broad interpretation of these laws is called for based on the individual case.

Applies only to the psychologist’s practice

It is important to note that the Ethics Code is applicable purely to psychologists’ work-related activities. In other words, the Ethics Code covers only those activities of psychologists that constitute part of the psychologists’ professional or scientific functions or those that are of a psychological nature.

Some of the activities of the Ethics Code that come under the purview of violations of ethical law by psychologists include:

  • Clinical or counseling practice
  • Counseling related to education
  • Developing assessment tools
  • Carrying out assessments
  • Administration
  • Teaching
  • Trainee supervision
  • Social intervention
  • Research
  • Organizational consulting

Why this needs to be mentioned is that all these work-related activities are different from the totally private conduct that a psychologist undertakes. These private interactions and functions are outside the ambit of the Ethics Code, and hence do not come under violations of ethical law by psychologists.

Learn the finer aspects of violations of ethical law by psychologists

A complete understanding of the activities and other related aspects of violations of ethical law by psychologists needs to be made if one is to get a thorough hold of the intent and interpretation of this legislation. All these aspects of violations of ethical law by psychologists will be taken up in detail at a webinar that is being organized by MentorHealth, a highly popular provider of professional trainings for all the areas of regulatory compliance.

At this highly valuable and interesting session, Mark Brengelman, who is Attorney at Law at Hazelrigg and Cox LLP, an established law firm that traces its history to over one hundred years in Frankfort, Kentucky and is the founding presenter for “Navigating Ethics and Law for Mental Health Professionals”, a continuing education training approved by five Kentucky mental health licensure boards, will be the speaker.

To enroll for this lively session and get a complete understanding of how violations of ethical law by psychologists are treated by the APA and the other laws, register by logging on to

http://www.mentorhealth.com/control/w_product/~product_id=800928/?Wordpress

The different tenors of the law on violations of ethical law by psychologists

A few aspects related to violations of ethical law by psychologists need to be taken note of. For instance, a complaint given against a mental health practitioner of her alleged misconduct or ethical shortcomings is received and investigated by a State agency. The implication, spirit and applicability of these laws vary from one State to another, causing considerable confusion to the practitioner faced with having to handle and defend the action the State is bringing against her.

At this session, Mark will show how to navigate issues such as this. Participants will learn the ways of identifying and understanding the most common violations of law against psychologists. This gives the practitioner the opportunity to defend against actions by the State which may mar her career prospects.

This webinar on violations of ethical law by psychologists offers an objective, thorough review of the legal and ethical analysis of state licensure board complaints against psychologists.

The speaker will cover the following areas at this webinar:

  • Sources of legal authority for the state to take disciplinary action against psychologists
  • Administrative procedures applied to the process of disciplinary actions
  • Due process standards for the psychologists
  • Defenses to disciplinary action proceedings
  • Review of the most common ethical and legal violations committed by psychologists
  • Practice tips for successfully handling disciplinary action proceedings.

 

Physician Practice acquisitions under the new 2016 Stark Rules

Physician practice acquisitions have seen a humungous rise in the past few years, since the passage of the Affordable Care Act (ACA). A few factors have fueled physician practice acquisitions. Some of these are:

  • Physician practice acquisitions offer healthcare providers more clinical consolidation and integration, as they help to align the business prospects of the referral networks to the hospital’s strategic goals.
  • Reimbursement rates, at least for a few specialties, continue to decline, affecting the overall physician compensation. When physicians come under the protection of a bigger hospital brand, they have a little extra leeway in negotiating contract rates. Being under the aegis of a bigger, better branded hospital also ensures them the prospects of having a regular monthly pay, something that is almost impossible in private practice.
  • A few recent amendments to the Medicare and Medicaid reimbursement systems have been propelling providers towards bundled and integrated payments, which is something that hospitals with more physician practice acquisitions find favorable.
  • Physician practice acquisitions also help physicians across different age groups. Older physicians with several years of experience may see physician practice acquisitions as a means for augmenting and assuring an income stream, while younger physicians have the opportunity of getting a more favorable schedule, which can bring about greater work life balance.

While all these factors are very concrete ones that are having a major impact on the healthcare sector, physician practice acquisitions have to be negotiated. They are not something that is delivered on a plate to consume at one’s will, in the form supplied. A few major legislative and regulatory issues need to be taken into consideration while negotiating and signing physician practice acquisitions.

The Stark Law is a major component of physician practice acquisitions

The Stark Law, which governs a major aspect of healthcare practice, is a major one among these. Stark Law, legally referred to as The Physician Anti-Referral Law (known as Stark II), is a very important law concerning physician referrals. Any healthcare provider which files claims has to comply with the provisions of the Stark rules. Enforcement action ensues from lack of compliance.

Aimed at eliminating malpractices in the healthcare sector, the Stark Law is implemented in stages known as Stark II and Stark III. The Stark Laws classify particular physician actions as unlawful. This law underwent a few changes in 2016, which need to be taken into consideration while negotiating and signing physician practice acquisitions.

The recent substantial awards and settlements arising out of Stark Law enforcement actions have increased the need for complete compliance with the Stark Laws. From a number of important perspectives, more and more medical groups, hospitals, and health systems are moving towards integration and phasing out to more innovative hospital-physician arrangements. This makes it imperative for those who undertake physician practice acquisitions to put in place compensation arrangements that are defensible under the Stark Law.

Get to understand the heart of physician practice acquisitions under the Stark Law

What are the contents and the interpretations of the Stark Law that physician practices need to carefully analyze and scrutinize when dealing with physician practice acquisitions? The finer aspects of this law, along with other major legal considerations that need to go into physician practice acquisitions, will be the topic of a webinar that is being organized by MentorHealth, a highly valued provider of professional trainings for the healthcare industry.

At this webinar on physician practice acquisitions, Joseph Wolfe, an attorney with Hall, Render, Killian, Heath & Lyman, P.C., the largest health care focused law firm in the country, will offer guidance on physician practice acquisitions, keeping compliance with the provisions of the Stark Law in mind. To enroll for this webinar, just log on to

http://www.mentorhealth.com/control/w_product/~product_id=800915/?WordPress

Wolfe will provide an overview of the Stark Law, including its 2016 changes. He will also explain best practices for negotiating and drafting physician practice acquisition arrangements on behalf of health systems, hospitals, medical groups and physician practices. He will traverse the important aspects of regulatory requirements, key provisions, valuation considerations and potential pitfalls that should be avoided when dealing with physician practice acquisitions.

Thorough assessment is necessary

Prior to making any kind of physician practice acquisition arrangement, both healthcare practices and physicians should very thoroughly and meticulously assess whether the proposed structure and financial terms are compliant with the Stark Law’s underlying technical requirements and key tenets of defensibility. This will help them defend themselves when this arrangement is challenged. Wolfe will discuss these as they apply to physician practice acquisitions.

Wolfe will cover the following areas at this session:

  • Provide a general Stark Law overview
  • Examine critical regulatory requirements related to physician practice acquisitions
  • Discuss best practices for drafting purchase agreements and the related financial terms
  • Discuss best practices for drafting post-transaction service arrangements (e.g. employment, professional services, etc.) and the related financial terms
  • Review processes for documenting fair market value and commercial reasonableness.

Ransomware and HIPAA risks are now closely hemmed together

Ransomware and HIPAA risks are now inseparable. After a lot of deliberation, ransomware has now become part of HIPAA compliance for Business Associates and Covered Entities that have to show HIPAA compliance. This became official on July 11, 2016, when the HHS issued a new guideline that makes ransomware attacks part of reportable HIPAA breaches.

Although players in the healthcare industry were strident in their thinking that ransomware and HIPAA risks should be kept separate, what precipitated this decision was the finding of the US interagency report, which suggested that in just one year from the middle of 2015 there had been a fourfold increase in the number of ransomware attacks, bringing the number of these attacks on Protected Health Information (PHI) to an alarming 4000 a day.

Ransomware and HIPAA risks have come together primarily for this reason, with the HIPAA’s new guideline seeking to suggest steps that need to be taken by Business Associates and Covered Entities to identify a ransomware attack and report it, thereby preventing the potential loss it causes to PHI.

First, a brief understanding of ransomware

Ransomware can be defined in simple terms as malicious software that is different from other kinds of malware. It differs fundamentally by attempting to deny access to a user’s data at the source. Ransomware hackers encrypt the data with a key that is known only to them, and release it only after a ransom is paid to them by the user. Ransomware and HIPAA risks have come together after the realization by the HHS about the dangers of this kind of malware.

Business Associates and Covered Entities are in for a jolt when HIPAA investigations relating to ransomware breaches find malpractices. It can ruin the said practice or business. If ransomware is detected, HIPAA considers it a serious breach of security. Such an entity is heavily penalized, and its reputation is at stake.

How are ransomware and HIPAA risks associated with each other?

The HHS, which is responsible for HIPAA implementation, has issued the new guidelines about ransomware and HIPAA risks.

These include:

  • Implementing a security management process, which includes carrying out a risk analysis to identify vulnerabilities and threats to the PHI and implementing steps to mitigate them;
  • Putting in place measures that detect and guard against malicious software;
  • Helping to protect data by training users to identify and report malicious software; and
  • Putting in place access controls by which only designated personnel are authorized and permitted access.

These measures on ransomware and HIPAA risks sit along with the existing Security Rule of the HIPAA, which has its own set of steps and rules that need to be taken to protect data privacy.

How do steps for checking ransomware and HIPAA risks need to be implemented?

The important steps needed for checking ransomware and HIPAA risks are suggested above, but one needs professional help in order to implement the right steps for identifying and containing ransomware and HIPAA risks.

The exact ways of doing this will be the content of a webinar that MentorHealth, a leading provider of professional trainings for all the areas of regulatory compliance, is organizing.

Brian L Tuttle, who is a Certified Professional in Health IT (CPHIT), Certified HIPAA Professional (CHP) and Certified Business Resilience Auditor (CBRA) with over 15 years’ experience in Health IT and Compliance Consulting, will be the speaker at this webinar. To understand how to prevent your practice from being hauled up by HIPAA or being sued for class action in the case of a large breach, register for this webinar by visiting

The proven and established means of protecting businesses and practices from ransomware attacks and breaches and from HIPAA actions will be discussed thoroughly at this webinar.

An understanding of the risk factors

During the course of this webinar, Brian will also explain what the highest risk factors for being sued for wrongful disclosures of PHI are, and the manner in which patients are now using state laws to sue for wrongful disclosures. He will also delve into specific information about multiple incidents, which will help practices and businesses understand what they did wrong that led to a HIPAA risk of ransomware.

Apart from offering an explanation of the variables that need to be considered, Brian will also discuss specific questions the Office of Civil Rights investigators and FBI are likely to ask and the ways of giving them the best answer. This very valuable session on ransomware and HIPAA risks will educate participants on the ways of preventing a breach altogether.

Brian will cover the following areas at this webinar:

  • What is ransomware?
  • What are risk factors?
  • What to do if hijacked
  • Audit Process
  • What can cause an audit
  • How to avoid these issues altogether
  • What to do in the event of an audit
  • How to speak and deal with Federal auditors
  • Risk Assessment
  • Best resources

HIPAA and suing need to be understood fully when contemplating action

HIPAA and suing are two important elements closely related to each other. When HIPAA and suing are discussed, what needs to be borne in mind is that an individual cannot sue HIPAA. Yes, you are reading it right. An individual cannot sue a Covered Entity or Business Associate for violation of privacy of medical records. So, does this mean that HIPAA is empowered with carte blanche powers to do what it likes with your medical records?

No. What has just been stated is that an individual cannot sue HIPAA itself, but can seek legal remedy when she believes that there has been an unlawful violation of her or someone else’s privacy rights relating to health information, or a breach of Privacy, Security, or Breach Notification Rules, by filing a complaint with the Office of Civil Rights (OCR) under State law.

Who can be sued?

HIPAA is clear about who can be sued for healthcare information privacy violations. An individual can seek legal action against a Covered Entity (any of these: health plans themselves, healthcare clearinghouses, or healthcare providers that use the electronic medium to carry out many of their transactions) or any of their Business Associates.

Provisions related to suing under HIPAA need to be fully understood before proceeding legally. Since HIPAA and suing is a legal matter, it needs to be completely understood if an individual is contemplating suing under HIPAA.

A webinar from MentorHealth on HIPAA and suing

All the major aspects of HIPAA and suing will be the topic of a webinar that MentorHealth, a leading provider of professional trainings for all the areas of regulatory compliance, will be organizing. Brian Tuttle, a Certified Professional in Health IT (CPHIT), Certified HIPAA Professional (CHP), Certified Business Resilience Auditor (CBRA) with over 15 years’ experience in Health IT and Compliance Consulting, will be explaining all the important areas relating to HIPAA and suing.

To understand the core elements of HIPAA and suing, enroll for this important webinar by visiting

http://www.mentorhealth.com/control/w_product/~product_id=800905LIVE/~sel=LIVE/~Brian_Tuttle/~HIPAA_and_Suing_-_Trial_Attorneys_Are_More_Dangerous_Than_The_Federal_Government.

At this session, Brian will attempt to clear the major issues relating to HIPAA and suing and will give participants an understanding of the factors that could invite a letter or a visit by the Office of Civil Rights and ways of dealing with it.

In the course of explaining the ingredients relating to HIPAA and suing, Brian will cover the following areas:

  • Updates for Omnibus
  • Patients suing – how does this work
  • Fines from HHS
  • Audit process
  • Real life audits and litigated cases
  • New patient legal remedies and how to lower risks
  • State laws and patient remedies
  • Portable devices
  • Emailing and texting
  • Business associates and the increased burden
  • Breach notification
  • Risk factors for being sued or audited

Being Prepared for a HIPAA Audit

A HIPAA audit is very important for service providing organizations, because the penalties for violations can bring their business down. It is important to understand the nuances of a HIPAA audit if one has to be successful.

A HIPAA audit is, for many service providing organizations, a make or break situation. This is because HIPAA audits are considered stringent. Violations can attract huge penalties, which is why getting it right the first time is extremely important. An entry level HIPAA violation can cost the organization upwards of $200,000, and the highest can run into multiple seven-figure amounts. So, an organization has to ensure that it gets its HIPAA audit right.

Risk analysis is the heart of the matter

Insulating oneself from heavy HIPAA audit violations requires service providers to be compliant with HIPAA audit requirements. Conducting a comprehensive risk analysis is the perfect solution to a HIPAA audit. These may appear to be no-brainers, but at its core, a HIPAA audit looks for these critical areas, so it is all the wiser for organizations to ensure these basic requirements to get the audit of their Security Rule and Privacy Rule right.

A thorough and comprehensive risk analysis has to be done to offset HIPAA violations, since a HIPAA audit can happen across the board for a large number of parameters. HIPAA expects the service providers it audits not only to have these in place, but also to demonstrate that they do.

What practices are necessary for passing a HIPAA audit?

While being compliant with the risk analysis requirements is at the core of being compliant with HIPAA audit requirements, other tips can go some way in helping organizations understand ways by which to deal with HIPAA audits:

  • Any plans relating to the service provider’s data management, security, training and notification should be documented
  • A secure access password policy has to be put in place
  • Although not a strict HIPAA requirement, encrypting Protected Health Information, irrespective of whether the PHI is in a database or in files on a remote server, is a good practice
  • Using SSL whenever there is web access to sensitive data is a good idea
  • Only a select few members of the organization should have knowledge of the techniques relating to encryption and the way they work
  • Scans and images should be encrypted and should contain no personally identifiable information
  • Avoid using public FTP
  • Remote access is best allowed only over VPN
  • A disaster recovery plan should be documented

Read More : http://www.mentorhealth.com/control/w_product/~product_id=800893LIVE/

Staying compliant with HIPAA’s fundraising requirements

Rules implementing The Health Insurance and Portability Act of 1996 (HIPAA) and Health Information Technology for Economic and Clinical Health Act of 2003 (HITECH) underwent changes as a result of amendments brought about by the US Department of Health and Human Services in 2013.

Fundraising is among the areas of change these rules covered. Important areas, such as the methods and practices that hospitals, their institutionally related foundations, and other healthcare charities may or must exercise when using any patient or client information for fundraising, have been modified significantly by the amendments.

Change in types of information to be used for fundraising

The new rules include specific operational requirements, some of which prohibit protocols that were required under the original HIPAA regulations. The types of information that may be used for fundraising have also changed significantly under these amendments. As a result, there are now numerous fundraising opportunities, as well as challenges on the use and storage of related information.

Joel Simon, one of the nation’s leading experts on the fundraising aspects of HIPAA, will be the speaker at a webinar that MentorHealth, a leading provider of professional trainings for the healthcare industry, will be organizing to offer clarity on the fundraising aspects of HIPAA. To enroll for this webinar, register by logging on to http://www.mentorhealth.com/control/w_product/~product_id=800867LIVE/~sel=LIVE/~Joel_Simon/~Fundraising_Under_HIPAA:_What_You_Need_to_Know,_What_You_Need_to_Do.

Implementing compliant strategies

The import of the most important words mandated by HIPAA-related regulations changed in multiple areas. Joel will explain how to effectively implement the fundraising regulations in a manner that both increases opportunities for philanthropic support and stays compliant with the new mandates. The speaker will suggest ways by which to ensure that an organization is both legally compliant and operationally effective.

This learning is important for a number of reasons:

  • Fundraising institutions that have access to HIPAA Protected Health Information need to be aware of opportunities to strategize their fundraising in order to maximize philanthropic revenue for their organizations;
  • Fundraising organizations that use telephone or e-mail solicitations need to learn how new specific provisions of HIPAA now govern their fundraising activity, as well as effective policies to put in place to implement these rules;
  • Health related institutions that go for fundraising must make sure their fundraising practices meet compliance requirements and minimize the compliance risks and satisfy mandates governing the use of patient/client information;
  • A healthcare professional who is affiliated with a fundraising institution should know how to remain both ethically and legally compliant with patient privacy, while assisting both her affiliated institution and her patient/client;
  • Institutions will need to learn about compliance requirements for donor database management, as well as how to implement effective and efficient strategies needed to maintain compliance;
  • Keeping fundraising communication and related policies compliant without impairing operational effectiveness is important.

Joel will cover the following areas at this webinar:

  • New types of PHI that may be used for fundraising
  • New requirements for Notice of Privacy Practices
  • New requirements for protocols to allow patients to opt-out of using their PHI for fundraising.

Ensuring HIPAA Compliance and Avoiding Penalties

The combination of the implementation of new HIPAA regulations in the HIPAA Omnibus Update of 2013 and increased enforcement and audit activity has forced healthcare organizations to review their compliance and to ensure that they have the proper policies, procedures, and forms in place.

Because of this, HIPAA Privacy Officers have been renewing their compliance activities and reviewing their documentation to make sure they can meet the challenges of the new rules and avoid breaches and penalties for compliance violations. In addition, the Department of Health and Human Services (HHS) has been issuing new guidance and new enforcement settlements, which provide extensive insights into what behavior is permissible by a Covered Entity and what is not.

Under HIPAA and the Clinical Laboratory Improvement Amendments (CLIA), patients also now have new rights to directly access test results from the laboratories that create the data. Labs that did not deal directly with patients before will now have to create patient-facing operations. The way in which they communicate sensitive results to patients will come under scrutiny.

A complete training session

In view of all this, it is necessary for professionals in the healthcare industry to understand the ways by which to comply with HIPAA. A learning session that will provide background on the guidance and enforcement activity and identify key issues for HIPAA Privacy Officers to focus on is being organized by MentorHealth, a leading provider of professional trainings for the healthcare industry. Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems, LLC, will be the speaker at this session. Just visit MentorHealth to enroll for this high-value webinar session.

Aimed at Covered Entities and Business Associates

All the aspects of importance to HIPAA Privacy Rule compliance, such as what is new in the regulations, what changes one needs to implement in one’s organization, and what Covered Entities and Business Associates need to address to ensure compliance, are among the issues Jim will cover at this session.

He will provide the background and details of the most important privacy issues that any healthcare information privacy officer needs to know, what needs to be done for HIPAA compliance, and what can happen when compliance is not adequate. He will explain audits and enforcement, and how Privacy regulations relate to Security and Breach regulations, apart from teaching how to respond to privacy and security breaches and ways of preventing them. Jim will offer many references to all these points.

The following areas will be covered at this webinar:

  • Overview of HIPAA Regulations
  • Responsibilities of the HIPAA Privacy Officer
  • HIPAA Privacy Rule Principles, Policies and Procedures
  • Recent Changes to the HIPAA Rules
  • Implementing the New HIPAA Omnibus Rules
  • HIPAA Security and Breach Notification Rule Principles
  • Documentation, Training, Drills and Self-Audits
  • HIPAA requirements for access and patient preferences, as well as the requirements to protect PHI
  • How HIPAA audit and enforcement activities are now being increased and what you need to do to survive a HIPAA audit.