Category: Audit

The First Steps to Becoming HIPAA Compliant

When we schedule an appointment to go over HIPAA compliance with a new client, we are always asked, “Where do I even start?” by the owner or practice manager. Becoming HIPAA compliant is a complex proposition that takes time, knowledge, and persistence. There are many steps involved, but the first steps are always the same: appoint a Compliance Officer and perform a full Security and Privacy Risk Assessment.

Appointing a compliance officer should be the easier of those two steps. Pick a person who has enough time to dedicate to compliance. For a smaller practice, this might be a couple of hours per week. For a larger organization, you may need someone who devotes all of their time to compliance.

Choose a compliance officer who will care about compliance. It is their job to watch for violations throughout the organization. A complacent compliance officer will likely result in violations being overlooked or no action taken when violations are found.

Your compliance officer will need to learn the laws, prioritize compliance tasks, and be able to delegate certain tasks to the proper departments. Do not pick an employee who has trouble delegating these tasks. A compliance officer will generally be unable to complete all compliance tasks on their own.

After choosing a compliance officer, the next step is possibly the most important aspect of compliance: the full security and privacy risk assessment. This assessment will take at least a day or two to complete for a smaller practice and could take many days or weeks for larger organizations.

A risk assessment is a basically a full inventory of your technology, your privacy and security policies, and your employee training levels. You will start by documenting every piece of equipment that stores or has access to PHI (protected health information). You will then be tasked with deciding if PHI is adequately protected (according to the law) against unauthorized access. Unauthorized access includes access by employees who shouldn’t be accessing a particular record and non-employees who shouldn’t have access to any records.

Next, you will be reviewing company policies regarding patient privacy, and data security. If you do not have any policies in place, you will be writing those policies from scratch. If you have some policies, but are missing others, you will need to add the missing policies. For instance, if your organization doesn’t have a documented policy for handling suspected breaches, you will need to write one. Or if your organization doesn’t have a policy for employee passwords (how often they should be changed, two factor authorization for remote access, password sharing, etc) you will need these policies added to your employee handbook.

Now comes employee training documentation. You will need to find out the last time each employee was trained on HIPAA policies. If it’s been more than 12 months, that employee should be retrained immediately. All employees should be retrained every 12 months whether there have been changes to HIPAA policies or not.

After you finish this initial risk assessment, then you begin the task of remediating all of the gaps you found. If few gaps were found, this process can be quick. Maybe a few weeks. If you find that your organization is missing lots of documentation, policies, or proper security measures, the process of remediating these gaps can take months or years depending on the size of your organization.

Business Associate Agreements Between Covered Entities

During our mock HIPAA audit process, we always verify Business Associate Agreements (BAAs) for our clients who are either Covered Entities (CEs) or Business Associates (BAs). In the process of deciding which BAAs are required, we are often asked about what agreement needs to be in place between two CEs who are working together.

For instance, one physician may refer a patient to a specialist physician. The first physician may send over medical records to the specialist. My clients want to know if a BAA is required between these two physicians.

At first glance, it seems as though a BAA might be required. Let’s look at the law itself:

 

Business associate:

(1) Except as provided in paragraph (4) of this definition, business associate means, with respect to a covered entity, a person who:

  • (i) On behalf of such covered entity or of an organized health care arrangement (as defined in this section) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or
  • (ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.

(2) A covered entity may be a business associate of another covered entity.

(3)Business associate includes:

  • (i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.
  • (ii) A person that offers a personal health record to one or more individuals on behalf of a covered entity.
  • (iii) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.

(4)Business associate does not include:

  • (i) A health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of the individual.
  • (ii) A plan sponsor, with respect to disclosures by a group health plan (or by a health insurance issuer or HMO with respect to a group health plan) to the plan sponsor, to the extent that the requirements of § 164.504(f) of this subchapter apply and are met.
  • (iii) A government agency, with respect to determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or collecting protected health information for such purposes, to the extent such activities are authorized by law.
  • (iv) A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement by virtue of such activities or services.

The answer, it turns out, is that two CEs both treating the same patient do not need a BAA to share Protected Health Information (PHI).

For Example:

  • A hospital is not required to have a business associate contract with the specialist to whom it refers a patient and transmits the patient’s medical chart for treatment purposes.
  • A physician is not required to have a business associate contract with a laboratory as a condition of disclosing PHI for the treatment of an individual.
  • A hospital laboratory is not required to have a business associate contract to disclose PHI to a reference laboratory for treatment of the individual.

Alternatively, there could be a situation where two Covered Entities want to work together and share PHI for patients that aren’t being treated by both CEs. In that case, a Covered Entity can also be classified as a Business Associate requiring a Business Associate Agreement between the two organizations.

It is unusual for a Covered Entity to be a BA of another Covered Entity, but it does happen. For instance, two research hospitals might be working together on a research project. They may share PHI in the course of their research. If both CEs aren’t treating the patient, depending on other circumstances, the two hospitals may need a BAA on file

If your situation doesn’t involve caring for the same patient, double check the law and see if you need a Business Associate Agreement.

If you fall into the majority by only sharing PHI with other CEs who are also treating your patient, you should not need a formal agreement drawn up and signed.

How to Prepare For HIPAA Breaches

There are many steps you can take to prepare your organization for a HIPAA breach. If you are proactive, you can mitigate the severity of a breach considerably. And if you have the right policies in place, you can save your practice from large fines and other financial costs. Lets go over the things your practice should do to prepare for a HIPAA breach.

Be Prepared

The first step to handling HIPAA breaches is preparation. Do you have a written policy outlining steps to follow if you suspect or know there is a breach? Your written policy should touch on everything else I will mention below. It should be fairly comprehensive including who is in charge of investigating the breach and how each step will be handled.

Train Your Staff

Writing a plan is not enough, your employees must be taught how to find and follow that plan. During your yearly HIPAA trainings you must review the steps an employee should take if they suspect or know about a breach.

Give Employees A Way To Anonymously Report Breaches

It’s the law that employees should not be afraid of retaliation for reporting a breach. To accomplish this, there must be a way for employees to report breaches anonymously if they feel that they would be retaliated against. You must teach them how to report a breach anonymously during their annual HIPAA trainings.

Teach Your Business Associates To Report Breaches Back To You

Make sure each outside company you do business with that has access to your patients’ data is aware that they must report suspected breaches to you. Make sure your Business Associate Agreements are updated to include who is responsible for contacting patients in the case of a breach. Generally you would want this responsibility to fall on the Business Associate if they cause the breach. This moves most of the liability and cost on to the Business Associate who causes a breach.

As Soon As A Breach Is Known About Or Suspected, Perform A Risk Assessment

After finding out about a breach situation, immediately begin an investigation. Perform a risk assessment to find out what was breached and if any Protected Health Information may have been stolen or lost. Find out what caused the breach so you can remediate any gaps you have in security or policies.

Notify All Affected Parties

You have 60 days from finding out about the breach to notify any patients whose data was breached. You will need to send notices by first class mail (or email if your patients have opted in to receive notices that way) to each patient affected. You will likely be required to provide credit monitoring to the affected patients. You must also notify the Office of Civil Rights about any breaches. If a breach affects fewer than 500 patients, you must notify the OCR within 60 days of the end of the calendar year in which the breach was discovered. If a breach affects 500 or more patients, you must notify the OCR within 60 days of discovery of the breach and you must contact the media and provide them with a press release. Contacting the media allows the affected patients to find out about the potential threat of identity theft more quickly.

Log Everything

If there is a breach. From day one, start logging everything: any discussions you have with employees, any information about the breach, whom you contact, what led to the breach, what you are doing to stop future breaches, etc. Log it all and keep it on hand for the OCR. They will want to see that you acted promptly and did what you could to protect your patients.

OCR Announces Fines for Breaches Affecting Fewer Than 500 Patients

As a HIPAA compliance IT consultant I work with many small dental and medical practices that are affected by HIPAA regulations. For many years, dental practitioners and boutique medical service providers have been able to fly under the radar of the OCR (Office of Civil Rights) and not worry about audits or fines resulting from breaches. However, in 2016 the OCR began to perform random audits of all covered entities and their downstream business associates. And with the new announcement that the OCR will issue fines for breaches affecting 500 or fewer patients, we will see an even bigger focus on HIPAA compliance from these small practices.

Our service offering, PracticeProtect, has seen a recent uptick in sales as more medical service providers are made aware of the dangers of non-compliance. Where practice owners were once unconcerned with the possibility of an audit and thus lax with their security policies, we are now seeing a strong focus on compliance. Many practice owners have spent so long not focusing on compliance that they aren’t aware of just how non-compliant they are. Our first visit with a new client includes an initial HIPAA risk assessment where we cover twenty topics that are usually problem areas for a small practice. We generally find that practices are initially compliant in less than five of those twenty areas.

There are considerable investments in both time and money to become compliant. Many practices have weighed the cost/benefit ratio before and found that the risks weren’t great enough to warrant the investment. But that cost/benefit ratio is changing and I believe more and more practices will be investing in compliance over the next few years.

Read here about the first case where the OCR issued a fine for a breach that affected less than 500 patients. A laptop containing 441 patient medical records was stolen. At the time, the organization that owned the laptop had not performed a HIPAA security risk assessment, nor did they have any policies or practices in place to prevent a breach like this one. Simply encrypting the data on the laptop and password protecting the encryption would have stopped this breach. Because the organization had no procedures in place, the OCR levied a $50,000 fine. Since the breach occurred in 2010, that organization has brought itself into compliance. But they could have avoided the breach and the fine all together if they had been prepared for this. The likely cost of compliance would have been a fraction of the fine they paid.

If you are a small medical or dental practice, let J.J. Micro perform a free HIPAA risk assessment to find out where you stand with HIPAA compliance. There are no strings attached to this risk assessment. You are free to do what you like with the information we provide. We are not government auditors and do not report any security risks to the OCR. We are only here to help you bring your business into compliance.

The Importance of Encryption for HIPAA Compliance

Encryption. . .what does it mean to encrypt something? Why is it important? And why is it particularly important for covered entities and business associates in the health services industry? What can you do to make sure your data is encrypted while it is being transferred from one place to another and while it is at rest on servers and backup drives? These are all questions I am asked regularly when I do initial HIPAA risk assessments and audits. My clients tend to downplay the importance of encryption initially until they fully understand the risks of not encrypting data properly.

Encryption is defined as the translation of data into a secret code. Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. If you were to send a file across the internet in a non-encrypted format, it could be intercepted anywhere along the way and you would have no idea that your data had been breached. Additionally, if you were to store data on a storage device in a non-encrypted format, and that device was lost or stolen, your data would be accessible to anyone. Using encryption nullifies both of those scenarios by only allowing someone with your secret encryption key to decrypt the data and read it.

For the purposes of HIPAA compliance, encryption is absolutely necessary for one particular category of data: protected health information (PHI). This includes patient medical records, personal patient information like phone numbers, addresses, and social security numbers. Encryption of PHI is important for a few reasons. First, and foremost, you have a duty to your patients to keep their personal information safe from unauthorized access. One quick way to lose patients and your practice is to betray patient trust. Additionally, as a covered entity or business associate you are bound by federal law to protect PHI from breach or loss. The Office of Civil Rights has the authority to fine you up to $50,000 per record breached or lost if they deem that you haven’t implemented and followed a good faith HIPAA compliance plan.

email encryptionWhat is a practice to do? How can you be sure your PHI is encrypted? There are three places you’ll want to double check for encryption. During our HIPAA audits we most commonly find that practices aren’t employing encryption when emailing patient health records to other practices or to the patients themselves. This is a fairly easy problem to fix. There are a multitude of available email encryption services such as Virtru, Office 365 Encrypted Email, and Hushmail. These services generally integrate directly into your browser or Microsoft Outlook so that it’s as easy as pressing a button to convert any email into an encrypted email that requires the user at the other end to verify their identity to receive the email.

It is more complicated to find out if the other two categories have HIPAA compliant encryption enabled. These two areas are data stored on devices like servers, desktops, laptops, and mobile phones. And separately, data stored on backup devices and backed up to the cloud. You will want to contact a HIPAA compliant IT specialist to verify that your devices and backup storage is HIPAA compliant. An IT specialist can tell you what level of encryption you are using and whether the encryption is turned on and configured properly. Additionally, in the case of a cloud backup service, the IT specialist can make sure that the cloud provider is HIPAA compliant themselves and is willing to sign a Business Associate Agreement (BAA) for your practice and share some of the liability for storing that sensitive data.

J.J. Micro IT Consulting is available for a free HIPAA risk assessment. During that assessment we will look for proper encryption methods in addition to possible HIPAA compliance issues in the categories of security, privacy, and administrative procedures. Please give us a call at 636-556-0009 to schedule an appointment today.

HIPAA Audits Are Coming To Dental Practices

Starting in February of 2016, the Office of Civil Rights (a division of the US Department of Health and Human Services) began phase 2 of the HIPAA audit program. What does this mean for dental practitioners and other health service providers? What does a health service provider need to do to be prepared for an audit? And what happens if a provider isn’t prepared?

Let’s start with a little bit of history on HIPAA audits. In 2011 the OCR began Phase 1 of the HIPAA audit program. They selected 115 covered entities to audit for HIPAA compliance. A covered entity is defined as:  health plans,health care clearinghouses, and health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. At the time, they weren’t worried about Business Associates or other tangentially related businesses. These audits were very targeted and didn’t affect most health practitioners.

Microsoft Word - Address Verification Email.docx
OCR Sample Contact Letter

Fast forward to 2016 and the OCR has begun Phase 2 of this audit program. Instead of targeting just 115 providers, they are now compiling a comprehensive list of all medical service providers in the United States and will be reaching out to each provider via phone, mail, or email. Click here to view a sample contact letter. Once they add you to their list, they will make contact to find out who your HIPAA compliance officer is and ask for your HIPAA compliance documentation. They will expect you to have comprehensive documentation that generally adds up to somewhere between 50 and 150 (sometimes more) pages of legal documents, policies, training records, and other documentation.

You should already have a binder that contains all of this documentation ready to go. Part of being HIPAA compliant is being able to prove that you are HIPAA compliant. When performing HIPAA risk assessments for our clients, we generally find HIPAA documentation to be lacking or non-existent. If you don’t already have a HIPAA compliance binder, start one today. You’ll need copies of all of your policies surrounding HIPAA, records of employee HIPAA trainings, results of recent and regular internal HIPAA audits, and other documentation. If you don’t know where to start, contact J.J. Micro at 636-556-0009. With our PracticeProtect™ offering, we will help you every step of the way towards full compliance and documentation.

What happens if you are contacted and you aren’t ready for an audit? The OCR will give you 10 business days to respond with your documentation. If they don’t receive your documentation within 10 days, they will schedule a site audit. During a site audit, they will still want to see all of your documentation, but they will also want to interview your employees and look for any potential breeches or lack of documentation. From there, they will begin levying fines based on the severity of potential breeches. Benign issues could be $100 per issue, serious issues can be up to $50,000 per issue.

On average it takes somewhere between three and six months for one of our clients to go through the process of becoming HIPAA compliant. Do not wait until you are contacted by the OCR to begin the process. 10 business days is not enough time to gather all of the information, come up with your own policies, document everything, and provide the proper training for all of your employees. Get started now with PracticeProtect™!