Seminar on HIPAA 2019 | HIPAA Security Risk Assessment | What’s new?

Description:

This two-day seminar will get into the fine details of what we need to do and how to do it.

We will go point by point through the entire HIPAA Security Rule and uncover simple methods to comply and create policy.

The primary goal is to ensure everyone is well educated on what is myth and what is reality with this law, there is so much misleading information all over regarding the do’s and don’ts with HIPAA – I want to add clarity for compliance officers

It will also address major changes under the Omnibus Rule and any other applicable updates for 2018.

Why you Should attend:

Join me in this two day seminar to explore what’s new with HIPAA both from a regulation standpoint (new requirements) and an enforcement standpoint

Omnibus has changed the HIPAA landscape for good!

Do you know all of the requirements of this enigmatic law?

Are you abiding by them?

My goal is to make this extremely complex enigma known as “HIPAA” very easy to understand with a painless step by step approach to an otherwise harrowing task… Times have changed and new laws are now in place concerning protected health information. The best way to protect your practice or business and save yourself future headaches and possible litigation or Federal fines is to be proactive instead of reactive

This once rarely enforced law has changed and you need to know what’s going on!

Protect your practice or business!

Areas Covered in the Session:

Study all 18 Standards and 44 Implementation Specifications of the regulations

Updates for 2019

Requirements of Compliance Officers

New definition of what constitutes protected health information

Real life litigated cases

BYOD

Portable devices

Business associates and the increased burden

Emailing of PHI

Texting of PHI

Federal Audit Process

HIPAA and suing – how this works

Risk Assessment

Who Will Benefit:

Practice managers

Any business associates who work with medical practices or hospitals (i.e. billing companies, transcription companies, IT companies, answering services, home health, coders, attorneys, etc)

MD’s and other medical professionals

Agenda:

Day 1 Schedule

Lecture 1:

HIPAA a Brief History

Lecture 2:

HIPAA Privacy vs Security

Lecture 3:

New definition of what constitutes protected health information

Lecture 4:

HIPAA and the Business Associate

Lecture 5:

Through examination of all 18 Standards and 44 Implementation Specifications of the HIPAA Security Rule and how to apply them

Lecture 6:

How to enforce policy for each standard and implementation specification

Lecture 7:

HIPAA and litigation

Day 2 Schedule

Lecture 1:

The Federal Audit Process and things to be ready for

Lecture 2:

HIPAA and Suing – how this works and examples of real cases

Lecture 3:

Technology and HIPAA – best practices and big “no-no’s”

Lecture 4:

Ransomware, Viruses, bad technology

Lecture 5:

HIPAA Texting and Emailing – myth vs reality

Lecture 6:

Personal Devices and HIPAA

Lecture 7:

HIPAA and the Audit Process

Lecture 8:

How to conduct a HIPAA Security Risk Assessment

Speaker:

Brian L Tuttle

ex-FDA Expert and former Associate Center Director of CDRH

Brian L Tuttle is a Certified Professional in Health IT (CPHIT), Certified HIPAA Professional (CHP), Certified HIPAA Administrator (CHA), Certified Business Resilience Auditor (CBRA), Certified Information Systems Security Professional (CISSP) with over 18 years’ experience in Health IT and Compliance Consulting.

With vast experience in health IT systems (i.e. practice management, EHR systems, imaging, transcription, medical messaging, etc.) as well as over 18 years’ experience in standard Health IT with multiple certifications and hands-on knowledge, Brian serves as compliance consultant and has conducted onsite and remote risk assessments for over 1000 medical practices, hospitals, health departments, insurance plans, and business associates throughout the United States.

Location: Miami, FL Date: April 18th & 19th, 2019 and Time: 9:00 AM to 6:00 PM

Venue: Hyatt Place Miami Airport East, 3549 NW 42nd Ave, Miami, FL 33142, USA

Price:

1 ATTENDEE $2,000, Register for 1 attendee

5 ATTENDEES $10,000, Register for 5 attendees

10 ATTENDEES $20,000, Register for 10 attendees

Until March 10, Early Bird Price: $2,000.00, From March 11 to April 16, Regular Price: $2,200.00

Sponsorship Program benefits for seminar

For More Information

Contact us today!

NetZealous LLC DBA GlobalCompliancePanel

globalcompliancepanel@gmail.com

Toll free: +1-800-447-9407

Phone: +1-510-584-9661

Website:

Registration Link

Like us our Facebook page:

Virtual Seminar on HIPAA Training for Compliance Officer

This 6-hour seminar will be addressing how practice/business managers (or compliance offers) need to get their HIPAA house in order before the imminent audits occur. It will also address major changes under the Omnibus Rule and any other applicable updates for 2018.

Areas also covered will be texting, email, encryption, medical messaging, voice data and risk factors as they relate to IT.

The primary goal is to ensure everyone is well educated on what is myth and what is reality with this law, there is so much misleading information regarding the do’s and don’ts with HIPAA -I want to add clarity for compliance officers and what you guys need to do and how to best implement your HIPAA program based on over 18 years of personal experience working with Federal auditors, state auditors, and corporate auditors.

We will go through multiple scenarios that are commonly faced by compliance officers and how to manage these situations

I will also speak to real life litigated cases I have worked where HIPAA is being used to justify state cases of negligence -THIS IS BECOMING A HUGE RISK!

In addition, this course will cover the highest risk factors for being sued as well as being audited (these two items tend to go hand in hand).

Why you should attend

Join me in this in depth 6-hour seminar where we will get into the nitty-gritty about the roles and responsibilities of a HIPAA Compliance Officer.

Do you have an affective HIPAA compliance program? Do you know what needs to be done to satisfy the requirements?

New laws, funding, and enforcement mean increased risk for both business associates and covered entities – 2017 was a record year for enforcement and fines – 2018 will be no different.

HIPAA Omnibus – Do you know what’s involved and what you need to do?

What does Omnibus mean for covered entities and business associates?

Why should you be concerned?

Court cases that are changing the landscape of HIPAA and patient’s ability to sue!

TRIAL ATTORNEYS ARE MORE DANGEROUS THAN THE FEDERAL GOVERNMENT!!

It is important to understand the new changes going on at Health and Human Services as it relates to enforcement of HIPAA for both covered entities and business associates. You need to know how to avoid being low hanging fruit in terms of audit risk as well as being sued by individuals who have had their PHI wrongfully discloses due to bad IT or internal administrative practices.

Who Will Benefit

Practice Managers
Any Business Associates who work with medical practices or hospitals (i.e. billing companies, transcription companies, IT companies, answering services, home health, coders, attorneys, etc)
MD’s and other medical Professionals

Agenda

Updates for 2019
Requirements of Compliance Officers
New definition of what constitutes protected health information
Real life litigated cases
BYOD
Portable Devices
Business associates and the increased burden
Emailing of PHI
Texting of PHI
Federal Audit Process
HIPAA and suing – how this works
Risk Assessment
Ransomware and how to avoid
What to do when a breach occurs
Best Resources

Speaker Profile

Brian L Tuttle, CPHIT, CHP, CBRA, Net+, A+, CCNA, MCP is a Certified Professional in Health IT (CPHIT), Certified HIPAA Professional (CHP), Certified Business Resilience Auditor (CBRA) with over 15 years’ experience in Health IT and Compliance Consulting. Mr. Tuttle has worked all of those 15 years with MAG Mutual Healthcare Solutions and is now Senior Compliance Consultant and IT Manager with InGauge Healthcare Solutions (previously named MAG Mutual Healthcare Solutions). Almost all of Brian’s clients are earned by referral with little or no advertising. Brian is well known and highly regarded in medical circles throughout the United States .

Click Here to Continue Reading

200+ followers. WOWWWWWW…

Hello Everyone,

Today we have the pleasure of celebrating the fact that we have reached the milestone of 200+ followers on WordPress. Since we started this blog, we have had such a great time connecting with everyone. we never expected to actually to connect with other people in the blogging community.

we are so incredibly thankful for each and every one of you who follows and comments on my blog posts. Please know that!

we would continue our blogging in these areas FDA Regulation, Medical Devices, Drugs and Biologics, Healthcare Compliance, Biotechnology, Clinical Research, Laboratory Compliance, Quality Management ,HIPAA Compliance ,OSHA Compliance, Risk Management, Trade and Logistics Compliance ,Banking and Financial Services, Auditing/Accounting & Tax, Packaging and Labeling, SOX Compliance, Environmental Compliance, Microsoft Excel Spreadsheet, Geology and Mining, Human Resources Compliance, Food Safety Compliance and etc.

Get more article – https://www.globalcompliancepanel.com/freeresources/resource-directory

Please follow us on

Facebook – https://www.facebook.com/TrainingsAtGlobalCompliancePanel

Twitter – https://twitter.com/gcpanel

LinkedIn – https://www.linkedin.com/company/10519587/admin/updates/

Internal Audit Checklist for HIPAA

The internal audit checklist for HIPAA is one of the primary elements of HIPAA implementation. The passage of the Health Insurance Portability and Accountability Act (HIPAA) by the U.S. Congress in 1996 was aimed at regulating the way and process by which healthcare institutions across the country reveal the medical information of their patients.

The Department of Health and Human Services (HHS) is tasked with monitoring the compliance aspect of the law, i.e., it monitors how medical organizations comply with the provisions of HIPAA. In order to ensure that medical organization stay compliant with the provisions of HIPAA; auditors measure these compliance aspects with a checklist when testing companies’ medical data recording processes.

The internal audit checklist for HIPAA, like any other checklist, is a list of do’s and don’ts that a healthcare organization has to look to see if it is complying with its processes relating to medical data sharing and recording. These are the core areas against which auditors prepare and monitor the internal audit checklist for HIPAA:

Analysis and assessment of risk

One of the foremost aspects of the internal audit checklist for HIPAA is the organization’s analysis and assessment of the risk involved in disclosing medical information. Medical organizations of the designated types have to carry these out at regular, periodic intervals in ensuring that they don’t give opportunities for causing data breaches. Since healthcare organizations are involved in collecting, keeping and transferring of medical information; it is necessary for them to keep analyzing and assessing the risk involved in data breaches.

Gap analysis

In this category of internal audit checklist for HIPAA; auditors compare regulatory guidelines to security systems in the corporate sector. The idea is to help the medical organization outline its security requirements vis-a-vis its security infrastructure

Remediation

In this internal audit checklist for HIPAA; the healthcare organization relies on a number of technologies and steps to prevent any breach of data, and to also offset the damage done when a breach happens. The primary tools used in this internal audit checklist for HIPAA include software used for tracking defects, for process reengineering, CRM and a few ERP applications.

Planning for contingencies

An internal audit checklist for HIPAA also includes a set of plans that the healthcare organization has to have to be able to plan for contingencies. A healthcare organization can expect emergencies or disasters from any source, and these can be of any kind. An internal audit checklist for HIPAA should include plans for anticipating and dealing with these.

Personnel policies

The policy a healthcare organization puts in place for its personnel is an important point in the internal audit checklist for HIPAA. It has to decide what kinds of trainings its staff members receive for implementing HIPAA compliance.

click to continue reading

Las Vegas hospitals must follow regular HIPAA privacy rule

Las Vegas hospita.jpg

After natural disasters, HHS sometimes waives certain HIPAA privacy rule requirements. That’s not usually the case after man-made disasters, such as Sunday night’s massacre in Las Vegas, where more than 50 were killed and hundreds were wounded after a gunman opened fire at a music festival.

Because the HIPAA privacy rule already allows information disclosure in certain cases, such as when public safety is threatened, and because there has been no declaration of a public health emergency, HIPAA waivers have not been necessary in this case.

Local hospitals will have to be careful, especially with so many requests for information from families, friends, and the media, said Mark Swearingen, a Hall Render attorney focused on health information privacy and security.

“Hospitals are going to have to be very careful about vetting and authenticating the individuals who might be calling in to make sure that they’re the type of person they can be sharing information with,” he said.

After Hurricane Harvey struck Texas in August, HHS Secretary Dr. Tom Price waived certain HIPAA penalties, which can range from $100 to $50,000 per violation. Providers would not be penalized for failing to giving out notices of privacy practices, for instance, nor would they be hit for not granting a patient the right to request privacy restrictions.

Meanwhile, other provisions of the HIPAA privacy rule were still in effect, including those that allow providers to disclose protected health information to patients’ families or others involved in their care. Other provisions allow providers to give out protected health information—including to law enforcement—if doing so would lessen a threat to those patients or to the public.

Given those rules, “when you have a shooting, the department has taken the position that a waiver isn’t necessary,” said Marcy Wilder, a privacy and cybersecurity lawyer with Hogan and Lovells, noting that no penalties were waived after the 2016 mass shooting that killed 49 people and injured 58 at Orlando’s Pulse nightclub. “The department wants to be careful here, because if you issue a waiver, that becomes a suggestion that without a waiver, these types of disclosures aren’t permitted,” she added.

Swearingen warns that Las Vegas hospitals therefore need to be cautious. “The hospital, I would hope, in this circumstance is going to be fairly guarded.”

What should Entities do to avoid HIPAA fines and penalties?

A look at the nature and numbers of HIPAA breaches over just the couple of years makes stark reading: On the one hand, in terms of numbers; 2016, with about 16 million records breached was a pretty good year compared to the previous year, in which about seven times that number, more than 113 million, were breached. But the bad news is that 2016 saw more Covered Entities reporting breaches than in any other year since the Office of Civil Rights (OCR) started publishing its data on healthcare record breaches.

These huge numbers show that not only is there a big demand for these records in the black market -they are in greater demand than even social security and credit cards -Covered Entities and Business Associates need to all that it takes to avoid HIPAA fines and penalties.

The federal government has not been lax on this aspect. It is being extremely vigilant about protecting healthcare records. It has been consistently urging the HHS to take a serious view of the increased incidence of cyberattacks that has resulted in medical records theft and has suggested many measures towards ensuring this. The fact that there has been a steady increase in the global spending on cybersecurity-related hardware, software, and services and could reach $100 billion in 2020, according to estimates by the International Data Corporation (IDC), suggests the seriousness with which this issue is being viewed not just in the US, but all over the world.

One of the primary requirements that Business Associates need to comply with is adherence to HIPAA mandates regarding the handling and use of health information. This is spelt out in the HITECH Act, a recent update made to overall HIPAA regulations. It is mandatory for a Business Associate to comply with a wide range of regulatory obligations, which include certain privacy obligations, security standards, and breach notification requirements.

However, there is a lot of confusion and misunderstanding among Business Associates about their roles and requirements. They must be completely knowledgeable about all the aspects of their roles, functions and requirements before they enter into agreements of contracts with subcontractors and vendors for their services

Learning about ways of avoiding HIPAA fines and penalties

Jay Hodes, who is President and Founder, Colington Security Consulting, LLC, will be providing thorough understanding of the roles and requirements of a Business Associate and Covered Entities in HIPAA enforcement at a webinar that is being organized by MentorHealth, a leading provider of professional trainings for the healthcare industry. Please visit What should Entities do to avoid HIPAA fines and penalties? to get complete clarity of the ways of avoiding HIPAA fines and penalties.

Clarity on how to avoid HIPAA fines and penalties

The aim of this learning session is to help businesses understand what it means to be a Business Associate and know what required safeguards, policies and procedures must be in place or make sure that their current compliance program is adequate and can withstand government scrutiny.

Jay will highlight the importance of being compliant with the HIPAA requirements for an organization if it has to avoid HIPAA fines and penalties. The ways by which a Business Associate or Covered Entity can provide the appropriate patient rights and controls on its uses and disclosures of Protected Health Information (PHI) and what all it has to have in place for doing so, will all be explained.

He will cover the following areas at this session:

Why was HIPAA created?
Who Must Comply with HIPAA Requirements?
What are the HIPAA Security and Privacy Rules?
What are the Consequences of being a Business Associate
What is a HIPAA Compliance Program for a Business Associate?
What is a HIPAA Risk Management Plan?
What is a HIPAA Risk Assessment?
What is the Role of the HIPAA Security Official?
What are HIPAA training requirements?
What is a HIPAA data breach and what happens if it occurs?
What are the penalties and fines for non-compliance and how to avoid them
Case Examples of HIPAA Data Breaches
Creating a Culture of Compliance
Q&A.

Hurricane Harvey HIPAA Reminder

Disasters, which can ultimately lead to a data breach, come in various forms – natural, man-made and technical. HIPAA, the HITECH Act, the Federal Trade Commission and the Securities and Exchange Commission are just a handful of entities requiring that the confidentiality, integrity and availability of the sensitive information (e.g., protected health information (PHI) and personally identifiable information (PII)) remain intact. Although federal HIPAA has distinct categories (e.g., covered entity, business associate, and subcontractor), other state or federal government entities use “covered entity” to mean any person that creates, receives, maintains or transmits PHI or PII.

HIPAA sets forth three main categories of safeguards: administrative, physical, and technical safeguards. Often times, these categories overlap. For example, the administrative requirement of a sanction policy compliments the physical requirement of two-factor identification for building access.

Below are a couple of select sections from the Code of Federal Regulations (CFR), which organizations should be particularly vigilant about in relation to disasters.

•45 CFR §164.310 (Physical) – requires that policies and procedures for facility access in order to restore lost data under the disaster recovery and emergency access plan.

•45 CFR §164.308 (Administrative Safeguards) – multiple requirements are set forth under this particular section of the CFR. For example:

•Security management process

•Annual risk analysis

•Information activity review

•Workforce clearance procedure

•Security awareness training

•Contingency plan

Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research.

The Value and Importance of Health Information Privacy

Ethical health research and privacy protections both provide valuable benefits to society. Health research is vital to improving human health and health care. Protecting patients involved in research from harm and preserving their rights is essential to ethical research. The primary justification for protecting personal privacy is to protect the interests of individuals. In contrast, the primary justification for collecting personally identifiable health information for health research is to benefit society. But it is important to stress that privacy also has value at the societal level, because it permits complex activities, including research and public health activities to be carried out in ways that protect individuals’ dignity. At the same time, health research can benefit individuals, for example, when it facilitates access to new therapies, improved diagnostics, and more effective ways to prevent illness and deliver care.

The intent of this chapter¹ is to define privacy and to delineate its importance to individuals and society as a whole. The value and importance of health research will be addressed in Chapter 3.

CONCEPTS AND VALUE OF PRIVACY

Definitions

Privacy has deep historical roots (reviewed by Pritts, 2008; Westin, 1967), but because of its complexity, privacy has proven difficult to define and has been the subject of extensive, and often heated, debate by philosophers, sociologists, and legal scholars. The term “privacy” is used frequently, yet there is no universally accepted definition of the term, and confusion persists over the meaning, value, and scope of the concept of privacy. At its core, privacy is experienced on a personal level and often means different things to different people (reviewed by Lowrance, 1997; Pritts, 2008). In modern society, the term is used to denote different, but overlapping, concepts such as the right to bodily integrity or to be free from intrusive searches or surveillance. The concept of privacy is also context specific, and acquires a different meaning depending on the stated reasons for the information being gathered, the intentions of the parties involved, as well as the politics, convention and cultural expectations (Nissenbaum, 2004; NRC, 2007b).

Our report, and the Privacy Rule itself, are concerned with health informational privacy. In the context of personal information, concepts of privacy are closely intertwined with those of confidentiality and security. However, although privacy is often used interchangeably with the terms “confidentiality” and “security,” they have distinct meanings.Privacy addresses the question of who has access to personal information and under what conditions. Privacy is concerned with the collection, storage, and use of personal information, and examines whether data can be collected in the first place, as well as the justifications, if any, under which data collected for one purpose can be used for another (secondary)² purpose. An important issue in privacy analysis is whether the individual has authorized particular uses of his or her personal information (Westin, 1967).

Confidentiality safeguards information that is gathered in the context of an intimate relationship. It addresses the issue of how to keep information exchanged in that relationship from being disclosed to third parties (Westin, 1976). Confidentiality, for example, prevents physicians from disclosing information shared with them by a patient in the course of a physician–patient relationship. Unauthorized or inadvertent disclosures of data gained as part of an intimate relationship are breaches of confidentiality (Gostin and Hodge, 2002; NBAC, 2001).

Hipaa—Should I Be Worried?

This ongoing column is dedicated to providing information to our readers on managing legal risks associated with medical practice. We invite questions from our readers. The answers are provided by PRMS, Inc. a manager of medical professional liability insurance programs with services that include risk management consultation, education and onsite risk management audits, and other resources to healthcare providers to help improve patient outcomes and reduce professional liability risk. The answers published in this column represent those of only one risk management consulting company. Other risk management consulting companies or insurance carriers may provide different advice, and readers should take this into consideration. The information in this column does not constitute legal advice. For legal advice, contact your personal attorney. Note: The information and recommendations in this article are applicable to physicians and other healthcare professionals so “clinician” is used to indicate all treatment team members.

QUESTION

I have been hearing about the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for years, but I have not heard of very much enforcement by the government. Do I really need to be concerned about being found liable for HIPAA violations?

ANSWER

Yes. While it is true that the federal government’s enforcement of HIPAA’s Privacy and Security Rules has been limited in the past, this will no longer be true in the future.

OVERVIEW OF HIPAA ENFORCEMENT

Healthcare providers required to comply with HIPAA, a federal statute, are subject to enforcement actions for violations of the Privacy Rule¹ and the Security Rule,² federal regulations enacted under the HIPAA statute. The Office for Civil Rights (OCR), an agency within the Department of Health and Human Services, is responsible for civil enforcement of the Privacy Rule and the Security Rule. OCR can impose civil monetary penalties on covered entities up to $50,000 or more per violation, with an annual cap of $1.5 million for identical violations. The Department of Justice (DOJ) is responsible for the investigation and prosecution of criminal violations of the HIPAA regulations. Under HIPAA, the maximum criminal penalties are $250,000 and 10 years imprisonment.

New HIPAA rules: Make sure you are in compliance because your liability has increased

Healthcare providers have until September 23 to put into place internal policies and procedures needed to comply with sweeping changes coming to the Health Insurance Portability and Accountability Act (HIPAA).

In January, the U.S. Department of Health and Human Services (HHS) released a set of rules, known collectively as the omnibus rule, designed to supplement and modify the privacy, security, breach notification, and enforcement rules governing patient health information in HIPAA. HHS has made it clear that the September 23 compliance deadline is final. Penalties can range from $100 to $1.5 million depending on the violation.

For primary care and other physicians in private practice, compliance will mean:

conducting and documenting a risk analysis, which HHS defines as “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability” of electronic protected health information (PHI) in your practice;
reviewing the practice’s policies and procedures for when PHI is lost or stolen or otherwise improperly disclosed, and making sure your staff members are trained in them;
ensuring that the electronic PHI your practice holds is encrypted so that it cannot be accessed if it is lost or stolen (see “Encrypting your patients’ health information”);
modifying the practice’s electronic health record (EHR) system so that you can flag information a patient does not want shared with an insurance company;
having the ability to send patients their health information in an electronic format;
reviewing your contracts with any vendors that have access to your practice’s PHI; and
updating your practice’s notice of privacy practices.

Other provisions

Other provisions of the omnibus rule include restrictions on selling PHI or using it for marketing and fundraising purposes without obtaining the patient’s permission and loosening some of the restrictions on sharing PHI with family members or other caregivers of deceased patients. Disclosure is only permitted, however, to the extent that the PHI is relevant to the role the family member or caregiver played in the decedent’s treatment. Moreover, release is not permitted in cases in which the individual expressly stated before death that he or she did not want the PHI released.

The omnibus rule also permits doctors in states with compulsory vaccination laws to disclose a child’s immunization records to schools without obtaining formal authorization from parents. Physicians now can do so with only a verbal agreement, provided they document that they obtained the permission. Lastly, the rule prohibits health plans from using or disclosing genetic information for the purpose of insurance underwriting.

The rule also sets and describes the four categories of penalties for violating the rules and the dollar amounts for each.

The omnibus rule is the latest step in a process that began when Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009. Among other provisions, the HITECH Act required HHS to strengthen HIPAA’s privacy and security protections for health information. HHS adopted interim rules for doing so in 2010 and finalized the rules with adoption of the omnibus rule.

Growth in EHRs drive changes

Driving many of the changes in the omnibus rule is the proliferation of EHRs and the accompanying digitization of patient information, says Jeffrey J. Cain, MD, FAAFP, president of the American Academy of Family Physicians (AAFP).

“The [original] HIPAA legislation is 15 years old now and was enacted at a time when EHRs were nothing more than a gleam in Microsoft’s eye, but now everyone’s using them, and the rules were seen to be in need of tightening up,” he says.

Angela Dinh Rose, director of health information management excellence for the American Health Information Management Association, says, “HITECH was a huge factor in pushing the adoption of health information technology, so along with that, Congress saw the need for improved privacy and security practices to protect patient information now that so much of it is becoming electronic.”

According to a study of breaches reported on the HHS Web site by Kaufman Rossin & Co., an accounting and consulting firm based in Miami, Florida, the number of individuals affected by data breaches doubled from 2010 to 2011, even though the number of entities involved in a breach declined (see “Summary of health breach information reported to HHS, 2010 to 2011,” below). The largest cause of breaches was theft (53%), followed by unauthorized access (20%) and loss (14%).

New rules for data breaches

The changes likely to have the greatest effect on medical practices are those concerning how PHI should be secured and kept private and what practices must do in case of a breach—meaning the PHI is lost, stolen, or otherwise made available to someone who should not have it. Why? Whereas before the omnibus rule, breaches only had to be reported if they involved a “significant risk of harm,” now the presumption is that virtually any unauthorized disclosure of PHI may be a breach, unless the practice can demonstrate a low probability that the information has been compromised, explains Kenneth Rashbaum, JD, a health law attorney with Rashbaum Associates in New York, New York.

“These changes are a big deal because the standard [of what constitutes a reportable breach] is much lower, and as a result there’s now a presumption of harm to the patient by virtue of the breah by the entity that made the disclosures,” Rashbaum says.

Given the new standard, the most important action practices can take to protect themselves against penalties, experts emphasize, is to encrypt patient data, both within the practice itself and when they are taken outside the practice in a laptop computer, smartphone, or other portable device. Why? “In the [omnibus] rule now, they’re defining a breach as the loss of unsecured PHI,” explains Juli A. Ochs, CPA, healthcare engagement director for the consulting and accounting firm CliftonLarsonAllen LLP. “So anything that renders the data ‘unusable, unreadable, or undecipherable’ is now not considered a breach.” (See “Encrypting your patient’s health information” below for suggestions on how to encrypt data in a way that meets HHS requirements.)

Determining risk of harm

Whenever a breach does occur, it is presumed to be reportable to HHS unless the practice can demonstrate a low risk of probability that the PHI will be compromised, meaning that anyone will be harmed as a result. Demonstrating the risk contains four components:

The nature and extent of the data involved. “Was the information just a list of patients? Did it include identifying data like Social Security numbers or other financial information? Were there intimate medical or psychotherapy records? Those are the types of questions that need to be asked,” says Aldo Leiva, JD, a data security and privacy attorney in Coral Gables, Florida.
The unauthorized person who used the PHI or to whom it was disclosed (something you can’t know if the breach resulted from a device being lost or stolen).
Whether the PHI was actually acquired or viewed.
The extent to which the risk has been mitigated after the fact. An example, Leiva says, might be having a contractor to whom the PHI accidentally was sent sign a non-disclosure agreement.

In addition, the rule requires practices to notify patients whose PHI has been breached within 60 days of discovery of the breach. If the breach affects more than 500 patients, then HHS and the local news media must be notified within the same 60-day timeframe. Practices must keep a log of all breaches regardless of the number of patients affected, and they must submit the log annually to HHS.

Another requirement of the rule is that practices and other covered entities conduct a risk analysis. The purpose of the exercise is to discover where the practice might be vulnerable to having its patient information lost or stolen—through theft of a laptop computer on which data are stored, for example—and putting in place policies and procedures to reduce those vulnerabilities.

“People get overwhelmed by this, because they think it needs to be a formal process,” Ochs says, “but it can be just everyone in the practice sitting down to talk about where are we vulnerable, assessing the risk of each vulnerability, deciding how to address it, and then documenting that they’ve gone through the process.”

In addition, practices should appoint a privacy and security officer with the responsibility for making sure the practice has policies and procedures for complying with the rules and that staff members are trained in them. Practices can—and often do—assign the responsibilities to a current employee rather than hire someone new, Ochs says. “The main thing is just that it’s assigned,” she adds.

Violators of the privacy and security rules will be fined in amounts ranging from $100 to $50,000 per violation (see “HIPAA rule violation categories and penalty amounts”). The maximum a practice or other covered entity can be fined in a year is $1.5 million.

Relations with business associates

After changes to the PHI security and breach notification rules, the omnibus rule changes of greatest interest to practices are those affecting their relationships with “business associates,” vendors that have access to a practice’s PHI. Such vendors are now directly responsible to HHS for securing and guarding the privacy of PHI in the same way that practices are, and they are subject to the same penalties.

“Before [the omnibus rule], physicians and medical organizations might be protecting patient data the way they were supposed to, but their third-party providers were not obligated except under the terms of their contract with the providers,” notes Jorge Rey, CISA, CISM, director of security and compliance for Kaufman, Rossin & Co. “Now the rules say that if you have access to patient healthcare-related information, you need to comply with all the privacy requirements.” The rule also puts subcontractors to practice vendors under HHS jurisdiction.

The increased responsibility of business associates does not let doctors off the hook entirely. That’s because even if the business associate loses PHI or has it stolen, the medical practice ultimately is responsible for notifying affected patients and reporting the breach to HHS.

Leiva notes that many health information technology (HIT) vendors and consultants include boilerplate language in their contracts absolving them from liability for data loss. Consequently, he advises reviewing all contracts with HIT vendors to ensure that their wording conforms with the omnibus rules governing relations between covered entities and their business associates. (A sample business associate agreement is available from the government at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contr…)

Greater patient control

The third part of the omnibus rule affecting doctors’ practices concerns patients’ rights related to their own health information.

The rules gives patients the right to:

obtain copies of their health information in an electronic format within 30 days of requesting it, with one 30-day extension permitted, and
instruct his or her doctor not to share information about a test or treatment for which the patient has paid out-of-pocket with his or her insurance company.

In addition, the rule requires practices to update their notice-of-privacy practices (NPPs) to reflect the changes to patients’ rights included in the omnibus rule and requires sending the updated NPP to all patients and posting it prominently in the practice and on the practice’s Web site.

Complying with the changes likely will be challenging for doctors due to the limitations of EHR systems. “EHRs were designed so that you could share information easily between healthcare providers and insurance providers,” notes the AAFP’s Cain. “Now we have this law saying that if a patient pays cash, the condition won’t be revealed to insurance providers, which is problematic for the way most EHRs are built.”

The design of EHRs also makes it difficult to share information with individuals who don’t have EHRs, Cain notes. “That’s going to be a problem and something the vendors will have to help us with,” he says.

In the meantime, possible alternatives include joining a private health information exchange network or a one of the regional or statewide networks many states are establishing. Regional extension centers and state and local medical societies are good sources of information about health information exchange networks.

Doctors should ask their EHR vendors about a timetable for implementing a function that allows them to meet the requirement by the September 23 deadline, advises Lisa Gallagher, CISM, vice president of technology solutions for the Healthcare Information and Management Systems Society. If a vendor won’t be ready to provide such a feature, then the practice will have to still find a way to meet the requirement, maybe through a different way of recording the patient’s data until the function is available, Gallagher says.

“Sometimes regulatory requirements are misaligned,” she adds. “What’s happened here is the requirement for the provider to do something, and the requirement hasn’t made its way down to the vendor. But the important thing for everyone to realize is that HHS has said this requirement is going into effect and you have to meet it.”

Cain says that most AAFP members understand the need to provide patients with greater control over who can see their information and the need to guard confidentiality generally. Nevertheless, “it does add another layer of administrative complexity to managing an office practice,” he says.

“All the rules are well-intentioned, but they may interact in ways that aren’t understood when they are developed,” Cain adds. “The law of unintended consequences is challenging for office-based physicians.”

What would you like to know about HIPAA? Post your questions to our Facebook page at www.facebook.com/MedicalEconomics or email us at medec@advanstar.com. We’ll present answers in future articles.

HIPAA rule violation categories and penalty amounts

The Health Insurance Portability and Accountability Act omnibus rule establishes four “tiers” of violations, based on what it terms “increasing levels of culpability,” with a rage of fines for each tier.

Violations of the same requirement or prohibition for any of the categories are limited to $1.5 million per calendar year.

The language of the rule states that actual dollar amounts will be based on “the nature and extent of the violation, the nature and extent of the resulting harm, and other factors…includ[ing] both the financial condition and size of the covered entity or business associate.”

	Robert Smith on To understand AI advancements…
	Sarah Francoise on ISO 14001 internal audit
	ilonapulianauskaite on The FDA Drug Development …
	globalriskinvestigat… on How is Risk Management Importa…
	globalriskinvestigat… on Benefits of Risk Management in…