The Compliance INSIDER

Accessing and Disclosing Information: Are You Adhering to the Minimum Necessary Standard?

When our team of experts here at HCP are offsite visiting healthcare facilities they are often asked questions by clients about how they can ensure their employees are adhering to the minimum necessary standards when accessing and disclosing...

HIPAA Privacy Rule – Understanding Health Oversight Disclosures

At Healthcare Compliance Pros, we occasionally receive questions about disclosures for health oversight purposes. Health oversight can include disclosures for a variety of...

Understanding the Importance of Medical Decision Making

The Centers for Medicare & Medicaid Services (CMS) have been voicing their concerns and seeking public comments regarding the current evaluation and management (E/M) documentation guidelines. CMS understands that the current guidelines are...

2018 Promoting Interoperability Facts

In 2017, most healthcare organizations were very familiar with the Advancing Care Information (ACI) category under the Merit-based Incentive Payment System (MIPS). And we became very familiar with the ACI acronym. Fast forward to 2018. CMS has...

What Happened with Johnny Athlete!?

We shared the following scenario in one of our recent presentations.  As you read the following scenario, think about the following questions: Have you ever experienced some of the issues mentioned in the scenario? What policies and...

OCR Director Offers Clues About Potential Changes to HIPAA

Potential HIPAA Updates: During the recent HIPAA Summit, the Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced three potential HIPAA updates. Prior to making any changes, OCR is planning on...

If a Business Closes, Are You Still Subject to HIPAA Rules?

In a recent settlement with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), a receiver appointed to liquidate the assets of Filefax, Inc. agreed to pay $100,000 for potential violations of the HIPAA Privacy...

5 Best Practices for your Security Risk Analysis

We are occasionally asked questions about the security risk analysis (SRA) process.  Why can't we use a checklist we found on the internet? Why do we need an action plan? Shouldn't any areas that need improvement be addressed...

$3.5 Million Settlement for Failure to Follow HIPAA Requirements

Failure to perform a Security Risk Analysis and adopt a comprehensive corrective action plan resulted in a covered entity agreeing to pay $3.5 million to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR)....

"Ouch!" What to do in the Event of a Needle-stick

"Ouch!" could be heard coming from the exam room. A medical assistant accidentally stuck herself with a needle after performing a blood draw. When...

A Breach Can Be Good Medicine

Are you among the lucky healthcare providers who have never experienced a "Breach" of Protected Health Information (PHI)?  You have run such a tight ship that a "Breach" has never occurred and that makes you feel relaxed...

Posting with Caution: The DO's and DON'Ts of Social Media and HIPAA Compliance

Social media is used by 74% of Internet users and 80% of people using social media actually use it to research doctors, hospitals, and medical news and information. Social Media can be an extremely powerful tool for communicating general...

Policies and Procedures: Critical for Healthcare Organizations

In the healthcare industry, written and implemented policies and procedures should help an organization and its employees make decisions, take the appropriate action, and ensure activities are in compliance with laws. Policies and procedures are...

Have You Completed Your 2017 SRA?

It's that time of year again. The weather is turning cold, the holidays are right around the corner and before you know it, we're going to be ringing in a new year. This also means you only have a few short weeks to complete your Security...

Clean Out Your Refrigerator and Perform a Walkthrough

Did you know that November 15th is National Clean out Your Refrigerator Day? If a task such as cleaning out the refrigerator deserves a special day, what about a task such as performing a HIPAA walkthrough?  With 2018 less than a month away,...

How to Safely Use Social Media in Your Practice

So far in this series, we've concentrated on the "do nots" and potential dangers of social media. But with Facebook boasting more than 1.8 billion monthly users and Twitter having upwards of 300 million active users, it would be a...

CMS Announces MIPS Milestone

According to the CMS announcement, it is not too late to participate in the first year – the transition year – of the Merit-Based Incentive Payment System (MIPS). With their announcement CMS appears to be giving a hint that the best...

Be Prepared: In the Event of a Hurricane or other Adverse Weather Conditions

Following Governor Rick Scott's State of Emergency Declaration, I anxiously watched the news and tracked Hurricane Irma's progress. I wondered if there was a chance Hurricane Irma would turn harmlessly to sea. Once it was evident our...

Hurricane Harvey & Irma's Impact on Certain Provisions of the HIPAA Privacy Rule

The HHS Office of Civil Rights (OCR) recently announced that Secretary Tom Price, M.D., declared a public health emergency in Texas, Louisiana, and Florida and has exercised the authority to waive sanctions and penalties against a Texas,...

Guidance on Privacy Rule and Mental Health Information

According to the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) guidance on HIPAA Privacy Rule and Sharing Information Related to Mental Health, there are times when it is appropriate for a health care provider to...

Asking for Date of Birth at the Front Desk?

Compliance Q&A:  Can we ask a patient their date of birth at the front desk while checking them in? Law:  The HIPAA Privacy Rule does not prohibit covered entities from engaging in common and important health care practices; nor does it...

First Settlement Involving a Wireless Health Services Provider is a Big One!

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), recently announced the first HIPAA settlement involving a wireless health services provider, and it is a big one. The wireless services provider agreed to the settlement by...

The HIPAA Dilemma: With All There Is To Do…..What Should I Do?

There are just a few requirements in the statutes, like too many to count along with various interpretations and opinions.  The Federal Government is famous for many things, but specificity is not one of them.  So maybe you got the...

NICS Disclosures Final Rule Nullified

Just last year, HHS issued a final rule modifying the HIPAA Privacy Rule to expressly permit certain, but not all, HIPAA covered entities to disclose the identities of individuals who are subject to a federal mental health...

Failure to Comply with HIPAA Rules Results in Costly Civil Monetary Penalty

Imagine your practice filed a breach report with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) – a few years ago – regarding the loss of a smartphone that contained unsecured electronic protected...

Top 5 Reasons Why Healthcare Organizations Are Not HIPAA Compliant

Given that HIPAA was first enacted in 1996, healthcare professionals have had 21 years to perfectly design, implement, and execute compliance plans.  However, the reality for most organizations is that HIPAA compliance is still a work in...

HHS Guidance on HIPAA, Same-sex Marriage and Patients' Loved Ones

The U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) recently published "Guidance on HIPAA, Same-sex Marriage, and Sharing Information with Patients' Loved Ones." The new FAQ OCR issued was developed in...

First HIPAA settlement based on untimely reporting involved hard copy PHI

Occasionally we answer questions regarding what constitutes a reportable breach. Questions such as: Isn't it only a reportable breach if the incident involves electronic protected health information (ePHI)? What about paper? Should these...

Breach Notification Deadline is Just Around the Corner

The deadline for submitting notice of a breach affecting fewer than 500 individuals is just around the corner. If a breach of unsecured protected health information affects fewer than 500 individuals, a covered entity must notify the Secretary of...

Assess Your HIPAA Security Risk Analysis Knowledge

Answer the three questions below to assess your knowledge about HIPAA Security Risk Analysis. The answers to the questions are listed in three short paragraphs following the true or false assessment. True or False:  My EHR vendor already...

Largest Settlement to Date Demonstrates Importance of Compliance

Last year, we saw one of the largest settlements to date. As a result of the settlement, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) reiterated the importance of compliance with HIPAA Security Rule...

Malware Infection Results in a $650,000 Settlement

Just recently it was announced that a potential HIPAA Privacy Rule and Security Rule violation led a major organization to pay a substantial settlement of $650,000. The breach was reported to the U.S. Department of Health and Human Services (HHS), Office...

Can We Release Records to the Parents of a Deceased Adult patient?

Imagine you work for a practice and you receive a request for medical records from the parents of an adult patient who died.  The patient (their son) did not have a power of attorney assigned.  Under HIPAA are you permitted to release...

MACRA Final Rule Published Sooner Than Expected

Some experts believed the Final Rule of the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) would be published on or about November 1st, 2016, while others expected the MACRA rule to be slightly delayed. The Department of Health &...

The importance of a Security Risk Analysis and Corrective Action Plan

Conducting and reviewing a security risk analysis (SRA) is perhaps one of the most important HIPAA requirements and Meaningful Use requirements your organization will undertake.  An SRA is an ongoing process of continual improvements your...

Important Notice: OCR has sent out emails to 167 selected entities

According to a July 12, 2016 OCR announcement, the Phase Two of OCR's HIPAA audit program, "has officially kicked into high gear."  If you were a covered entity selected for the desk audit portion of the audit program, you...

Is Painkiller Education on the Horizon?

It was recently reported that toxicology tests for Prince concluded that the entertainer died from an accidental overdose of the opioid fentanyl, according to a report on his death by the Midwest Medical Examiner's Office. High profile...

Phase 2 of the OCR Audit Program – It's underway and you Might be on the list…

As promised, Phase 2 of OCR's audit program is underway.  If you receive a request from OCR to verify contact information, a request to complete a screening questionnaire, or are actually selected for the audit, a timely response is...

HIPAA poem

Once a breach has been discovered and defined Here are steps you should take to help to ease your mind. The breach must now be "logged" just right If you want to sleep at night. It's not really all that complicated It requires a...

$750,000 Settlement for failing to execute a HIPAA Business Associate Agreement

The HHS Office for Civil Rights (OCR) recently announced that Raleigh Orthopaedic Clinic, P.A. (Raleigh Orthopaedic) of North Carolina has agreed to pay a settlement of $750,000 to settle potential HIPAA Privacy Rule violations.  Raleigh...

OIG Update Demonstrates Importance of Checking for Excluded Individuals

Recently, the Office of Inspector General (OIG) updated the policy statement regarding non-binding criteria to be used when assessing whether to impose exclusion from Federal healthcare programs.  In addition, the OIG introduced a "Risk...

Beware of Wolves in Sheep's clothing: Don't share your online presence!

Should I provide a list of my usernames, passwords and websites I visit? Imagine you receive an email asking you to please share your usernames, passwords and sites you frequently visit.   The email includes a list that appears to be...

A HIPAA Poem

If you are stricken, terrified, and think you have a BREACH Here's a little guideline.  Just keep it within reach Wherever information went, WAS IT PHI? If it was, you have a BREACH, but do not start to cry. Here's a second question,...

Help! We've experienced a breach! What Next?

Just recently, Feinstein Institute for Medical Research agreed to a settlement in the amount of $3.9 million dollars, and to undertake a substantial corrective action plan to bring operations into compliance. The cause of the breach was a stolen...

California Hospitals Hacked and Ransom Demanded

Just recently, two Southern California hospitals were attacked by hackers who infiltrated their computer systems with ransomware and demanded payment to unlock the data.  According to the report, Chino Valley Medical Center in Chino and...

CMS Acting Administrator Provides EHR Incentive Programs update

Recently, Andy Slavitt, Acting Administrator, Centers for Medicare and Medicaid Services (CMS) and Dr. Karen DeSalvo, the Acting Assistant Secretary for Health in the U.S. Department of Health and Human Services (HHS) published an important...

Breach Notification Deadline is Just Around the Corner

The deadline for submitting notice of a breach affecting fewer than 500 individuals is just around the corner.  If a breach of unsecured protected health information affects fewer than 500 individuals, a covered entity must notify the...

Will you be prepared for 2016 HIPAA Audits?

This year, the Office for Civil Rights (OCR) has an increase in their budget to support their audit program as mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act. According to the OCR, the audit program...

Entities Subject to NICS Disclosures under the Final Rule

Because we are expecting further clarification from HHS regarding this modification to the final rule to be released,  this initial summary will only focus on facts taken from the final rule regarding "Entities Subject to the...

Digital Dark Matter Black Holes in Health Information Storage

In astronomy terms, the exact nature of dark matter is not well understood, but it may be largely composed of varieties of particles that have not yet been discovered, in addition to missing mass.  Astronomers estimate dark matter makes up...

$850,000 HIPAA Settlement Demonstrates Importance of Medical Device Safeguards

HHS recently announced that Lahey Hospital and Medical Center (Lahey) has agreed to pay $850,000 and will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program. According to the HHS announcement, Lahey...

OIG Alert: Information Blocking and Federal Anti-Kickback Statute

The Office of Inspector General (OIG) recently issued an "OIG Policy Reminder" regarding Information Blocking and the Federal Anti-Kickback Statute.  Specifically, the reminder is intended to remind us how "information...

Cybersecurity Awareness

As healthcare professionals, it's a good time to take a closer look at our cybersecurity practices as they relate to protected health information (PHI).  Are we doing all we can do to safeguard electronic protected health information...

Modified Stage 2 Meaningful Use Overview

CMS recently announced modifications to the EHR Incentive Programs in 2015 through 2017 (Modified Stage 2). Modifications include changes to the objectives and measures of Stage 1 and Stage 2 to align with Stage 3 Meaningful Use. Starting in 2015,...

Question regarding Business Associate Agreements

We were recently asked a question by one of our clients regarding their Business Associate Agreements (BAAs). Below is the question we were asked and our response. Question Does your BAA conform to all updates to the law? Are we in compliance...

HHS settlement demonstrates importance of risk analysis

For some healthcare providers and organizations there is an "it won't happen to me" belief that gives them a false sense of security.  Completing a risk analysis is something that generally isn't a priority for these...

NIST releases How to Guide for securing electronic health records on Mobile Devices

Just last week, the National Institute of Standards and Technology's (NIST) National Cybersecurity Center of Excellence (NCCoE) released a draft guide that demonstrates how health care providers can make mobile devices, such as...

UCLA and CVS two of the latest victims of cyber-attacks

The medical industry is historically one sector of industry that has benefited most from the introduction of technology. But what is the downside – what about cyber-attacks? No matter what kind of attack, it is important to acknowledge that...

Lessons Learned Article Series – Breaches Risks Outages Part 2

#LessonsLearned Article Series: Breaches and Risks and Outages, Oh My! In part one of the article series we discussed electronic communications, including the use of third party email providers such as Google and Hotmail. In this second and final...

Mind your P's and Q's and follow P and P's

There are several different theories as to the origin of the phrase Mind Your P's And Q's. One explanation suggests that this phrase would be used by parents to educate their children to not forget to use those polite words when they...

ONC Releases June 2015 Data Brief

The June 2015 Office of the National Coordinator (ONC) for Health Information Technology Data Brief marks the 27th time such a brief has been published by ONC. We thoroughly reviewed the data brief and want to share two important pieces of...

Smile! You're on Candid Camera… Texting Messages and Photos in Patient Care

Over 80% of providers surveyed by the Ponemon Institute admit that they text patient health information insecurely from their mobile devices. Providers report that texting is felt to be more efficient than any other electronic communication...

Part 5: 3 Best Practices to ensure the Privacy and Security of PHI

Whether you are an administrator of a large healthcare organization, a medical assistant of a small medical practice, or a healthcare provider working out of multiple locations; under HIPAA, we all have a responsibility to ensure the privacy and...

Part 4: HIPAA Provides the Framework and We must act to prevent a Cyber-Attack

It was recently reported that cyber-attacks against doctors and hospitals are on the rise. These cyber-attacks are costly at over $6 billion per year for the U.S. healthcare industry. According to a report by the Ponemon Institute: In just five...

Part 3: Mobile Device(s) Policy and Procedures

Imagine you are a compliance officer for an average size medical practice. Recently, your practice has transitioned to a cloud-based electronic health record (EHR) platform. The medical providers are happy for the ease of access from mobile...

Part 2: Permissible Disclosures under the HIPAA Privacy Rule

Last week, in the first part of our multi-part HIPAA article series, we said that under the Privacy Rule policies and procedures must be in place to ensure that patient health...

Clearing up the Confusion: A Multi-Part HIPAA Series

by: Chad Schiffman, MHA, MSHI @Chad_HCA Last week while attending a conference I was asked about my responsibilities as a Compliance Specialist Manager.  I briefly provided an overview, and discussed how keeping up-to-date with rules and...

We now offer Payment Card Industry (PCI) Security Awareness Training

We were recently asked if we provide Payment Card Industry (PCI) Security Awareness Training.  In response to this request, we are excited to announce Healthcare Compliance Pros has launched our Payment Card Industry (PCI) Security Awareness...

Question about an employee who is also a patient of the practice

Recently a question was asked about an employee who is also a patient of the practice: Under HIPAA, what is the obligation of an upper level administrative employee to report their medical condition to their employer?   If the employee...

Proposed Stage 3 Meaningful Use Rules announced by HHS

Interoperability of EHRs is a major focus of Stage 3 meaningful use and the 2015 Edition Health IT Certification Criteria.  "The flow of information is fundamental to achieving a health system that delivers better care, smarter...

Are you prepared for a Meaningful Use Audit?

CMS and the Office of Inspector General (OIG) have taken steps to audit how providers are meeting meaningful use requirements. Approximately 5 to 10 percent of all meaningful use participants are being audited; however, this number may rise. CMS...

Security Risk Analysis is important for HIPAA and Meaningful Use

Conducting and reviewing a security risk analysis (SRA) is perhaps one of the most important HIPAA and Meaningful Use requirements your organization will undertake. An SRA is an ongoing process of continual improvements your organization should...

Breach Notification Requirements – Questions and Answers

The deadline for submitting notice of a breach affecting fewer than 500 individuals is less than one month away. If a breach of unsecured protected health information affects fewer than 500 individuals, a covered entity must notify the Secretary...

5 Compliance Tips for 2015 and beyond

Understandably, the first of the year presents its fair share of challenges for health care professionals and organizations.  For many of us, especially during the first of the year, it is easier to keep tabs on our day-to-day duties, and...

Proposed National Standard for Data Breach Notification

Will the Personal Data Notification and Protection Act impact current breach notification requirements? President Obama is calling for a national standard for data breach notification. The proposed standard will require notification to customers...

Health IT Plan focuses on better sharing through interoperability

Last week, the U.S. Department of Health and Human Services' Office of the National Coordinator for Health Information Technology (ONC) issued the Federal Health IT Strategic Plan 2015-2020. The Strategic Plan is currently open for a 60 day comment...

Data brief reveals top reasons for EHR adoption

A data brief released by the Office of the National Coordinator for Health IT (ONC) revealed the top reasons for EHR adoption. The need to share patient information with other providers and the use of financial incentives are the top reasons many...

New and Improved Business Associate Agreement

Since the HIPAA Omnibus Rule came out last year, there has been much discussion about the relationship and responsibility of each party between covered entities and business associates. Due to this, we have recently made some additions and...

Question about Notice of Privacy Practices and Research Studies

Recently we were asked a question about Notice of Privacy Practices (NPP) and notification requirements for a third party who may administer research studies. The following is our response to the question asked by a client in Kansas: Two of the...

Clean out Your Refrigerator and perform a Walkthrough

Did you know that November 15th is National Clean Out Your Refrigerator Day? Did you know that National Clean Out Your Refrigerator Day was created to encourage people to clean out their refrigerator in advance of the upcoming holidays? It is...

Compliance Question of the Week

A practice asked whether sending email internally (physician to PA) that contains only the patient's medical record number is acceptable under HIPAA. Healthcare Compliance Pros Response: Under the HIPAA Privacy Rule,...

Question about Compliance Requirements for Genetic Testing

This week we were asked a question about compliance requirements for genetic testing. The following is our response to the question asked by Marilyn T. in Alaska: What are the compliance requirements for genetic testing?  When is consent...

October is National Cyber Security Awareness Month

For over ten years, October has been recognized in the United States as National Cyber Security Awareness Month (NCSAM). October is a month dedicated to doing our part to ensure the safety and security of information while online. As healthcare...

Reminder: Privacy and Oral Communications

Oral communications at your practice are extremely important but are often overlooked and forgotten.  This can be a confusing issue and needs serious attention. The Privacy Rule applies to individually identifiable health information in all...

4.5 Million Records Stolen in Hospital Network Breach

On Monday, it was reported that Community Health Systems, which operates 206 hospitals across the United States, had a data breach that affected an estimated 4.5 million patients. According to the statement filed by Community Health Systems, the...

Safeguarding Confidential Information is not just a HIPAA Obligation

Throughout your career you may be asked questions about your job duties and about the organization you work for. Think about conversations you may have outside the workplace such as a conversation over lunch with friends from an organization...

Patient's Right of Access

This week we had a question submitted to us asking about the patient's right to access their medical records. A patient contacted their medical provider asking for a recording of a conversation that took place between a nurse and a State...

Weekly Tip – Notice of Privacy Practices

What if a patient refuses to sign the Notice of Privacy Practices? If a patient refuses to sign the Notice of Privacy Practices acknowledgment, the provider must document its good-faith effort to obtain the acknowledgment and the reason it was not obtained. The Notice...

Weekly Tip – Breach

What is a Breach? By definition, a breach is the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted under the Privacy Rule which compromises the security or privacy of the protected health information. Examples of a breach...

Is It Time To Change Your Password?

It is a common practice for new users to be assigned a simple, easy-to-remember password at the time of employment, or when a user is assigned a new application.  For example, a new user may be assigned a default password, such as...

Is a Business Associate Agreement Necessary?

Recently, we have received some questions regarding business associate agreements and whether an agreement is necessary. First off, a business associate is not considered a part of the covered entity's workforce. A business associate is a...

Another Costly Breach Results in $4.8 Million HIPAA Settlement

Imagine you are surfing the internet when you stumble across your protected health information, or the protected health information of a loved one.  You wonder, shouldn't health information be protected? How could the information be...

A HIPAA Question – Addressable and Required Implementation Standards

We are finding that many of our subscribers including both covered entities and business associates have questions regarding the difference between "Required" and "Addressable" HIPAA Security Final Rule Standards.  The...

HIPAA Settlements Due to Stolen Unencrypted Laptops

Imagine you have left your laptop unattended in your car while you quickly run into the grocery store. As you come back out with groceries, you notice your window is smashed, and the laptop has been stolen. Is the information on your laptop...

ICD-10 Delay Provides More Time for Compliance

The signing of the H.R. 4302 bill, which includes the provision to delay ICD-10 for one year, has received mixed responses from healthcare professionals.  It's understandable considering the amount of time, energy and resources that have...

Beyond the Bring Your Own Device Policy: Planning and Launching a Secure BYOD System

The use of mobile devices, cell phones, smart phones and tablets has become commonplace within the medical field workplace. Because of the trend to implement Bring your Own Device (BYOD) programs in the workplace, and the concern for continued...

Breaches and Risks and Outages, Oh My!

In part one of the article series we discussed electronic communications, including the use of third party email providers such as Google and Hotmail. In this second and final part of our series, we will address what steps should be taken when an...

The HIPAA Privacy Rule: Patients' Access to Test Reports

Beginning April 7, 2014 patients and / or their personal representatives will have greater access to their test results. Covered entities will have until October 6, 2014 to comply with this final rule, which amends the current CLIA regulations of...

Working with OCR Investigators

Ask HIPAA Privacy and Security officers what they dread most and an OCR investigation will be high on their list. The thought of being investigated by a federal agency can be scary for healthcare organizations, said Heather Noonan, senior...

Proxy Access to EHRs

A federal advisory panel is seeking feedback as it prepares to evaluate security and privacy policy recommendations for patient representatives authorized to view, download and transmit electronic health records on behalf of patients. The...

Health Data Breach Tally Tops 800

More than 70 incidents have been added in the last month to the Department of Health and Human Services' wall of shame website listing health data breaches affecting 500 or more individuals – far more than in any other recent...

How the "Telephone Communication Protection Act" Could Cost Your Practice

As of October 16, 2013, the Federal Communications Commission began enforcing the federal Telephone Communication Protection Act (TCPA). The purpose of the TCPA is to protect consumers from the nuisance of receiving unsolicited robocalls to...

OIG Reports EHR Fraud Detection Inadequate

According to a report released this month by the Department of Health and Human Services' Office of Inspector General, The Centers for Medicare and Medicaid Services and many of its contractors need to adopt better practices to...

Stolen Thumb Drive Leads to $150,000 HIPAA Penalty

Another federal investigation of a relatively small breach has resulted in a financial penalty, this time for a physician group practice in Concord, Mass. On Dec. 26, the Department of Health and Human Services' Office for Civil...

HIPAA May Become Involved in Gun Control

As part of President Obama's continuing efforts to reduce gun violence, the Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to remove unnecessary legal barriers under the Health Insurance...

Theft of Unencrypted Laptops

A recent theft of two unencrypted laptop computers that were cable-locked to employee workstations at the headquarters of Horizon Blue Cross Blue Shield of New Jersey has resulted in a breach that potentially affected nearly...

HITECH Stage 2 EHR Incentive Extension

Federal regulators plan to extend Stage 2 of the HITECH Act electronic health record incentive program one year, giving healthcare providers and EHR software vendors more time to comply with requirements that include a variety of privacy and...

Patient May Request an Accounting

Are you remembering to account for the disclosures of PHI? Even though this is a basic patient right under HIPAA, some healthcare providers are still not compliant with this part of the Privacy Rule. Under HIPAA Privacy and as outlined on your...

Revised Accounting of Disclosures Rule

A federal advisory panel will recommend that the Department of Health and Human Services take an incremental approach to implementing a revised HIPAA Accounting of Disclosures rule. At its recent meeting, the Privacy and Security Tiger...

Preparing Your Practice for a Disaster

Developing a disaster plan for your office is a must in today's world. If a natural disaster happened and your office was shut down and wiped out your records, would you know how to piece your office back together? Probably...

The Security Risk Analysis: An Essential Step Towards HIPAA Compliance

There are many important elements to implementing an effective HIPAA Program, but none are more important than completing a security risk analysis. Conducting a risk analysis will give your practice an accurate and thorough assessment of the...

HIPAA Audits Need Documentation

Keeping risk assessment documentation and other compliance evidence in a centralized repository is a good way to prepare for any HIPAA audit or investigation. Office for Civil Rights (OCR) officials have said a permanent HIPAA security audit...

Veterans Administration Privacy Breaches

Veterans Administration (VA) employees or contractors are responsible for 14,215 HIPAA privacy violations at 167 facilities from 2010 to May 31, 2013. The violations affected at least 101,018 veterans and 551 VA employees. Reporters...

Proposed New Disclosure Rule

At an online hearing Sept. 30, federal advisers heard concerns from healthcare providers, electronic health records system vendors and others about the cost and impracticality of a proposal to require giving patients an access report listing all...

HIPAA and the Government Shutdown

At the heart of the federal budget stalemate in Washington is the effort to pull the plug on Obamacare. The resulting partial government shutdown is derailing other important healthcare efforts that not only impact patients' data security...

More HIPAA Audits for 2014

Federal regulators are planning for a permanent HIPAA audit program that will begin next year. But the audits will be narrower in scope than the 115 in the pilot program during 2012, helping pave the way for a higher number of...

Providing Electronic Access

HIPAA HITECH and Omnibus have added to the requirement to allow patients to receive a copy of their medical records. In addition to a paper copy, they now have the right to receive an electronic copy if the provider uses an electronic medical...

Only 5 Days left until HIPAA Omnibus . . . How Many Hours Will Compliance Take?

Healthcare organizations will spend 32.8 million hours complying with the modified HIPAA Omnibus Rule, according to the Department of Health and Human Services' Office for Civil Rights. They state that the bulk of that time – 30.655...

Are Your Business Associates ready for the September 23 Deadline?

Last week we asked you if your practice was ready for the September 23 Omnibus enforcement deadline. How about your Business Associates? Are they ready? As the date approaches, an error that many business associates are making is thinking that...

Are You Ready for September 23?

The new HIPAA Omnibus Rule deadline for compliance is nearly here. Are you ready? What do you have to do? Learn about the Rule. Apply it in your practice. Train your employees on the changes that have been made. Ensure your Business...

Huge Breach Reported: Over 4 Million Patient Records

The theft of four computers from a Chicago-area physician group practice may have exposed information on more than 4 million patients. Advocate Medical Group posted reports on its website that the burglary of four unencrypted computers was...

Highlights for Compliance: HIPAA Omnibus for CEs and BAs

Time is growing short! Here are some highlights from the Omnibus final rule covered entities and business associates should be mindful of to ensure compliance by Sept. 23, 2013. Healthcare Compliance Pros provides training for your practice in...

Accounting of Disclosures: New Rule?

Now that the long-awaited HIPAA Omnibus Rule has been released and will soon move into the enforcement phase, federal regulators are shifting attention to another overdue rule on the accounting of records disclosures. Federal advisers...

HIPAA Notice of Privacy Practices (NPP)

Because of the changes brought about through the HIPAA Omnibus Rule, there has been much confusion with regard to the Notice of Privacy Practices, how to make it available to your patients and how to post it at your practice. You may access the...

Will Breaches Spike With HIPAA Omnibus?

In the past month, the Department of Health and Human Services has added only a handful of breaches to its "Wall of Shame" website of breaches affecting 500 or more individuals. Most of the 2013 breaches added to the tally so far...

Fraud Unit Breach

The New York state office that investigates Medicaid fraud has suspended one of its own workers after the individual allegedly sent 17,743 records of Medicaid beneficiaries to the employee's personal e-mail account. The employee,...

Exceptions to the Privacy Rule

In limited circumstances, the HIPAA Privacy Rule permits covered entities to use and disclose health information without individual authorization. Covered entities may use and disclose protected health information without Authorization for their...

Determining Breaches under HIPAA Omnibus

The new HIPAA Omnibus Rule includes the final regulations on breach notification. While some organizations may not need to change their incident response plans to comply with the final breach notification rule, many others have...

*Reminder* Privacy and Oral Communications

Oral communications at your practice are extremely important but are often overlooked and forgotten. This can be a confusing issue and needs serious attention. The Privacy Rule applies to individually identifiable health information in all...

Unlawful Disclosure of PHI Reminds Us of Importance to Train Staff

The $275,000 settlement concerning potential HIPAA violations between Shasta Regional Medical Center (SRMC) in Redding, Calif., and the Office for Civil Rights (OCR) originated when senior management impermissibly shared details about a...

*Tip* Remind Workforce Members about Gossip

In a time when so much attention is focused on issues such as cyber security and the dangers posed from evolving technology, it's easy to forget the HIPAA basics such as the need for workforce members not to gossip or chitchat about patients...

HIPAA Security: Risk Analysis and Risk Management

The Security Management Process standard, at § 164.308(a)(1)(i) in the Administrative Safeguards section of the Security Rule, requires covered entities to "[i]mplement policies and procedures to prevent, detect, contain, and correct...

Handling Security Incidents

The National Institute of Standards and Technology has issued a revision of its guidance to help organizations establish programs to manage computer security incidents. NIST, in Special Publication 800-61 Revision 2: Computer Security Incident...

HIPAA Omnibus Confusion

There's still plenty of confusion about compliance with the HIPAA Omnibus Rule, and HIPAA in general. Here's a sampling of critical issues to be aware of in your practice. Many providers are reluctant, or inconsistent, in disclosing...

Breach Notification: Four-factor Assessment

Under the HIPAA Omnibus Rule, security incidents are presumed to be reportable data breaches unless healthcare organizations demonstrate through a four-factor assessment that risks are low. The factors that need to be assessed include: The...

Risk Analysis Made Easier

Healthcare organizations need to conduct a comprehensive Risk Analysis as part of an effective security program. But many fall short, conducting only a HIPAA compliance assessment instead. They don't understand that HIPAA compliance...

HIPAA Omnibus: Importance of BA Agreements

Healthcare organizations signing new deals with vendors, including many cloud services providers, must make sure that their business associate agreements reflect the requirements of the new HIPAA Omnibus Rule, which went into effect on March 26....

The Liability Chain in HIPAA Omnibus

The HIPAA Omnibus Rule creates a complex chain of compliance liability among covered entities and their business partners. Under HIPAA Omnibus, covered entities, business associates and subcontractors can be held responsible for the...

Annual Privacy/Security Walk-through

It's that time again. You should conduct your HIPAA Privacy/Security Walk-through at least annually to identify areas in your office compliance that may need attention. Security experts agree that conducting a walk-through of your practice is...

Provider gets 12 Years in Prison

The U.S. Attorney's office in Eastern New York recently announced that an owner and officer of a medical equipment company was sentenced to 12 years in federal prison. Helene Michel, 45, was convicted after a three-week jury trial in...

The Clock is Ticking for Omnibus Rule Compliance

The clock is ticking for compliance with the Sept. 23 deadline for the HIPAA Omnibus Rule, and healthcare providers with limited resources will find compliance preparation particularly challenging. Providers are still struggling to...

Healthcare Hacking on the Rise

Though less common than breaches from lost laptops or other devices, hacking is on the rise in healthcare, experts say. Fending off cyber criminals, however, should go beyond treating security as a routine matter of protecting patient...

Compliance in the Forefront

The HIPAA Omnibus rule goes into effect today, March 26. While organizations have until Sept. 23 to comply with the rules' many provisions, including modifications to the HIPAA security and privacy rules, recent federal breach...

The New Omnibus NPP

Posting and Distribution: Under the Privacy Rule, whenever there is a material change to a Notice of Privacy Practices (NPP), a covered entity must promptly revise and distribute its NPP. The Omnibus Rule confirms that the required amendments...

HIPAA Omnibus and Medical Devices

The HIPAA Omnibus rule could play an important role in improving the security of medical devices that store patient data. Under the new rule, companies that service medical devices and have access to the patient information they contain...

HIPAA Omnibus Civil Monetary Penalties

The Secretary of Health and Human Services has been given the authorization through HIPAA HITECH and the final HIPAA Omnibus Rule to impose civil monetary penalties (CMPs) for violations of the Rules. These penalties apply to medical...

Business Associates' Liability in Breaches of PHI

Would it surprise you to know that more than half of all breaches (57%) have involved business associates? This is according to a study of recent healthcare breaches. Business associates are third-party vendors that need access to PHI to provide...

Compliance for Business Associates

To comply with the HIPAA Omnibus Rule, business associates and their subcontractors must immediately take several steps, including thoroughly documenting their privacy and security practices. HIPAA Omnibus makes it clear that business...

Reporting Breaches under HIPAA Omnibus

The new, much more objective guidance for reporting breaches that's included in the HIPAA omnibus rule will result in an increase in notifications. The revised breach notification guidance clarifies that any unauthorized use or disclosure of...

How Do We Comply With the New Omnibus Rule?

Healthcare privacy and security leaders are beginning to assess the work their organizations will need to do to comply with the recently published HIPAA Omnibus Rule. For starters, healthcare organizations need to prepare to modify their...

HIPAA Mega Rule and Business Associates

Business associates of all sizes, as well as their subcontractors, must now get their HIPAA compliance act together. When the new HIPAA Omnibus Rule (Mega Rule) takes effect in the months ahead (compliance date September 23, 2013), business...

It's Finally Here: The HIPAA "Mega-Rule"

The long-overdue final HIPAA Mega-Rule (HIPAA Omnibus Rule) was released on Jan 17. The package of regulations will be officially posted on the Federal Register on Jan. 25. The final omnibus rule will be effective on March 26, but covered...

ICD-10 Preparation Checklist

Although the implementation date for ICD-10-CM and ICD-10-PCS (jointly referred to as "ICD-10" throughout the rest of this document) has been postponed to October 21, 2014, it is not too early to begin planning for the transition, and...

HIPAA Case Settled for $140K

This case is a good example of what can happen when your practice does not adequately protect your patients' PHI. A seemingly simple mistake can turn into a very large fine. Former owners of a Marblehead-based medical billing practice and...

Accounting for Disclosures *Reminder*

With the new year upon us, here is a helpful HIPAA Privacy reminder for your office. Under HIPAA Privacy and as outlined on your NPP the patient has many rights. One of these is the right to request an accounting of all non-TPO disclosures (any...

Breach Leads to Change in Culture

A breach that resulted in a $1 million HIPAA settlement led Partners Healthcare in Boston to take many significant steps, including merging its privacy and security efforts, says CISO Jennings Aske. More changes are planned for 2013. Aske now...

Reminders for Protecting PHI at your Practice

Here are some helpful reminders for protecting PHI at your practice: 1. Manage your password properly: Protect your PHI by managing your password. Selecting a strong computer password (one that is easy for you to remember but difficult for...

Attorney Requests for PHI

This is a question that is raised frequently. It is sometimes a confusing issue. We hope this clears up any confusion. Q. When an attorney requests records and asks that all records be released, must we comply and send all of the patient's...

PHI and De-Identification

The HIPAA Privacy Rule protects most "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, on paper, or oral. The Privacy Rule calls...

HIPAA Mega Rule: We are Still Waiting

Now that the presidential election is finally over, healthcare reform and the HITECH electronic health records incentive program look like they're here to stay. But there's still a big uncertainty lingering: A long-overdue omnibus package...

What Security Lessons can we Learn from Superstorm Sandy?

An important lesson in the aftermath of Superstorm Sandy is the need to beef up contingency plans, including making sure staff members are cross-trained. "Practices in New York and Jersey affected by the storm found that many staff members...

Pre-ACO Checklist

Many Accountable Care Organizations have formed across the nation in the past year. Though the ACO model is still developing, one thing is certain: Organizations need to be prepared financially for the new healthcare delivery model. Hospital and...

Major U.S. Healthcare Data Breaches

Major U.S. healthcare data breaches have surpassed a significant milestone: More than 500 breaches have been confirmed since September 2009, when the U.S. Department of Health and Human Services began keeping tabs. Those incidents, each affecting...

CMS not Compliant on Breach Notification

CMS did not meet several Recovery Act requirements in reporting 14 breaches of PHI, according to an OIG report. CMS reported that it had 14 breaches of PHI requiring notification under the Recovery Act between September 23, 2009, and December 31,...

Risk Analysis is the Question…What is the Answer?

While risk analysis is a necessary component to reach and achieve the Meaningful Use requirements, it is also a necessary tool to reach any sort of substantial compliance with many other standards and implementation specifications. So, although...

HIPAA's Health Plan Identifier

HHS Secretary Kathleen Sebelius announced recently a final rule establishing a health plan identifier (HPID), that officials say will boost standardization within HIPAA transactions and increase the efficiency of health billing processes. The...

Kentucky Notifies Clients of Potential email HIPAA Breach

This story should be a warning to managers of all practices. This type of situation can occur when employees are not trained to be vigilant about their email practices while at work. The state of Kentucky is notifying clients of a potential...

Damage is Spreading from Healthcare Data Breaches

Almost twice as many people were affected by healthcare data breaches in 2011 as in 2010, according to a report released last week. The total number of breaches dropped by 32% to 145, but the number of people affected by those breaches doubled...

Provider Settles HIPAA Case for $1.5 Million

Massachusetts Eye and Ear Infirmary (MEEI) and Massachusetts Eye and Ear Associates, Inc. (collectively referred to as "MEEI") have agreed to pay the U.S. Department of Health and Human Services (HHS) $1.5 million to settle...

HIPAA and Meaningful Use Now Closely Tied

There's been a lot of hoopla surrounding some of the more eye-catching provisions of the two final rules released last week defining and setting the standard for Stage 2 of Meaningful Use. But one of the most significant aspects of these...

HIPAA HITECH Stage 2 and MU 2

The best way for you to prepare to comply with HITECH Stage 2 Privacy and Security requirements is for you to start conducting a thorough risk assessment. A risk assessment helps hospitals and physicians identify potential areas of their...

HIPAA Fines and Jail Time are Real

A New York medical supplier could go to jail for 10 years for wrongfully disclosing private patient information and submitting fraudulent Medicare claims in order to buy a multi-million dollar home and fund a pension plan and investment brokerage...

OCR Audits: Organizations are Failing in HIPAA Compliance

Too many healthcare organizations are receiving failing grades for HIPAA compliance, an analysis of OCR's first initial audits reveals. The biggest concern for Linda Sanches, OCR senior advisor and health information privacy lead for the...

Record Copies Requested from Out-of-State Parties

The following is a recent question that came in from a client that serves as a helpful reminder: Q: We often receive requests from out-of-state attorneys who want us to bill for copies of records in accordance with their state laws. Should we...

Follow-up on Utah Dept. of Health Breach

When it comes to major data breaches, some organizations meet the minimum requirements for notification and then hope for the best while keeping their heads down and trying to sweep away the mess from public view. But the Utah Department of...

OCR Posts 17 Large HIPAA Breaches

Has there been an onslaught of large breaches lately? Or is OCR just posting things all at once? Though we don't know for sure, the HIPAA privacy and security enforcer has posted 17 breaches affecting 500 or more individuals over the past...

OCR Releases Audit Protocol

Want to know what the OCR audits will look like? OCR has let us know. The HIPAA privacy and security enforcer has released its audit protocol. OCR breaks down 77 areas that it will be reviewing during its initial phase of audits. OCR, per...

Alaska's Medicaid to Pay $1.7 million for HIPAA Violations

Although your practice is not as large as a state Medicaid agency, you can use this incident as a good negative example because the same principles apply to a smaller practice. Alaska's Medicaid program has agreed to pay OCR $1.7 million over...

Sharing PHI with Specialists

Q: A patient who presented with an order from the primary care physician for lab work had also seen a specialist who ordered x-rays. Both physicians were entered into the system, and both received the laboratory test results and x-rays. The...

Emergency Access Procedures

Your practice must establish procedures so your employees know how to obtain electronic protected health information (ePHI) during an emergency. Access controls will still be necessary under emergency conditions, although they may be very...

The HIPAA "Mega Rule" to be Released by the End of Summer

The new HIPAA Rule that we have been anticipating is finally going to be released. The national coordinator for health information technology says the HIPAA "mega rule" should be published by the end of summer. The Mega Rule includes...

Emory Healthcare Faces Major Breach Lawsuit

This lawsuit is an example of what can happen with the unsecured ePHI at your practice. Your practice may not be as large as Emory Healthcare, but a breach at your practice can have a major impact on your business. Emory Healthcare in Atlanta...

HIPAA Privacy/Security Walk-Through

You should conduct a HIPAA Privacy/Security Walk-through at least annually to identify areas in your office compliance that may need attention. Here is a reminder of the areas you should address in your walk-through. Security experts agree that...

Answering Service Messages

This is a question that is often asked. To encrypt or not to encrypt…what am I required to do? Q: If a physician uses an answering service and receives unencrypted messages from an answering service, is it a violation of the HIPAA Security...

Court Clarifies HIPAA's Criminal Rules: Can You Get Prison Time?

Can you go to prison for violating HIPAA even if you're not aware you're breaking the law? A U.S. appellate court says yes. The decision is an important reminder that ignorance of the law won't protect you from criminal prosecution...

Business Associates and HIPAA

Recently there has been some confusion about HIPAA and Business Associates. There have been many questions submitted with regard to what is a Business Associate and what are their responsibilities under HIPAA. The following information should be...

The "Small" Practice and a "Large" Penalty

Because so few organizations have been penalized for failing to comply with HIPAA, many healthcare organizations, especially smaller ones, figured they could get away with paying scant attention to compliance with the HIPAA privacy and security...

Entitlement of Records

Q: When is Adult Protective Services (APS) entitled to copies of a patient's medical record without a signed authorization? An adult patient was transferred from a hospital to our skilled nursing facility for long-term care. Prior to...

Requirements for Notification

This question was recently submitted by a client, but this situation could be encountered by any practice: Q. What constitutes a privacy breach that requires notification to patients? Recently, a thief broke into an employee's car and took...

HIPAA Pitfalls at Physician Practices

The following is a list of common HIPAA violations seen regularly in physician offices. Check your practice against this list to see if your staff commits the same common violations, and if so, address these problems in advance: * Not providing...

Security Breaches of PHI

We have received numerous questions regarding how to handle a breach of protected health information. This article is a reminder of what you should do. The Department of Health and Human Services (HHS) released guidance regarding the new protected...

CMS Announces Another Extension of HIPAA 5010 Deadline

CMS announced March 15 that it would once again postpone the enforcement of HIPAA 5010 for three months. CMS initially called for enforcement by the start of 2012, but delayed it until March. The most recent postponement extends to June 30, 2012....

Security Rule Principles

It is advisable to periodically review the principles of the HIPAA Rules to remind ourselves of the importance of the regulations. Here we will review the principles of the Security Rule. The Security Rule is based on three principles:...

Unauthorized Disclosure

Q. A patient who carries his or her own state-issued identification card or work-issued identification card loses the card. Is this considered an unauthorized disclosure? Must we notify all parties specified by the relevant regulations? Does the...

Encryption and HIPAA

Q. Would a covered entity or business associate be in violation of the HIPAA Security Rule if it sends PHI in unencrypted emails to an email address within the same domain using a Microsoft Exchange server behind the organization's firewall?...

What Compromised Information Constitutes a HIPAA Breach?

Q. The Code of Federal Regulations, specifically 45 CFR 160.103, defines protected health information (PHI). Is the following information PHI? A practice sends a patient a letter that includes the patient's name and address, patient number,...

Confused about your Risk/Gap Analysis for "Meaningful Use"?

Do you have your Risk/Gap Analysis completed for your practice, which is required to achieve "Meaningful Use" for the CMS EHR Incentive Program? The Risk Analysis provided by Healthcare Compliance Pros is the same as is required for...

Recent HIPAA Breach Stats

Breaches involving more than 500 patients reached 385 affecting 19,016,807 individuals, according to an analysis by Health Information Privacy/Security Alert of OCR statistics from Dec. 17 through Jan. 17. That represented an increase of five...

OCR Auditing Program

The Office for Civil Rights says that it makes sense to audit healthcare organizations of all shapes and sizes. After all, one goal of the audit program is to spur across-the-board compliance with the Health Insurance Portability and...

Power of Attorney Reminder

Q. Is a power of attorney still effective after a patient's death? I was told that a woman whose husband died was not allowed to get a copy of his medical record. She had his power of attorney, but the hospital told her that the power of...

5010 Transactions and ICD-10

As 2012 begins, it is important to keep your focus on compliance with Version 5010 and beginning to plan for the transition to ICD-10. The Version 5010 deadline was on January 1, 2012; however, because of the 90-day enforcement discretion period...

HIPAA and Social Networking Conflicts

Some healthcare organizations are using social networks (e.g., Facebook, Twitter and Myspace), some not, but either way it is a good bet your employees are using these sites to connect with and expand their social networks. That can become a huge...

HIPAA Campaign Mailing

Q. A large specialty medical group with a nonprofit research foundation allows the foundation to use its patient database for its annual giving campaign mailing. Does this practice violate HIPAA? A. This is acceptable provided that the medical...

New 5010 Transactions Deadline: Time to Ask Questions

The Centers for Medicare & Medicaid Services (CMS) recently announced that it will extend the deadline from Jan. 1, 2012, to March 31, 2012, for enforcement of HIPAA Version 5010, a more-robust set of claims transmission standards. The extended...

Upcoming ICD-10 Implementation and Checklist

If you haven't started working on it, there is no time to waste! Your revenue will be at great risk! The compliance date for implementation of the International Classification of Diseases, 10th Edition, Clinical Modification/Procedure Coding...

Uses and Disclosures *Reminder*

It is good to remember that under HIPAA Privacy and as outlined on your NPP, the patient has many rights. One of these is the right to request an accounting of all non-TPO disclosures (any disclosure that is not for treatment, payment, or health...

Attorney Requests for Medical Records *Reminder*

Q. A patient signed an authorization eight months ago, and her attorney is now submitting it to obtain a copy of her medical records. Is this authorization still valid, or do we need to get the patient to sign a new authorization? A. The HIPAA...

The New HIPAA Enforcement: HIPAA Audits

Leon Rodriguez, the new enforcer at the Department of Health and Human Services' Office for Civil Rights, describes his HIPAA enforcement agenda. "As I've learned as a prosecutor and then as a defense lawyer, enforcement promotes...

Employee EMR Access

Q. May we allow employees who have been granted access to PHI through the workforce clearance procedure to access their own PHI through the electronic medical record (EMR) without first requiring them to sign a release or authorization? A. HIPAA...

Faxing PHI to the Wrong Fax Number

Q: A fax containing PHI is sent to an incorrect fax number. Did the covered entity (CE) or business associate (BA) violate HIPAA? Must we include this incident in the patient disclosure accounting record? A: Faxing PHI to a wrong number is a...

Hospital HIPAA Breach Posted on Stanford Website

Stanford (CA) Hospital & Clinics (SHC) reported on its website October 3 that it found a vendor's electronic file that included certain patient information on a student homework website and removed it the following day. But the information...

Power of Attorney and Deceased Individuals

There have been numerous questions regarding a deceased individual and the rights to their protected health information. The following will answer those questions. Q. Is a power of attorney still effective after a patient's death? I was told...

Verifying Patient Benefits

Q. An outpatient physical therapy clinic verifies a patient's benefits prior to his or her first visit. When the patient arrives, front desk staff reviews the patient's insurance benefits and out-of-pocket costs. Other patients may...

EHR Incentive Program: Stage 1 of Meaningful Use

The Medicare EHR Incentive Program will provide incentive payments to eligible professionals, eligible hospitals, and CAHs that demonstrate meaningful use of certified EHR technology. Participation can begin as early as 2011. Eligible...

Compliance With 5010 Transaction. Will You be Ready?

The HIPAA 5010 compliance date is fast approaching. There are only 100 days left until full implementation on Jan. 1, 2012. As of this date, version 5010 will be required for all HIPAA standard transactions. This means: * HIPAA version 4010A1...

Health Care Fraud and Criminal HIPAA Violations Case

Why is it important to ensure HIPAA and Medicare fraud training and auditing in your practice? Here is a good example of what can happen: Matthew Paul Brown, 30, formerly of Atlanta, Georgia and Nashville, Tennessee, pleaded guilty in federal...

NPP Reminders

Q: Patients receive a Notice of Privacy Practices (NPP) at their initial visit that includes information explaining their privacy rights. This includes the patients' right to opt out of the facility directory. Should the covered entity remind...

HIPAA HITECH-Required Audits

HIPAA compliance auditors contracted by the Office for Civil Rights (OCR) will review whether covered entities have corrective action plans in place and if they diligently work to remediate any problems. Below are the key points of the audits,...

HIPAA HITECH Breaches

As of Aug. 22, 2011, there have been 306 major health information breaches, which have affected a total of almost 11.7 million individuals included in the official federal tally. Fourteen incidents affecting a total of about 270,000 were added...

Accounting for Uses and Disclosures

Under HIPAA Privacy and as outlined on your NPP, the patient has many rights. One of these is the right to request an accounting of all non-TPO disclosures (any disclosure that is not for treatment, payment, or health care operations). For this...

Consent for Lab Reports

Q: After meeting with physicians to review lab reports, patients often request a copy of the report. Is written consent or authorization required before the physician provides the patient with a copy? A: Written consent or authorization is not...

HIPAA HITECH Audit Program

The long-overdue HIPAA compliance audit program likely will launch late this year or early in 2012 after test audits are completed by the Office for Civil Rights (OCR). The first step will be creation of a comprehensive set of protocols for how...

Manage Your Password Properly

Selecting a strong computer password, one that is easy for you to remember but difficult for someone else to guess, is an essential step in securing your practice's information. Generally, you should select a password that: (1) Includes both...

Attorney Requests

Q. When an attorney requests records and asks that all records be released, must we comply and send all of the patient's medical records? A. If the request was accompanied by the patient's authorization, review the authorization to...

Sign-in Sheets

Q. Do patient sign-in sheets violate the HIPAA Privacy Rule? If they don't, does a recommended format exist? A. Covered entities are responsible for limiting incidental disclosures. Using a patient sign-in sheet is allowed but can be...

HIPAA Indictment . . . Boosting Awareness of Privacy Rule

We've often said that if authorities initiated more high-profile legal actions against alleged HIPAA violators, it would go a long way toward boosting compliance. So we're glad to see that federal prosecutors in Virginia have announced an...

More Highlights of the HIPAA Disclosure Proposed Rule

Check out this summary regarding the HIPAA Privacy Rule accounting of disclosures proposed rule published by HHS in the Federal Register May 31. The proposed rule: * Applies to any medical and healthcare payments records as well as any records...

HIPAA Disclosures Proposed Rule Requires Added Auditing Methods

HIPAA experts say the major take-away from the HIPAA Privacy Rule disclosures proposed rule is the need to revisit existing auditing methods for disclosures of protected health information. The proposed rule requires a more in-depth and on-going...

More on HIPAA's Accounting of Disclosures Proposed Rule

Covered entities (CE) and business associates (BA) finally know the details of the accounting of disclosures provision in HITECH now that the Department of Health & Human Services (HHS) released a proposed rule on May 27. It was published in the...

BA Contracts under HIPAA HITECH

Many of you have inquired about the following question regarding business associates over the past weeks, so we thought we would review this again. Q: A covered entity encounters difficulty when executing updated business associate contracts....

HHS Publishes HITECH Accounting of Disclosures Proposed Rule

On Friday, May 27, 2011, the Department of Health & Human Services (HHS) published a HITECH-required proposed rule on accounting of disclosures of electronic health records (EHRs). The rule will ultimately lay the foundation for what healthcare...

Copies of MRI reports

Q. We are a referral-based MRI facility. As a standard procedure, we fax MRI reports to referring providers after radiologist review. Patients can schedule follow-up appointments with referring providers to obtain results of their MRI scans....

OCR Investigation Tip: Cooperate With Investigators

The Office for Civil Rights (OCR) has statutory authority to enforce the HIPAA Privacy and Security Rules. And now, pursuant to HITECH, state attorneys general also have enforcement authority. An investigation can start with a letter or a civil...

Working with Multiple Providers

We have received a lot of questions about this issue lately. It is important that you are aware of this practice and what you should do about it. Q: Our billing company provides services to multiple providers. The billing company requires the...

Faxing Protected Health Information

Recently, a client called in requesting clarification of whether or not they had violated HIPAA Privacy rules due to faxing protected health information (PHI). The following was their scenario and our answer: Scenario: Last week, a private...

HIPAA Privacy/Security Walk-Through

Security experts agree that conducting a walk-through of your practice is a good way to make sure your employees are following the requirements set out in your practice's HIPAA Privacy and Security policies and procedures. Here's a...

Emergency Access Procedures Reminder

Your practice must establish procedures so your employees know how to obtain electronic protected health information (ePHI) during an emergency. Access controls will still be necessary under emergency conditions, although they may be very...

Releasing Records of Substance-abusing Minor

Q: A 16-year-old patient has admitted to extensive substance abuse, which is documented in his medical record. His father is requesting the record. Must we obtain the patient's authorization prior to releasing? A: Under federal law (42 CFR,...

Reasonable Safeguards *Reminder*

HIPAA requires that covered entities have in place "appropriate administrative, technical, and physical safeguards" for protected health information (PHI). The Privacy Rule, which also extends to non-electronic information, does not...

Test Results Sent to Wrong Doctor

We have received some recent inquiries from offices regarding the following question: Is it a HIPAA violation that needs to be reported when the wrong doctor receives a patient's test results? (For example: patient X goes to a specialist and...

EHR Accounting of Disclosures Rule Close to Publication

The Department of Health & Human Services recently pushed forward a HITECH-required proposed rule on accounting of disclosures of EHRs. The rule will lay the foundation for what healthcare providers will be accountable when patients request...

HITECH Tips for Your Beginner Staff: Disclosure of PHI

The HITECH Act modifies the HIPAA Privacy Rule requirement so that covered entities will be in compliance if the PHI access, use, and disclosure are limited to either the minimum necessary or a "limited data set." The HIPAA Privacy Rule...

OCR Comments on HIPAA HITECH Rules to be Released in 2011

A senior official with the Office for Civil Rights (OCR) said recently that the enforcer of the HIPAA Privacy and Security Rule plans to release final rules regarding HITECH and HIPAA next year. He stated that they did not know specifically when...

Accounting for Uses and Disclosures of PHI

Are you remembering to account for the disclosures of PHI? Some healthcare providers are not compliant with this part of the Privacy Rule. Under HIPAA Privacy and as outlined on the NPP, the patient has many rights; one of these is to request an...

HIPAA Reasonable Safeguards

HIPAA requires that covered entities have in place "appropriate administrative, technical, and physical safeguards" for protected health information (PHI). The privacy rule, which also extends to non-electronic information, does not...