Protective Measures Following A Breach

When your practice determines that a privacy breach is reportable, notification to patients must be provided within 60 calendar days from the date of discovery of the incident. The notice to patients must include:

  • a brief description of the breach;
  • the types of information that were involved;
  • a brief description of what your practice is doing to investigate the breach, mitigate any harm, and prevent further breaches (corrective actions); and 
  • contact information for the practice’s Privacy Officer (in the event the patient has questions regarding the breach).

It is also required that your practice provide notice of any steps that affected individuals should take to protect themselves from potential harm that might result from the breach. This article addresses the types of protective measures available to patients following a breach, when they should be recommended, and who should provide for them.

Providing Credit Monitoring & Identity Theft Protection Services

The Breach Notification Rule does not stipulate whether credit monitoring and identity theft protection services should be provided for patients who have had their PHI breached.  The decision whether or not to provide those services is left to the discretion of your practice.  However, your practice is required to provide patients with details of the steps that should be taken (by them) to mitigate further risk and protect themselves from harm.

Credit monitoring may not be necessary for all confirmed breaches. Breaches of credit card numbers and Social Security numbers (SSNs) present the most risk for identity theft or fraud. According to fraud experts, simply having a full name and address does not enable theft or fraud. However, having a full name, address, date of birth (DOB) and SSN would place someone at significant risk of identity theft.

Note that some states have enacted legislation requiring credit monitoring to be offered for all data breaches. Your state medical or dental society can provide information on your state’s position. 

Consider the Public Relations (PR) Factor

Providing credit monitoring can reverse any ill will that the privacy breach has caused by demonstrating a genuine concern for the patient’s privacy. This relatively simple action may lessen the likelihood that the patient will file a privacy complaint with the Office for Civil Rights (OCR) or complain to others about your practice.  An OCR complaint could result in significant administrative time to respond to an investigation and could potentially result in civil monetary penalties.

Place yourself in the patient’s shoes.  If you have to send them notification of a confirmed breach, you’ve just told them that your practice has improperly disclosed their PHI and perhaps, as a protective measure, they should monitor their credit. Offering credit monitoring at no expense to the patient alleviates a burden that resulted from actions of the practice.  

Credit Monitoring

While the credit reporting bureaus – Equifax, Experian, and TransUnion – must provide consumers with a free credit report once every 12 months upon request, ongoing credit monitoring services go further: they alert the patient whenever the company is notified of an application for credit or a loan, or of a change to personal information such as an address or phone number.

Identity theft protection services cover a much broader range of activities, some of which may not show up on credit reports. These include the use of personal documentation such as SSNs, as well as driver’s license, medical ID, and passport numbers.

The decision about which services to offer should be based on the level of risk breach victims are likely to face. The level of risk will be determined by the nature of the attack, the types of data that have been exposed, the likelihood of data being used for identity theft and fraud, and the risk of data being sold.

If you attempt to sign up for a credit monitoring service on the patient’s behalf, the company may see it as an attempt at credit or identity theft. It is recommended that you inform the patient of your willingness to reimburse them for such services, or you could offer an up-front payment to the patient once they have selected a service.

The cost of a one-year plan can range from $100 to $250 for an individual. Considering the cost of dealing with an unhappy patient and a possible OCR inquiry, one year of credit monitoring can be a wise investment for the practice.  

Credit Freeze

The Federal Trade Commission (FTC) recommends that if someone is concerned about identity theft, data breaches, or someone gaining access to their credit report without permission, they might consider placing a credit freeze on their report.  Depending on the nature of the breach, you might recommend that your patients consider a credit freeze.

A credit freeze will not prevent thieves from making charges to existing accounts, but this free tool lets people restrict access to their credit reports, which in turn makes it more difficult for identity thieves to open new accounts in the person’s name. A credit freeze does not affect a person’s credit score, nor does it prevent the person from getting a free annual credit report. A credit freeze does not keep a person from opening a new account, renting an apartment, or buying insurance; however, a person might need to temporarily lift a freeze to accomplish these things. It is free to lift a credit freeze and free to place it again.

A freeze remains in place until the person asks the credit bureau to temporarily lift it or remove it altogether. If the request is made online or by phone, a credit bureau must lift a freeze within one hour. If the request is made by mail, the bureau must lift the freeze within three business days from receipt of the request. 

You may direct patients to the FTC recommendations at:

https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs

Summary

All potential breaches should be investigated and documented.  Final determinations on whether an incident requires notification of patients and protective measures is at the discretion of your practice.

Business Associates vs. Vendors

Most covered entities have business relationships with vendors or service providers that fall into the category of business associates, as defined by HIPAA rules. The factor that will decide whether or not there is a business associate relationship with a particular service provider is whether the individual or entity handles protected health information (PHI) as part of the services that they provide to the practice. 

Business Associates

Following is a definition of a business associate, according to the Privacy Rule:

Business Associates – In general, a business associate is a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. 

Examples of business associates include:

  • Companies that help doctors get paid for providing health care, including billing or collection companies and companies that process health care claims
  • People like outside lawyers, accountants and IT specialists (if their work requires access to or disclosure of PHI)
  • Companies that store or destroy medical records, such as shredding companies, storage facilities (for paper records) and cloud-based data storage vendors (for electronic records)
  • Companies that provide data transmission services with respect to PHI, such as secure email or Internet-based fax services
  • Voice Over Internet Protocol (VOIP) phone service providers
  • Companies that provide phone answering, mailing or transcription services

It is not necessary that the entity use the protected health information, but only that your practice intentionally provides access to or discloses it to the business associate as part of the service relationship. For example, although a cloud-based data storage company may simply store data (that contains PHI) for the practice and does not use it, the covered entity has made an intentional disclosure of PHI to the company and in turn it is providing the service of storage to the covered entity. Therefore, the data storage company is considered a business associate subject to HIPAA rules. It is very important to establish a written Business Associate Agreement with such entities prior to disclosing PHI to them.

Vendors

There are some entities that may have inadvertent access to PHI due to their presence in your practice, such as janitorial staff or a pharmaceutical rep, who are not considered business associates. In most cases these vendors will only have incidental access, such as overhearing part of a conversation concerning a patient or seeing a patient’s name on a chart. Protected health information is not intentionally disclosed to these entities, nor are they provided with persistent access to it. And, as long as the covered entity has reasonable safeguards in place and these disclosures are limited in nature, they are not a violation of HIPAA Rules.

For complete information regarding business associate agreements and vendor confidentiality agreements, please refer to the article on page 5 of the May issue of the American Practice Advisor® titled “Business Associate vs. Vendor Confidentiality Agreements.”

HIPAA Workforce Sanctions

Sanctions, also known as penalties or disciplinary actions, are a common requirement when implementing regulatory requirements.  HIPAA Rules specifically state that a Covered Entity (i.e., a medical or dental practice) must implement policies to prevent, detect, contain, and correct privacy and security violations and apply appropriate sanctions against members of their workforce who fail to comply with policies and procedures.

The HIPAA definition of workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.

A recent Eagle Associates News page article, Preventing HIPAA Violations, referenced a practice that was fined $125,000 for unauthorized disclosures of PHI. Another reason for the civil monetary penalty was that the practice did not sanction the provider that made the disclosures. This draws attention to the fact that no member of the practice’s workforce is exempt from sanctions when they are involved in a HIPAA-related violation.

Sanction Policy and Types

Covered entities must maintain a written policy establishing a set of disciplinary actions that may be imposed when a workforce member violates its Privacy or Security policies. The policy should explain that sanctions will be applied equally to any workforce member that is at fault regardless of title or length of employment (including management and officers).  The policy should further outline that the actual sanction that is imposed for a given violation will be based on the risk to the patient’s PHI, repeat offenses, intent, and actual impact on PHI.  The authority for imposing sanctions lies with the practice’s Privacy Manager, Security Officer, and management personnel.  Having multiple persons involved ensures an appropriate review of circumstances and determination of the appropriate sanction to be imposed.

Workforce members must be provided notice of possible sanctions for violations.  This can be easily communicated in a confidentiality agreement that outlines the workforce member’s responsibilities, and consequences for failing to comply with practice policies. 

HIPAA Sanction Examples

The Security Officer, Privacy Manager and/or Compliance Committee should impose the sanction(s) that they determine to be appropriate, considering the severity of the incident, the intent of the workforce member, and the number of prior incidents in which the individual has been involved. Following are examples of possible sanctions that may be imposed:

  • A verbal reprimand should be imposed for incidents that are deemed to be minor, and for first occurrence of an incident by an individual.
  • A written reprimand should be imposed for incidents that are a repetition of an incident, or a different incident that involves the same individual.
  • A staff member may be temporarily suspended from work to prevent him/her from accessing protected health information, for a length of time to be determined by the Security Officer or Privacy Manager. The length of the suspension will be dependent upon the type and the severity of the incident and/or the repetition of offenses by the individual.
  • A staff member may be terminated from the practice for malicious or other serious failure to follow HIPAA policies and procedures implemented by the practice.

The written policy and sample sanctions should enable a practice to determine an appropriate sanction for the incident being addressed.  Again, sanctions need to be applied to all workforce members that violate HIPAA policies and procedures.  Perhaps the most difficult sanctions are those that need to be applied to providers and management personnel.  Due to the sensitivity and possible resistance to sanctions for providers and management personnel, it is recommended to have a discussion with compliance officers and management before violations occur.

Recommended Actions for Sanctions Compliance

  1. Ensure that your practice has written sanction policies.  Practices with Eagle’s HIPAA policy manuals should review Sections 1.14 and 1.14a and either:
    1. Implement those policies; or
    2. Implement existing HR or other practice policies intended to address HIPAA violations.
  2. Ensure that workforce members are aware of possible sanctions for HIPAA violations.  We recommend using a confidentiality agreement (Form 7.10 from the Eagle Associates HIPAA policy manual) for all workforce members to inform them of sanctions and possible actions.
  3. Ensure that sanctions are imposed and documented in the workforce member’s personnel file.
  4. Provide workforce member training for Privacy, Security, and Breach Notification Rule requirements.  Using Eagle Associates’ Compliance Training modules for HIPAA (occurring in April, May, and June issues of the Advisor) will document that the practice has met requirements for training and awareness.

Preventing HIPAA Violations

The Office for Civil Rights has highlighted recent enforcement actions. An often-asked question from clients is: what are common HIPAA violations and how can they be avoided? Because there are numerous requirements and unique situations for practices, the solution to avoiding HIPAA violations cannot be found in any one action. It is critical to implement, monitor, and maintain compliance, which is easier stated than accomplished.

Use Available Tools and Resources – As a client of Eagle Associates you may have tools available to make the process of monitoring and maintaining compliance easier (policy manuals, forms, training materials, audit plans/checklists). One of the most important resources is Live Support, available at no additional cost. The following three examples are recent enforcement actions that could have been avoided by monitoring compliance activities (see Preventive Measures, at the end of each example in this article to identify Eagle resources that may help prevent such violations).

1 – Business Associate Problem – A Florida physicians group shared protected health information (PHI) with an unknown vendor without a business associate agreement.

The physicians group agreed to pay $500,000 to OCR and to adopt a substantial corrective action plan to settle potential violations of the HIPAA Privacy and Security Rules. The group provides contracted internal medicine physicians to hospitals and nursing homes in west central Florida.

Between November 2011 and June 2012, the group engaged the services of an individual who represented himself to be a representative of a Florida-based billing company. The individual provided medical billing services to the physician group using the billing company’s name and website, but allegedly without any knowledge or permission of the billing company owner.

On February 11, 2014, a local hospital notified the physician group that patient information was viewable on the billing company’s website, including name, date of birth and social security number. In response, the physician group was able to identify at least 400 affected individuals and asked the billing company to remove the PHI from its website. Recognizing this as a privacy breach, the group filed a breach notification report with OCR on April 11, 2014, stating that 400 individuals were affected; however, after further investigation, the group filed a supplemental breach report stating that an additional 8,855 patients could have been affected.

OCR’s investigation revealed that the group never entered into a business associate agreement with the individual providing medical billing services, as required by HIPAA, and failed to adopt any policy requiring business associate agreements until April 2014. Although the group had been in operation since 2005, it had not conducted a risk analysis or implemented security measures or any other written HIPAA policies or procedures before 2014. HIPAA Rules require entities to perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of their electronic protected health information (EPHI).

“This case is especially troubling because the practice allowed the names and social security numbers of thousands of its patients to be exposed on the Internet after it failed to follow basic security requirements under HIPAA,” said OCR Director Roger Severino.

In addition to the monetary settlement, the physician group will undertake a robust corrective action plan that includes the adoption of business associate agreements, a complete enterprise-wide risk analysis, and comprehensive policies and procedures to comply with the HIPAA Rules. 

Preventive Measures – The violation could have been avoided by:

  • having written policies and procedures regarding business associates
    • see Section 3.17 of your HIPAA Policy Manual 
  • establishing Business Associate Agreements
    • see Form 7.22 in the Forms section of your HIPAA Policy Manual for a HIPAA-compliant Business Associate Agreement template
  • conducting regular Security Risk Analyses
    • see Section 4.06 of your HIPAA Policy Manual and the Security Risk Analysis tool in the Member Services area of our web site. 

2 – Access Problem – A Colorado hospital failed to terminate a former employee’s access to EPHI.

The hospital agreed to pay $111,400 to the OCR and to adopt a substantial corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. The hospital is a critical access hospital that, at the time of OCR’s investigation, provided more than 17,000 hospital and clinic visits annually and employed more than 175 individuals.

The settlement resolves a complaint alleging that a former hospital employee continued to have remote access to the hospital’s web-based scheduling calendar, which contained patients’ electronic protected health information (ePHI), after separation of employment. OCR’s investigation revealed that the hospital impermissibly disclosed the ePHI of 557 individuals to its former employee and to the web-based scheduling calendar vendor without a business associate agreement in place.

Under the two-year corrective action plan, the hospital has agreed to update its security management and business associate agreements, policies and procedures, and provide security training to its workforce.

Covered entities that do not have or follow procedures to terminate information access privileges upon employee separation risk HIPAA enforcement action. Covered entities must also evaluate relationships with vendors to ensure that business associate agreements are in place with all entities that qualify as business associates before disclosing protected health information.

Preventive Measures – The violations could have been prevented by:

  • implementing termination policies as required by HIPAA’s Security Rule 
    • See Section 4.08c of your HIPAA Policy Manual for termination policies.
  • following policies for establishing a business associate relationship 
    • See Section 3.17 of your HIPAA Policy Manual for policies regarding business associates.
  • obtaining a Business Associate Agreement 
    • See Form 7.22 in the Forms section of your HIPAA Policy Manual for a HIPAA-compliant Business Associate Agreement template.

3 – Unauthorized Disclosure of PHI – An allergy practice made an unauthorized disclosure of PHI to a news reporter.

The allergy practice agreed to pay $125,000 to the OCR and to adopt a corrective action plan to settle potential violations of HIPAA’s Privacy Rule. The practice is a health care practice that specializes in treating individuals with allergies and is comprised of three doctors at four locations across Connecticut.

In February 2015, a patient of the practice contacted a local television station to speak about a dispute that had occurred between the patient and one of the practice’s doctors. The reporter subsequently contacted the doctor for comment and the doctor impermissibly disclosed the patient’s PHI to the reporter. 

OCR’s investigation found that the doctor’s discussion with the reporter demonstrated a reckless disregard for the patient’s privacy rights and that the disclosure occurred after the doctor was instructed by the practice’s Privacy Officer to either not respond to the media or respond with “no comment.”

Additionally, OCR’s investigation revealed that the practice failed to take any disciplinary action against the doctor or take any corrective action following the impermissible disclosure to the media. 

In addition to the monetary settlement, the practice will undertake a corrective action plan that includes two years of monitoring their compliance with the HIPAA Rules.

Preventive Measures – The violations could have been prevented by: 

  • ensuring that workforce members are trained on HIPAA requirements and follow guidance provided by compliance staff
    • See the Employee HIPAA Orientation Handbook and annual HIPAA Privacy Rule training module in the April issue of the Advisor®.
  • enforcing sanctions when workforce members violate policies
    • See Section 1.14 of your HIPAA Policy Manual for sanction policies.

Not all potential HIPAA violations are easily identified and solved. A good rule to follow: when in doubt, use caution, ask questions, and get advice. Again, as a client of Eagle Associates, you have great resources available to help you avoid such problems. We invite you to call or email us with questions.

Notice of Privacy Practices

There are several requirements pertaining to a covered entity’s Notice of Privacy Practices. There are requirements for specific content, for posting the Notice, for providing copies to patients, and obtaining an acknowledgment of receipt. 

Assuming your practice has developed or obtained a compliant Notice for use, this article will help ensure it is posted and available to patients as required. 

If your practice uses our HIPAA Compliance System, a compliant Notice is included and updated as necessary. The content requirements that are adhered to are explained in section 3.11 of the HIPAA Policy Manual.

Posting the Notice

A current copy of the Notice must be posted in a conspicuous area of the practice, such as in the patient check-in or waiting area. If the practice maintains a website that provides information about its customer services, a copy of the Notice must be posted prominently and available to print. An example of prominent posting would include a direct link from the home page with a clear description that the link is to the HIPAA Notice of Privacy Practices.

Provision of the Notice

A copy of the Notice must be provided to each individual upon the first delivery of service (including service delivered electronically), and as soon as practicable after an emergency treatment situation. A copy of the Notice must also be provided whenever requested by an existing or prospective patient.

If your practice revises your Notice, it is not necessary to distribute the revised version to existing patients that had received a copy of the original version. The new Notice must only be provided to existing patients upon request. As a courtesy, you may let patients know with a sign or communication from front desk staff that your Notice has changed, and that copies of the Notice are available upon request.

When the Notice is provided upon first service, the practice is required to make a good faith effort to obtain an acknowledgement from the patient that a copy of the Notice was received. You may simply record a note in the patient’s record if you are unable to obtain an acknowledgement for some reason. The practice is not required to obtain an acknowledgement of receipt if further copies of the Notice are requested.

Acknowledgement of Receipt

We are often asked whether a patient’s acknowledgement of receipt (of the Notice) can be combined with an authorization form.  Unfortunately, the answer is no.  Authorization forms may not be combined with any other form and must contain a number of required elements.

The good news is that you may combine a patient acknowledgement with your standard new patient form—one that asks the patient to fill in his/her demographic/contact information.  

A sample acknowledgement appears below, and as mentioned, may be added to an existing new patient form.  The Privacy Rule does not specify the form of written acknowledgment, so if you’ve been using a different type, such as having patients provide their initials, that is perfectly fine.

Maintaining Earlier Versions

Outdated versions of the Notice must be maintained for a minimum of six years from the date they are superseded by a newer version.

The American Practice Advisor publication

The Advisor® is Going Digital!

Beginning in January 2019, the Advisor® will transition to an all-digital format.

There are several benefits to this format:

  • faster delivery—no more waiting for the postal service;
  • links from the cover page to every article;
  • links to web sites that are referenced within articles;
  • flexibility in formatting of information to make it more useful;
  • links to print out just the Compliance Training materials, Compliance Notes or Trainer’s Plan pages;
  • the Advisor® will still be provided in a format that would allow you to print a hard copy, if desired.

Our production and mailing costs have gone up significantly in recent years, but moving to a digital format will allow us to keep the subscription price steady at $195 per year.  We will continue to offer support via phone and email to answer your compliance questions as part of the subscription service.

A link to the current Advisor® issue, Trainer’s Plan, Compliance Training materials and Compliance Notes will be delivered to current subscribers via email at the first of each month. To ensure delivery of monthly messages, please let us know if your email address changes. We will also monitor bounced emails from our end in an effort to promptly solve delivery issues.

We are constantly striving to provide the best service possible to our clients.  Contact our office if you have any questions or concerns regarding the transition.  You can reach us via email at info@eagleassociates.net, or via phone at (800) 777-2337.