Preventing HIPAA Violations

The Office for Civil Rights has highlighted recent enforcement actions.  An often-asked question from clients is – what are common HIPAA violations and how can they be avoided?  Because there are numerous requirements and unique situations for practices, the solution to avoiding HIPAA violations cannot be found in any one action.  It is critical to implement, monitor, and maintain compliance–which is easier stated than accomplished.

Use Available Tools and Resources – As a client of Eagle Associates you may have tools available to make the process of monitoring and maintaining compliance easier (policy manuals, forms, training materials, audit plans/checklists). One of the most important resources is Live Support, available at no additional cost. The following three examples are recent enforcement actions that could have been avoided by monitoring compliance activities (see Preventive Measures, at the end of each example in this article to identify Eagle resources that may help prevent such violations).

1 – Business Associate Problem – A Florida physicians group shared protected health information (PHI) with an unknown vendor without a business associate agreement.

The physicians group agreed to pay $500,000 to OCR and to adopt a substantial corrective action plan to settle potential violations of the HIPAA Privacy and Security Rules. The group provides contracted internal medicine physicians to hospitals and nursing homes in west central Florida.

Between November 2011 and June 2012, the group engaged the services of an individual that represented himself to be a representative of a Florida-based billing company. The individual provided medical billing services to the physician group using the billing company’s name and website, but allegedly without any knowledge or permission of the billing company owner. 

On February 11, 2014, a local hospital notified the physician group that patient information was viewable on the billing company’s website, including name, date of birth and social security number. In response, the physician group was able to identify at least 400 affected individuals and asked the billing company to remove the PHI from its website. Recognizing this as a privacy breach, the group filed a breach notification report with OCR on April 11, 2014, stating that 400 individuals were affected; however, after further investigation, the group filed a supplemental breach report stating that an additional 8,855 patients could have been affected.

OCR’s investigation revealed that the group never entered into a business associate agreement with the individual providing medical billing services, as required by HIPAA, and failed to adopt any policy requiring business associate agreements until April 2014. Although the group had been in operation since 2005, it had not conducted a risk analysis or implemented security measures or any other written HIPAA policies or procedures before 2014. HIPAA Rules require entities to perform an accurate and thorough assessment of the potential risks and vulnerability to the confidentiality, integrity, and availability of its electronic protected health information (EPHI).

“This case is especially troubling because the practice allowed the names and social security numbers of thousands of its patients to be exposed on the Internet after it failed to follow basic security requirements under HIPAA,” said OCR Director Roger Severino.

In addition to the monetary settlement, the physician group will undertake a robust corrective action plan that includes the adoption of business associate agreements, a complete enterprise-wide risk analysis, and comprehensive policies and procedures to comply with the HIPAA Rules. 

Preventive Measures – The violation could have been avoided by:

  • having written policies and procedures regarding business associates
    • see Section 3.17 of your HIPAA Policy Manual 
  • establishing Business Associate Agreements
    • see Form 7.22 in the Forms section of your HIPAA Policy Manual for a HIPAA-compliant Business Associate Agreement template
  • conducting regular Security Risk Analyses
    • see Section 4.06 of your HIPAA Policy Manual and the Security Risk Analysis tool in the Member Services area of our web site. 

2 – Access Problem – A Colorado hospital failed to terminate a former employee’s access to EPHI.

The hospital agreed to pay $111,400 to the OCR and to adopt a substantial corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. The hospital is a critical access hospital that, at the time of OCR’s investigation, provided more than 17,000 hospital and clinic visits annually and employed more than 175 individuals.

The settlement resolves a complaint alleging that a former hospital employee continued to have remote access to the hospital’s web-based scheduling calendar, which contained patients’ electronic protected health information (ePHI), after separation of employment. OCR’s investigation revealed that the hospital impermissibly disclosed the ePHI of 557 individuals to its former employee and to the web-based scheduling calendar vendor without a business associate agreement in place.

Under the two-year corrective action plan, the hospital has agreed to update its security management and business associate agreements, policies and procedures, and provide security training to its workforce.

Covered entities that do not have or follow procedures to terminate information access privileges upon employee separation risk HIPAA enforcement action. Covered entities must also evaluate relationships with vendors to ensure that business associate agreements are in place with all entities that qualify as business associates before disclosing protected health information.

Preventive Measures – The violations could have been prevented by:

  • implementing termination policies as required by HIPAA’s Security Rule 
    • See Section 4.08c of your HIPAA Policy Manual for termination policies.
  • following policies for establishing a business associate relationship 
    • See Section 3.17 of your HIPAA Policy Manual for policies regarding business associates.
  • obtaining a Business Associate Agreement 
    • See Form 7.22 in the Forms section of your HIPAA Policy Manual for a HIPAA-compliant Business Associate Agreement template.

3 – Unauthorized Disclosure of PHI – An allergy practice made an unauthorized disclosure of PHI to a news reporter.

The allergy practice agreed to pay $125,000 to the OCR and to adopt a corrective action plan to settle potential violations of HIPAA’s Privacy Rule. The practice is a health care practice that specializes in treating individuals with allergies and is comprised of three doctors at four locations across Connecticut.

In February 2015, a patient of the practice contacted a local television station to speak about a dispute that had occurred between the patient and one of the practice’s doctors. The reporter subsequently contacted the doctor for comment and the doctor impermissibly disclosed the patient’s PHI to the reporter. 

OCR’s investigation found that the doctor’s discussion with the reporter demonstrated a reckless disregard for the patient’s privacy rights and that the disclosure occurred after the doctor was instructed by the practice’s Privacy Officer to either not respond to the media or respond with “no comment.”

Additionally, OCR’s investigation revealed that the practice failed to take any disciplinary action against the doctor or take any corrective action following the impermissible disclosure to the media. 

In addition to the monetary settlement, the practice will undertake a corrective action plan that includes two years of monitoring their compliance with the HIPAA Rules.

Preventive Measures – The violations could have been prevented by: 

  • ensuring that workforce members are trained on HIPAA requirements and follow guidance provided by compliance staff
    • See the Employee HIPAA Orientation Handbook and annual HIPAA Privacy Rule training module in the April issue of the Advisor®.
  • enforcing sanctions when workforce members violate policies
    • See Section 1.14 of your HIPAA Policy Manual for sanction policies.

Not all potential HIPAA violations are easily identified and solved.  A good rule to follow is when in doubt use caution, ask questions and get advice.  Again, as a client of Eagle Associates, you have great resources available to help you avoid such problems. We invite you to call or email us with questions.

Appointment Reminders

Reminding patients of their scheduled appointments with your practice is critical to ensuring appropriate follow up care for the patient as well as limiting missed appointment times that are costly to a practice in many ways.

Appointment reminders are considered part of treatment of an individual and, therefore, can be made without an authorization. However, a practice must include a statement in its Notice of Privacy Practices if it intends to provide appointment reminders.

Notice of Privacy Practices – We recommend adding a simple statement in your Notice of Privacy Practices, such as “we will contact you by phone or other means to remind you of appointments”.

It is also recommended that you have the patient identify a “preferred method of communication” for such information as appointment reminders.  This can be accomplished on a demographic form where the patient can fill in a phone number, cell number, or email address that you can use to call, text, or email them.  The patient should be able to fill in their preferred contact information (they write their number or email address) and indicate the method of communication (phone call, text message, email).  Your form should also provide a checkbox for the patient to opt out of electronic communications.

We are often asked whether postcard appointment reminders are permitted, and they are. However, if a patient submits a request to receive appointment reminders in a closed envelope instead of a postcard, or through some other means altogether, their request should be accommodated.

Placing a statement in your Notice of Privacy Practices and also having the patient write down their preferred method of communication will provide your practice with a clear understanding of how to best communicate with the patient.

Note that your practice should limit information in appointment reminders to confirming the date and time of an appointment, and, if necessary, the location.  More sensitive information such as the reason for the appointment, diagnosis or other treatment-related information should be communicated in a more secure manner (e.g., through a secure patient portal system).

Posting Patient Photos

In 2014, the Office for Civil Rights addressed the issue of posting patient photos in a medical or dental practice (most commonly of pediatric and orthodontic patients). In an article dated August 9, 2014, the New York Times quoted Rachel Seeger, from the Office for Civil Rights of the Department of Health and Human Services, as saying “A patient’s photograph that identifies him/her cannot be posted in public areas” unless there is “specific authorization from the patient or personal representative.” Under HIPAA’s Privacy Rule, sharing identifiable information without an authorization from the patient (or the patient’s parent, in the case of a minor) is a violation.

Rarely, if ever, does a parent know to include an authorization with a photo submission. It seemed to make perfect sense that submission of a patient photo was, by default, an authorization for its posting. However, since the OCR has specifically addressed the issue, we don’t recommend posting photos without a proper authorization form in place.

If your practice does not have the time or resources to track down authorizations for photos sent in by families, you are permitted to post photos in a private staff area, as workforce members are permitted to view patient information, and are responsible to hold it confidential under HIPAA regulations. Other practices may choose to circulate photos among staff before filing them in a patient chart or shredding them. However, if it has become an important custom in your practice to share patient photos, such as by posting them in the waiting area, you may use the following language and required elements to develop an appropriate authorization form.

  1. Include a space for the patient or personal representative to record the patient name and an identifier, such as date of birth.
  2. Include the name of the practice, under a heading “Entity Requested to Release Information.”
  3. Purpose of Request/Entity Authorized to Receive Information – “I authorize the entity identified above to disclose the protected health information described below to the following individual(s):
     • Patients and visitors to the practice.”
  4. Description of Information to Be Disclosed – “I authorize the practice to disclose the following protected health information to the entity, person or persons identified above:
     • Images of myself, my children, and/or other family members as provided by myself, or my personal representative.”
  5. Purpose of Disclosure:
     • “By submitting these images, I hereby grant full permission to the practice to use them in print publications, video and multimedia presentations, websites and/or for any purpose which may include, but not be limited to, display, public relations, marketing or designs.”
  6. Required Statements: Include an expiration date or meaningful event when the authorization will expire, a statement regarding the patient/personal representative’s right to terminate the authorization, a non-conditioning statement, a re-disclosure statement, and a statement of the patient/personal representative’s right to receive a copy of the authorization upon request. All of these statements are required on any HIPAA authorization form. Simply copy the required statements from your practice’s other authorization forms.
  7. Include a signature and date line.

Subscribers to the HIPAA Compliance System may access a photo release authorization form (Form 7.31 Limited Patient Authorization for Disclosure of PHI/Photo Release) in the Member Services area of our website (on the HIPAA Compliance System materials page, under the HIPAA Forms heading). The form is in a word processing format so that it can be easily customized to the needs of your practice.

Cyber Extortion

According to the Office for Civil Rights (OCR), incidents of cyber extortion have risen over the past few years and are projected to be a major source of digital disruption in the future. Cyber extortion is defined as a crime involving an attack or threat of attack, coupled with a demand for money to stop it. In addition to ransomware attacks, where cyber criminals encrypt your data and demand a ransom to restore your access to it, cyber extortion includes threats to make stolen information public, or to delete files altogether.

It is important to realize that even the smallest practices have been a target, due to the fact that patient information is valuable and smaller organizations are sometimes more lax in securing their information systems. Please consider the following recommendations in order to limit your liability exposure:

Security Risk Analysis (SRA) – Ensure that you perform a complete review of your HIPAA Security Rule policies and procedures on an annual basis.  Remember that a SRA involves verifying that you have implemented policies/procedures to limit risk to your electronic protected health information (EPHI).  Current subscribers to Eagle’s HIPAA Compliance System have a complete SRA tool to meet this annual requirement.

Technical Network Assessment (TNA) – A TNA involves a diagnostic evaluation of your information system to look for open unsecured ports, devices missing security patch updates, enabled User IDs that should have been terminated, and more.  Documentation from a TNA works in concert with a SRA, and provides strong evidence of applying reasonable safeguards to limit risks to patient information.

Workforce Privacy and Security Training – Awareness for privacy and security is critical to the front-line defense for your information system.  Eagle provides privacy and security training in the April and May issues of the Advisor® to help with this task.  Eagle also provides  “Compliance Notes” (a monthly one-page article in the Advisor®) to remind staff about privacy and security issues.  Train staff to identify suspicious emails and messaging scams that could lead to malicious software infecting your information system.

Anti-virus or anti-malware systems – Ensure that you have a strong firewall and anti-virus applications that can scan your information system and provide alerts when suspicious activity occurs.  The keys are to implement such applications and monitor the alerts so that immediate corrective actions can be taken.

Data backups – Your data backup procedures should ensure that backup data is encrypted and disconnected from your local server/network (having the data physically taken off site each night or backed up to a secure remote server).  Having the backup data stored off site will be critical to your recovery in the event of a disaster or attacks from ransomware.

Audit Logs – While most EMR and operating systems have robust audit logs, they need to be periodically reviewed for unusual or suspicious activity. Create a schedule of reviewing activity reports on at least a monthly basis.
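The access problem in example 2 above, the TNA item on enabled User IDs that should have been terminated, and the audit log review recommended here come down to one check: compare who still has access, and who is still using it, against who should. The following script is an added example, not Eagle Associates' code and not any EMR or scheduling vendor's API. It assumes a constructed HR separation list, a constructed export of a system's user directory, and a few constructed audit log lines in a simple space-separated format; it flags accounts still enabled after an employee's last day and any activity by a separated user after that day.

```python
"""Review an access audit log and user directory against HR separation records.

Added example (not Eagle Associates' code). All data below is constructed
to illustrate the check; a real review would read the HR list, the
directory export and the audit log from the practice's own systems.
"""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed HR separation list: user id -> last day of employment.
SEPARATIONS = {
    "jdoe": date(2018, 3, 2),
    "asmith": date(2018, 5, 15),
}

# Constructed export of the scheduling calendar's user directory:
# (user id, account currently enabled?)
ACCOUNTS = [
    ("jdoe", True),     # separated in March, account never disabled
    ("asmith", False),  # disabled on separation, as it should be
    ("rlee", True),     # current employee
]

# Constructed audit log, one record per line:
# ISO timestamp | user id | action | resource
AUDIT_LOG = """\
2018-02-28T09:12:05 jdoe login calendar
2018-03-01T16:40:11 jdoe view schedule/2018-03-02
2018-03-20T22:03:47 jdoe login calendar
2018-03-20T22:04:10 jdoe view schedule/2018-03-21
2018-05-14T08:00:00 asmith login calendar
2018-06-01T10:30:00 rlee view schedule/2018-06-01
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # "enabled_after_separation" or "access_after_separation"
    user: str
    detail: str


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, action, resource) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource = line.split(" ", 3)
        records.append((datetime.fromisoformat(ts), user, action, resource))
    return records


def review(separations, accounts, log_text):
    """Return findings for separated users who keep access or keep using it.

    Activity on the last day of employment itself is treated as legitimate;
    anything dated after it is flagged.
    """
    findings = []
    # 1. Directory check: separated users whose account is still enabled.
    for user, enabled in accounts:
        if enabled and user in separations:
            findings.append(Finding("enabled_after_separation", user,
                                    f"separated {separations[user].isoformat()}"))
    # 2. Activity check: any audit record by a separated user after separation.
    for ts, user, action, resource in parse_log(log_text):
        last_day = separations.get(user)
        if last_day is not None and ts.date() > last_day:
            findings.append(Finding("access_after_separation", user,
                                    f"{ts.isoformat()} {action} {resource}"))
    return findings


if __name__ == "__main__":
    for f in review(SEPARATIONS, ACCOUNTS, AUDIT_LOG):
        print(f"{f.kind:26} {f.user:8} {f.detail}")
```

Run on the constructed data, the review reports three findings, all for the user whose account was never disabled: one because the account is still enabled, and two for logins and schedule views weeks after the separation date. Either class of finding is the kind of item a monthly audit log review, or the termination procedure in Section 4.08c, is meant to catch before a complaint does.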

Threats to your information system and the patient data that you store will not diminish in the future, they will likely intensify.  Take steps now to ensure your EPHI is protected from known threats by completing a security risk analysis and technical network assessment. These evaluations will help you improve the security of your practice’s information system and reduce your liability. 

HIPAA Privacy and the Opioid Crisis

The Office for Civil Rights has issued new guidance on when and how healthcare providers can share a patient’s health information with his or her family members, friends, and legal personal representatives when the patient may be in crisis and incapacitated, such as during an opioid overdose.

The following information will explain how a practice can share patient information (without patient authorization) with family members or designated friends during certain crisis situations, such as the opioid situation.

  1. Sharing health information with family and close friends who are involved in care of the patient if the provider determines that doing so is in the best interest of an incapacitated or unconscious patient and the information shared is directly related to the family or friend’s involvement in the patient’s healthcare or payment for care.  For example, a provider may use professional judgment to talk to the parents of someone incapacitated by an opioid overdose about the overdose and related medical information, but generally could not share medical information unrelated to the overdose without permission.
  2. Informing persons in a position to prevent or lessen a serious and imminent threat to a patient’s health or safety.  For example, a doctor whose patient has overdosed on opioids is presumed to have complied with HIPAA if the doctor informs family, friends, or caregivers of the opioid abuse after determining, based on the facts and circumstances, that the patient poses a serious and imminent threat to his or her health through continued opioid abuse upon discharge.

For patients with decision-making capacity: A health care provider must give a patient the opportunity to agree or object to sharing health information with family, friends, and others involved in the individual’s care or payment for care. The provider is not permitted to share health information about a patient who currently has the capacity to make his or her own health care decisions and objects to the sharing (either generally or with respect to specific people), unless there is a serious and imminent threat of harm to health as described above.

Decision-making incapacity may be temporary and situational, and does not have to rise to the level where another decision maker has been or will be appointed by law.  If a patient regains the capacity to make health care decisions, the provider must offer the patient the opportunity to agree or object before any additional sharing of health information.

For example, a patient who arrives at an emergency room severely intoxicated or unconscious will be unable to meaningfully agree or object to information-sharing upon admission but may have sufficient capacity several hours later. Nurses and doctors may decide whether sharing information is in the patient’s best interest, and how much and what type of health information is appropriate to share with the patient’s family or close personal friends, while the patient is incapacitated so long as the information shared is related to the person’s involvement with the patient’s health care or payment for such care.  If a patient’s capacity returns and the patient objects to future information sharing, the provider may still share information to prevent or lessen a serious and imminent threat to health or safety as described above.

HIPAA gives a patient’s personal representative the right to request and obtain any information about the patient that the patient could obtain, and under state law a personal representative designation generally authorizes the person to make healthcare decisions for the patient. There may, however, be conflict with existing state laws regarding information related to substance abuse treatment.  If a state’s law is more restrictive regarding the communication of patient information (for example, state law might provide that substance abuse treatment information can only be shared with personnel involved in that treatment), then your practice should rely on the requirements of the more restrictive law (in this example, state law).

HIPAA and Students

Professional Students

Many practices participate with programs or schools that provide training for students who are in the process of becoming healthcare professionals.  This can range from residents, interns, nurses, medical and dental assistants to numerous other titles that will eventually result in an official or graduated title in the healthcare field.  Many programs require a certain number of hours to be completed in job shadowing or clinical field observations.

General Students

Some practices also provide an opportunity for non-healthcare students (i.e., not being registered in an official healthcare training program) to come in and observe what happens in a practice to see if they would like to pursue a healthcare profession.  Quite often, this type of observer is a late middle or high school student.  Making general observations would involve watching staff activities without direct patient involvement (i.e., not being in exam or treatment rooms or other areas where patient treatment and conversations are occurring).

Job Shadowing

This may involve direct or indirect exposure to patient information (PHI) (verbal, printed, or electronic) and possibly direct diagnosis and treatment of a patient.

Note that the Privacy Rule allows a Covered Entity (such as a practice and its providers) to use or disclose PHI, without patient authorization if the use or disclosure is for the purpose of treatment, payment, or healthcare operations. The Privacy Rule defines healthcare operations, and includes “conducting training programs in which students, trainees, or practitioners in areas of healthcare learn under supervision to practice or improve their skills as healthcare providers, training as non-healthcare professionals, accreditation, certification, licensing, or credentialing activities.”

Additionally, professional students are also defined as a member of the practice’s workforce.  Workforce members include employees, volunteers, trainees, and other persons whose conduct is under the direct control of a Covered Entity, whether or not they are paid by the Covered Entity.  We do recommend having professional students sign a visitor confidentiality agreement.  Because they are considered workforce members, they would also need to receive your new hire HIPAA training.

Because general students are not considered to be a member of the practice’s workforce and they are not enrolled in an official healthcare training program, they would not qualify as a professional student conducting job shadowing. Note that the general student could not be considered a Business Associate of the practice because they are not providing a service for the practice and do not fit the Privacy Rule’s definition of a Business Associate. If a general student were to be exposed to PHI and/or involved in direct diagnosis and treatment of a patient, the practice would need a signed authorization from each patient that the general student would have involvement with during their observation.

Courtesy Note

The practice should make it a policy to explain to patients who the student is (professional or general), the purpose of their involvement, and ask the patient if there are any objections.  The student should leave the room if the patient objects to the involvement.