Tag Archive for: hipaa

Secure Text Messaging

Due to the speed and convenience of texting, many physicians use this form of communication to consult with other providers and to exchange lab test results and other patient information. If text messaging is used to transmit or receive electronic protected health information (EPHI), it must be evaluated as part of the covered entity’s Security Risk Analysis. As with all transmissions of EPHI, safeguards must be in place to ensure the integrity and confidentiality of the data.

There are several secure messaging vendors in the marketplace that offer encrypted mobile applications that secure messages sent to the provider’s phone, responses sent back, and data at rest. Data that is properly encrypted is considered “secure” by Security Rule standards. This means that the data has been rendered unusable, unreadable or indecipherable to unauthorized persons or entities.

In addition to the threat of malware or interception of text messages, the risks posed by the theft or loss of a smartphone must also be considered.  If the EPHI stored on the device is not properly secured, the theft or loss could result in a privacy breach that would not only require notification of affected patients and the Department of Health and Human Services, but also the media if the breach were large enough.

All text messages containing EPHI, whether encrypted or not, should be managed with the following minimum safeguards:

  • Information that individually identifies a patient or a patient’s specific condition should be limited to the minimum necessary.
  • Immediate reporting of a lost or stolen device must be encouraged so that actions can be taken to secure the device remotely, and/or to provide notice to patients if the EPHI was unsecured.
  • Any EPHI received via text that is used to inform a decision regarding a patient’s care must be annotated in the patient’s medical record.
  • Text messages should be deleted on a regular basis in order to limit the amount of information stored on a device. If the information is no longer needed, storing it only increases the potential size of a privacy breach.
  • A Business Associate Agreement is necessary with any vendor that stores text messages (containing EPHI), such as wireless carriers or telecommunication vendors.

The covered entity’s Security Officer should maintain a list of all mobile devices that are used to send/receive text messages containing patient information so that he/she can ensure that the information is properly removed from the devices prior to re-use, donation or disposal.

Failure to Establish Business Associate Agreements

The Office for Civil Rights (OCR) recently took an enforcement action concerning the failure to establish business associate agreements in a timely manner. The following information summarizes OCR’s actions against a practice that failed to establish a Business Associate Agreement (BAA) with one of its vendors for several years.

What Happened…

In August 2015, OCR initiated a compliance review of the practice following an investigation of a Business Associate (BA) that stored records containing protected health information (PHI) for the practice. While the practice began disclosing PHI to the BA in 2003, neither party could produce a BAA signed prior to October 2015. So, while the practice had a current BAA (since 2015), it was discovered that it had begun using the vendor’s services in 2003 without one.

Citations…

The citations arising from this failure included:

  1. Practice failed to obtain satisfactory assurance (in the form of a BAA) that vendor would appropriately safeguard patient information (PHI) of the practice.
  2. Practice impermissibly disclosed PHI to vendor without satisfactory assurances (in the form of a BAA) that the vendor would appropriately safeguard PHI.

Results…

As a result of the citations, the practice had to agree to pay a Resolution Amount (i.e., fine or penalty) of $31,000 for failing to have a BAA with the vendor, in addition to complying with a Corrective Action Plan (CAP) that OCR imposed.

Lessons learned…

It is important to ensure that a BAA is established with each new vendor that fits the definition of a business associate, as soon as service is initiated with the vendor.  A practice may designate one person to fulfill this responsibility, or ensure that each workforce member who has the authority to engage the services of a business associate is trained to obtain a BAA.  One person should be designated to periodically review records to ensure that required business associate agreements are in place (e.g., once per year).

For more information about this enforcement action, please see the article titled Business Associate Agreement Enforcement in your June copy of the Advisor®.

Phishing Scam

On November 28, 2016, the Office for Civil Rights (OCR) released a bulletin alerting covered entities and business associates of a phishing email scam that is circulating. Please read the contents of the notice below, and be alert for a possible phishing email that you could receive.


“It has come to our attention that a phishing email is being circulated on mock HHS Departmental letterhead under the signature of OCR’s Director, Jocelyn Samuels. This email appears to be an official government communication, and targets employees of HIPAA covered entities and their business associates.

The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program. The link directs individuals to a non-governmental website marketing a firm’s cybersecurity services. 

In no way is this firm associated with the U.S. Department of Health and Human Services or the Office for Civil Rights. We take the unauthorized use of this material by this firm very seriously. In the event that you or your organization has a question as to whether it has received an official communication from our agency regarding a HIPAA audit, please contact us via email at OSOCRAudit@hhs.gov.” 

OCR would like to further share that this phishing email originates from the email address OSOCRAudit@hhs-gov.us and directs individuals to a URL at http://www.hhs-gov.us. This is a subtle difference from the official email address for our HIPAA audit program, OSOCRAudit@hhs.gov, but such subtlety is typical in phishing scams.


If you receive an email and are unsure whether it is from OCR, check the sending email address. If the email is legitimately from OCR, the sending email address will end with @hhs.gov. Email notices from OCR regarding its audit program have generally come from the OSOCRAudit@hhs.gov email address. Contact Eagle Associates, Inc. at (800) 777-2337 or via email at info@eagleassociates.net if you have any questions.
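As an added illustration of the address check described above (example code, not part of the OCR bulletin or the original article), the following Python snippet classifies the real address in a From: header, or the host in a link, against the official hhs.gov domain: an exact domain match is required, the display name is ignored, and names that collapse to the same letters once hyphens and dots are removed (such as hhs-gov.us) are flagged as lookalikes. The sample headers and URLs used in the test are constructed.

```python
import email.utils
import re
import unicodedata
from urllib.parse import urlsplit

# The only sending domain the OCR notice names as official for its audit program.
OFFICIAL_DOMAINS = {"hhs.gov"}

# Unicode hyphen/dash variants that render like '-' (e.g. U+2011 NON-BREAKING HYPHEN).
DASHES = re.compile(r"[\u2010-\u2015\u2212]")


def normalize_host(host):
    """Lower-case, NFKC-fold and map dash look-alikes to '-' so that
    'hhs\u2011gov.us' compares the same as 'hhs-gov.us'."""
    host = unicodedata.normalize("NFKC", host).strip().lower().rstrip(".")
    return DASHES.sub("-", host)


def classify_host(host):
    """Return 'official' only on an exact domain match (the notice says the
    address must end with @hhs.gov, i.e. the whole domain is hhs.gov),
    'lookalike' when the official name is still present once separators are
    stripped (hhs-gov.us, hhs.gov.example.com), otherwise 'unknown'."""
    host = normalize_host(host)
    if host in OFFICIAL_DOMAINS:
        return "official"
    squashed = re.sub(r"[^a-z0-9]", "", host)
    for legit in OFFICIAL_DOMAINS:
        if re.sub(r"[^a-z0-9]", "", legit) in squashed:
            return "lookalike"
    return "unknown"


def classify_sender(from_header):
    """Classify the actual address in a From: header. The display name is
    ignored on purpose: a phisher can set it to anything, including a
    legitimate-looking address."""
    _display_name, addr = email.utils.parseaddr(from_header)
    if "@" not in addr:
        return "invalid"
    return classify_host(addr.rsplit("@", 1)[1])


def classify_url(url):
    """Classify the host part of a link, dropping a leading 'www.' so the
    registrable name is what gets compared."""
    host = urlsplit(url).hostname
    if not host:
        return "invalid"
    return classify_host(host[4:] if host.startswith("www.") else host)
```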

OCR Enforcing Limits on Medical Records Fees

The Office for Civil Rights (OCR) has published new information emphasizing patient right of access to records, along with fees that may be charged for printed and electronic copies.  It stresses that medical records fees must be cost-based and reasonable.

The Privacy Rule permits a covered entity to impose a reasonable, cost-based fee to provide the individual (or the individual’s personal representative) with a copy of the individual’s PHI, or to direct the copy to a designated third party. The fee may include only the cost of certain labor, supplies, and postage as outlined below in a direct quotation of the OCR:


A covered entity may include reasonable labor costs associated only with the: (1) labor for copying the PHI requested by the individual, whether in paper or electronic form; and (2) labor to prepare an explanation or summary of the PHI, if the individual in advance both chooses to receive an explanation or summary and agrees to the fee that may be charged.

For example, labor for copying may include labor associated with the following, as necessary to copy and deliver the PHI in the form and format and manner requested or agreed to by the individual:

  • Photocopying paper PHI.
  • Scanning paper PHI into an electronic format.
  • Converting electronic information in one format to the format requested by or agreed to by the individual.
  • Transferring (e.g., uploading, downloading, attaching, burning) electronic PHI from a covered entity’s system to a web-based portal (where the PHI is not already maintained in or accessible through the portal), portable media, e-mail, app, personal health record, or other manner of delivery of the PHI.
  • Creating and executing a mailing or e-mail with the responsive PHI.

While we allow labor costs for these limited activities, we note that as technology evolves and processes for converting and transferring files and formats become more automated, we expect labor costs to disappear or at least diminish in many cases.

In contrast, labor for copying does not include labor costs associated with:

  • Reviewing the request for access.
  • Searching for, retrieving, and otherwise preparing the responsive information for copying.  This includes labor to locate the appropriate designated record sets about the individual, to review the records to identify the PHI that is responsive to the request and to ensure the information relates to the correct individual, and to segregate, collect, compile, and otherwise prepare the responsive information for copying.

Further, while the Privacy Rule permits the limited fee described above, covered entities should provide individuals who request access to their information with copies of their PHI free of charge.  While covered entities should forgo fees for all individuals, not charging fees for access is particularly vital in cases where the financial situation of an individual requesting access would make it difficult or impossible for the individual to afford the fee.  Providing individuals with access to their health information is a necessary component of delivering and paying for health care. We will continue to monitor whether the fees that are being charged to individuals are creating barriers to this access, will take enforcement action where necessary, and will reassess as necessary the provisions in the Privacy Rule that permit these fees to be charged.


For complete information regarding limits on medical records fees, refer to the article on page two of the July issue of the American Practice Advisor® titled “OCR Emphasizes Limits on Medical Records Fees.”

How to Respond to OCR Audit Requests

Eagle Associates has prepared an article and a short video, both of which provide instruction on responding to communications from OCR regarding the audit program. You can either read the article, or watch the video.  You do not need to view both, as the content is the same.  Contact our office at (800) 777-2337 if you have any questions regarding the audit process.


Watch the video: Preparing for a HIPAA Audit

Read the text:

HIPAA Audit Notices

Many practices have received an email from the Office for Civil Rights (OCR) asking to verify the practice information and contact.  The notice indicates that the practice is being entered into a pool of potential auditees for the HIPAA Privacy, Security and Breach Notification audit program.

It is important for your practice to respond to the notice in the time frame specified.  Failure to respond will not protect you from being audited, as OCR has indicated that it will use publicly available information to obtain the data it needs.  Responding to the notice does NOT mean you have been selected for an audit.

Communications from OCR will be sent via email and may be incorrectly classified as spam. If your entity’s spam filtering and virus protection are automatically enabled, OCR expects you to check your junk or spam email folder for emails from OCR.

Once your contact information has been verified, you will receive an email to complete a screening questionnaire.  Again, it is very important for you to complete the questionnaire in the specified time frame.  As with responding to the contact notice, receiving a questionnaire does NOT mean you have been selected for an audit as of yet.

Notice Content

The content of the verification email from OCR is as follows:

“According to our records, you are the primary contact OCR should use to reach Associated Surgeons and Physicians regarding its potential inclusion in the HIPAA Privacy, Security, and Breach Notification Rules Audit Program. We are attempting to verify this email address.

Please respond within fourteen (14) days as instructed below to either confirm your identity and email address or instead provide updated primary and secondary contact information.

If you ARE the primary contact for this organization, please select the following link YES. Once the link is selected, a browser window will open and your response will be recorded.

If you ARE NOT the primary contact for this organization, please select the following link NO. Once the link is selected, a browser window will open and your response will be recorded.

Thank you for your cooperation. If we do not receive a response from you we will use this email address for future communications with this entity. Failure to respond will not shield your organization from selection.”

Screening Questionnaire

The screening questionnaire is intended to gather data about the size, types, and operations of potential auditees for the HIPAA Privacy, Security and Breach Notification Audit Program. The data will be used with other information to help OCR select entities that reflect a variety of types, sizes, and locations for the next phase of the Audit Program.

Audit Selection

Covered entities and business associates will be notified of their selection for an audit on a rolling basis.

Please be aware that if your entity is selected for an audit, you will have ten (10) business days to respond with the requested documentation.

Business Associates List

When selected for an audit, selected entities must submit a list of all current business associates, with up-to-date contact information, within the 10-day response period. OCR will use this information to compile a list of potential business associate subjects to audit. OCR encourages entities to develop the business associate listing in advance to be able to meet the submission requirements. The business associate listing should be submitted as a spreadsheet with columns that contain the name of the entity, type of service(s) provided, primary and secondary contact names, titles, emails, phone numbers, address, and website, if any.

A template for the spreadsheet is available at this link.

Desk/On-Site Audits

If you are selected for an audit, OCR will either:

  1. conduct a focused desk audit (an OCR review of submitted documentation) to determine evidence of your compliance with selected provisions of the Rules; or
  2. conduct a comprehensive on-site review of your compliance with applicable requirements of the HIPAA Rules; or
  3. follow up a desk audit with an on-site audit.

The audit protocols, which contain criteria the auditors will use, are available for review at this link.

OCR will assess whether to open a separate compliance review in cases where an audit indicates serious compliance issues or where a covered entity or business associate fails to cooperate with an audit.

Preparing for a Potential Audit

There are four major elements to demonstrating that you have made a reasonable effort to comply with HIPAA requirements:

  • Ensure that you have written policies addressing all of the requirements listed in HIPAA’s Privacy, Security, and Breach Notification Rules.
  • Document a self-auditing or other process that will prove your policies have been implemented (i.e., they are followed by members of the workforce) and that you maintain them in accordance with published updates for each Rule.
  • Ensure that you have documented training (content and participation) for new hire and annual training with the Privacy, Security, and Breach Notification Rules.
  • Ensure that you have documentation of annual Security Risk Analysis as required by the Security Rule.

Resources Available from Eagle Associates

Eagle Associates provides a complete solution for ensuring compliance with HIPAA requirements.  Our HIPAA Compliance System includes:

  • A completely written HIPAA policy manual with a full complement of HIPAA forms – this is not a fill-in-the-blank workbook. We update the policy manual each year to ensure compliance with changes in regulations and new interpretations.
  • Eagle Associates is currently reviewing the OCR Audit Protocol to determine whether any policy revisions are necessary in advance of the audits.
  • An annual audit plan tool is available for completion to provide proof of policy implementation and regulatory updates.
  • Clients enrolled in Eagle’s Management Consulting Program will have documentation using monthly compliance activities instead of the annual audit plan.
  • Training materials and documentation for new hire and annual training for workforce members.
  • The HIPAA Compliance System includes a complete Security Risk Analysis tool for your use, and is updated each year.
  • Eagle provides Live Support for subscribing clients – this provides unlimited support at no additional cost for a practice. Clients can call or email as often as needed with questions, problems, or incidents.

If you already subscribe to the HIPAA Compliance System, you will be notified of any necessary policy revisions in the coming weeks.  Remember that the above-mentioned resources are available in the Member Services area of our web site.  In the front of your HIPAA Policy manual, there is instruction on how to log in to Member Services.

Please contact our office at (800) 777-2337 if you have any questions, or need assistance.

Compliance is More than Training

The following information provides a brief roadmap to achieving compliance, and is intended to help you understand the need to do more than employee training in order to avoid enforcement action from regulatory agencies.

Many practices view compliance training as the primary element for meeting regulatory requirements.  Although training is a key component, the reality is that compliance requires more than training.  Here are the basic major elements for ensuring compliance with any set of regulations:

Written Policies – Regulations, such as HIPAA and OSHA, require that you have written policies explaining your intent and process for meeting requirements.

Updates – Additionally, regulatory agencies require that you monitor for changes, new requirements, and new interpretations to ensure your policies remain current.

Training – All regulations include various requirements ranging from initial or new hire training to annual training on certain key elements.

Documentation – Records or documentation must be maintained.

Active Program – Having an active compliance program is a key element that you will not find specifically stated in a regulation, but can prevent the practice from being penalized if investigated. Regular audits help to ensure policies are being followed, and will ensure your compliance program remains active and relevant.

Note – These elements are provided for in Eagle Associates’ compliance programs. However, attention to provided updates, participation in employee training and use of included compliance tools is necessary to ensure your programs remain active.