Could Your Practice’s Website Reveal Your HIPAA Non-compliance?

By Dr. Danika Brinda, CEO, Planet HIPAA

Did you know that your practice’s website can reveal to the world that you are out of compliance with HIPAA?

A quick look around your website could reveal to a HIPAA auditor that your practice is struggling with HIPAA compliance. Wondering what I am referring to? It’s the Notice of Privacy Practices! The regulations state that your practice must ensure that the most current version of your Notice of Privacy Practices is posted on the practice’s website (if one exists). Here is the specific language from the regulations:

CFR 164.520(c)(3)(i) – A covered entity that maintains a website that provides information about the covered entity’s customer services or benefits must prominently post its notice (of privacy practices) on their website and make the notice available electronically through their website.

Go ahead, give it a try. Head out to your website (or another practice’s) and try to find the Notice of Privacy Practices. Were you successful, or did you find something called a Privacy Policy instead? If you read through the Privacy Policy, most of the time the language covers only the privacy practices of the website itself, not the Notice of Privacy Practices required by HIPAA. Keep searching for the Notice of Privacy Practices. If you cannot find it, the basic elements of the regulation are not met. If you found the Notice of Privacy Practices – great work! You are compliant, right? NOT NECESSARILY!

Even with your Notice of Privacy Practices posted on your website, you must make sure that the document is your most current version and matches the one available in your office. You also must make sure it meets all the requirements defined in the 2013 HIPAA Privacy Regulations and the 2013 HIPAA Omnibus Rule. If any of the following three statements is true, your website has revealed that you are out of compliance with HIPAA:

  1. Your Notice of Privacy Practices was not posted on your website.
  2. Your Notice of Privacy Practices was dated prior to Sept. 23, 2013.
  3. The Notice of Privacy Practices on your website isn’t the most up-to-date copy.

If you think the auditors will not be looking at your website to make sure your Notice of Privacy Practices is posted, think again. The OCR 2016 HIPAA Desk Audit Guidance on Selected Protocol Elements states that the covered entity must “upload the URL for the entity’s website and the URL for the posting of the entity’s notice.” In fact, the instructions for the HIPAA auditors state that they must:

“Determine whether the entity maintains a website. If so, observe the website to determine if the Notice of Privacy Practices is prominently displayed and available. An example of prominent posting of the notice would include a direct link from homepage with a clear description that the link is to the HIPAA Notice of Privacy Practices.”

Not only does it have to be posted on your website, but it must be in a location that is easy to find with an easy description!

The Notice of Privacy Practices is not a difficult area of the HIPAA regulations to comply with; however, it is a common area of non-compliance. To be compliant with this regulation, the following four items should be established:

  • Notice of Privacy Practices
  • Notice of Privacy Practices Policy and Procedure
  • Acknowledgment Form for the Notice of Privacy Practices
  • Making the notice available on the practice’s website

The specific elements that a Notice of Privacy Practices must contain are defined in the regulations. More information can be found here.


Dr. Danika Brinda is the CEO of Planet HIPAA and has more than 12 years of experience in health care privacy and security practices. She also is a nationally recognized speaker on a variety of health care privacy and security topics, and specializes in helping dental organizations implement a HIPAA-compliance program.

This article was first published on Planet HIPAA on Sept. 5, 2016.

HIPAA Audits: Why Dental Organizations Shouldn’t Ignore the Audits

By Dr. Danika Brinda, CEO, Planet HIPAA

2016 is going to be a monumental year for HIPAA compliance. The Phase 2 HIPAA audits will be starting, and increased HIPAA enforcement is a guarantee. So far in 2016, we have seen multiple fines and HIPAA compliance enforcement actions that are setting the stage for the remainder of 2016. For many years, HIPAA compliance has been pushed off and ignored; however, if the first 2 months of 2016 are telling the story, now is the time to ensure your dental practice has established proper policies, procedures and practices for HIPAA compliance. Don’t get tangled up in a HIPAA audit with no confidence in your dental practice’s compliance with HIPAA!

It is easy to think that your practice is too small to get selected for a HIPAA audit, or that audits will focus on large, integrated health care systems. However, the findings from the pilot audits indicate that dental practices are just as likely to be selected for a HIPAA audit as any other type of organization.

Some key findings from the HIPAA Pilot Audits are:

  • Smaller organizations tended to struggle with HIPAA compliance more than larger organizations.
  • The most common finding was that the entity was “unaware of the requirement.”
  • Of the total health care providers audited, NONE of them were 100 percent HIPAA compliant.
  • Incomplete implementation of the regulations was cited as a top finding from the audits.

We are at a stage with HIPAA compliance where “I didn’t know” or “I was unaware” is no longer going to be an acceptable reason for non-compliance. In the past year, numerous data breaches were reported to the Department of Health and Human Services. In some of the dental data breaches reported, more than 500 individuals were impacted!

  • 2,000 individuals impacted when an unencrypted portable device was stolen from a dental provider.
  • 3,200 individuals impacted after an unencrypted server was stolen during a burglary of a dental office.
  • 7,400 individuals impacted when dental records at an off-site storage were released by the storage company to unauthorized individuals.

With proper oversight of HIPAA and appropriate physical, technical and administrative safeguards, these data breaches could have been avoided.

Another common finding is a false sense of security that the vendor of your practice management system or electronic health record has all aspects of HIPAA compliance covered. Even when a third-party solution manages a system, not all aspects of HIPAA compliance are met. Additionally, you may find that some functionality of your systems does not actually meet HIPAA requirements. For example, your systems should be able to automatically log out after a specified period of inactivity. Your vendor may be the group responsible for creating the functionality, but you are responsible for the implementation in your dental organization. If your software system doesn’t have the functionality to automatically log out after inactivity, you may be out of compliance with HIPAA. Don’t assume that compliance is met — verify it!

Don’t wait until a HIPAA audit comes to your dental practice to find out that you are out of compliance. Immediate action is needed if you are not confident in your HIPAA compliance. HIPAA takes more than just putting a HIPAA manual on the shelf in your dental practice. Make sure your organization takes steps NOW to prevent a bad outcome from a HIPAA audit or an appearance on the HIPAA Wall of Shame.


Dr. Danika Brinda is the CEO of Planet HIPAA and has more than 12 years of experience in health care privacy and security practices. She also is a nationally recognized speaker on a variety of health care privacy and security topics, and specializes in helping dental organizations implement a HIPAA-compliance program.

This article was first published on Planet HIPAA on April 18, 2016.

Be Cybersecure: Protect Patient Records, Avoid Fines and Safeguard Your Reputation

By David McHale, Senior Vice President and Chief Legal Officer, The Doctors Company

Cybercrime costs the U.S. economy billions of dollars each year and causes organizations to devote substantial time and resources to keeping their information secure. This is even more important for health care organizations, the most frequently attacked form of business.[1] Cybercriminals target health care for two main reasons: health care organizations fail to upgrade their cybersecurity as quickly as other businesses, and criminals find personal patient information particularly valuable to exploit.

Recent cyberattacks on large health insurance companies further demonstrate cybersecurity risks. On Jan. 29, 2015, Anthem, the second largest health insurer in the United States, announced it was the victim of a sophisticated cyberattack that it believed happened over several weeks starting in December 2014.[2] Reported as one of the largest attacks to date, the Anthem breach exposed the information of up to 80 million current and former members, including names, birth dates, Social Security numbers, health care IDs and addresses.[3] That same day, Premera Blue Cross discovered it also was a victim of a cyberattack, with an initial attack taking place in May 2014. Cybercriminals gained unauthorized access to the information of up to 11 million Premera customers dating back to 2002, ranging from birth dates and Social Security numbers to addresses and bank account information — the second largest breach, after Anthem, in the health care industry.[4]

The repercussions of security breaches can be daunting. A business that suffers a breach of more than 500 records of unencrypted personal health information (PHI) must report the breach to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). This is the federal body with the power to enforce the Health Insurance Portability and Accountability Act (HIPAA) and issue fines. To date, the OCR has levied more than $25 million in fines, with the largest single fine totaling $4.8 million.[5] In 2014, U.S. health care data breaches cost companies an average of $314 per record — the highest of any industry.[6]

A health care organization’s brand and reputation also are at stake. The OCR maintains a searchable database (informally known as a “wall of shame”) that publicly lists all entities that were fined for breaches that meet the 500-record requirement.[7]

To help safeguard your systems, know the most common ways a breach occurs. The theft of unencrypted electronic devices or physical records is the most common method, accounting for 29 percent of breaches across all industries in the United States.[2] Also common are hacking (23 percent) and public distribution of personal records (20 percent). A breach in the latter category led to the largest OCR fine to date when two affiliated hospitals accidentally made patient records public on the Internet.[5]

If you think you may not be fully compliant with HIPAA privacy and security rules, consider taking the following steps:

  • Identify all areas of potential vulnerability. Develop secure office processes, such as:
    • sign-in sheets that ask for only minimal information.
    • procedures for the handling and destruction of paper records.
    • policies detailing which devices are allowed to contain PHI and under what circumstances those devices may leave the office.
  • Encrypt all devices that contain PHI (laptops, desktops, thumb drives and centralized storage devices). Make sure that thumb drives are encrypted and that the encryption code is not inscribed on or included with the thumb drive. Encryption is the best way to prevent a breach.
  • Train your staff on how to protect PHI. This includes not only making sure policies and procedures are HIPAA-compliant, but also instructing staff not to openly discuss patient PHI.
  • Audit and test your physical and electronic security policies and procedures regularly, including what steps to take in case of a breach. The OCR audits entities that have had a breach, as well as those that have not. The OCR will check if you have procedures in place in case of a breach. Taking the proper steps in the event of a breach may help you avoid a fine.
  • Insure. Make sure that your practice has insurance to assist with certain costs in case of a breach.


References

[1] Visser S, Osinoff G, Hardin B, et al. Information security & data breach report—March 2014 update. Navigant. March 31, 2014. http://www.navigant.com/~/media/WWW/Site/Insights/Disputes%20Investigations/Data%20Breach%20Annual%202013_Final%20Version_March%202014%20issue%202.ashx. Accessed June 17, 2014.

[2] How to Access & Sign Up for Identity Theft Repair & Credit Monitoring Services. Anthem, Inc. February 13, 2015. https://www.anthemfacts.com. Accessed March 19, 2015.

[3] McCann E. Hackers swipe Anthem data in massive cyberattack. Healthcare IT News. February 5, 2015. http://www.healthcareitnews.com/news/hackers-swipe-anthem-data-huge-breach-attack. Accessed March 19, 2015.

[4] Miliard M. Premera Blue Cross hack exposes 11M. Healthcare IT News. March 18, 2015. http://www.healthcareitnews.com/news/premera-blue-cross-hack-exposes-data-11m. Accessed March 19, 2015.

[5] McCann E. Hospitals fined $4.8M for HIPAA violation. Government Health IT. May 9, 2014. http://www.govhealthit.com/news/hospitals-fined-48m-hipaa-violation. Accessed June 24, 2014.

[6] Ponemon Institute LLC. 2014 cost of data breach study: United States. May 2014. Study sponsored by IBM. http://www.accudatasystems.com/assets/2014-cost-of-a-data-breach-study.pdf. Accessed March 20, 2015.

[7] Breaches affecting 500 or more individuals. U.S. Department of Health & Human Services. http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html. Accessed June 23, 2014.

David McHale is The Doctors Company’s Chief Legal Officer. He holds a law degree from the University of the Pacific’s McGeorge School of Law and an MBA from the University of Illinois. He is a Certified HIPAA Compliance Officer (AIHC) and a regular presenter before insurance trade organizations and the National Association of Insurance Commissioners (NAIC).

Contributed by The Doctors Company. For more patient safety articles and practice tips, visit www.thedoctors.com/patientsafety.

The guidelines suggested here are not rules, do not constitute legal advice, and do not ensure a successful outcome. The ultimate decision regarding the appropriateness of any treatment must be made by each health care provider in light of all circumstances prevailing in the individual situation and in accordance with the laws of the jurisdiction in which the care is rendered.