Planet HIPAA Blog

What Do Dental Clinics, Prison & HIPAA Have In Common?

A receptionist from a New York dental practice was recently sentenced to a 2-to-6-year prison term for accessing and disclosing protected health information from the dental clinic where she worked.

Over a 6-month period, the receptionist accessed patient information from the dental practice and disclosed it to a third party via unsecured email. The third party then used the information to steal the patients' identities.

You don’t want to think that this scenario will ever happen to your practice or that your employees will ever go rogue. Unfortunately, something like this could happen again, and if you don’t have the right processes established and safeguards implemented, your ability to respond quickly and appropriately will be delayed.

Employees snooping through patient medical records or stealing patient information is a major HIPAA risk that needs to be addressed within a practice. Workforce members causing HIPAA violations is one...

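Insider snooping of the kind described above is usually found, if it is found at all, by reviewing EHR access logs against the work a user actually had reason to do. The following is an added example, not code from the Planet HIPAA post: it reviews a constructed access log and flags a user whose chart lookups are not explained by the day's appointment schedule, both as a single-day spike and as a running total across the review window. The log format, the schedule, the user and role names, and both thresholds are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample EHR access log (not real data), one event per line:
# date  user  role  patient_id  action
SAMPLE_LOG = """\
2017-03-01 mlee dentist P1001 view_chart
2017-03-01 mlee dentist P1002 view_chart
2017-03-01 rsmith receptionist P1001 view_demographics
2017-03-01 rsmith receptionist P1002 view_demographics
2017-03-01 rsmith receptionist P2201 view_demographics
2017-03-01 rsmith receptionist P2202 view_demographics
2017-03-01 rsmith receptionist P2203 view_demographics
2017-03-01 rsmith receptionist P2204 view_demographics
2017-03-02 rsmith receptionist P1003 view_demographics
2017-03-02 rsmith receptionist P2205 view_demographics
2017-03-03 rsmith receptionist P2206 view_demographics
"""

# Constructed appointment schedule: the patients who had a visit on each day,
# i.e. the charts staff had a legitimate reason to open that day.
SAMPLE_SCHEDULE = {
    "2017-03-01": {"P1001", "P1002"},
    "2017-03-02": {"P1003"},
    "2017-03-03": set(),
}

# Assumed review thresholds: distinct off-schedule charts opened by one user in
# one day, and the running total over the whole log being reviewed.
DAILY_THRESHOLD = 3
TOTAL_THRESHOLD = 5


def parse_log(text):
    """Parse the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, role, patient, action = line.split()
        events.append({"day": day, "user": user, "role": role,
                       "patient": patient, "action": action})
    return events


def off_schedule_lookups(events, schedule):
    """Map (day, user) -> set of patient ids opened without an appointment that day."""
    found = defaultdict(set)
    for e in events:
        if e["patient"] not in schedule.get(e["day"], set()):
            found[(e["day"], e["user"])].add(e["patient"])
    return found


def flag_snooping(events, schedule, daily_threshold=DAILY_THRESHOLD,
                  total_threshold=TOTAL_THRESHOLD):
    """Return review findings: daily spikes first (sorted by day, user), then running totals."""
    per_day = off_schedule_lookups(events, schedule)
    findings = []
    for (day, user), patients in sorted(per_day.items()):
        if len(patients) >= daily_threshold:
            findings.append({"kind": "daily_spike", "user": user, "day": day,
                             "count": len(patients), "patients": sorted(patients)})
    # A low-and-slow pattern never trips the daily threshold, so also sum per user.
    totals = defaultdict(int)
    for (_day, user), patients in per_day.items():
        totals[user] += len(patients)
    for user, total in sorted(totals.items()):
        if total >= total_threshold:
            findings.append({"kind": "running_total", "user": user, "count": total})
    return findings


if __name__ == "__main__":
    for f in flag_snooping(parse_log(SAMPLE_LOG), SAMPLE_SCHEDULE):
        print(f)
```

In a real practice the schedule would come from the practice-management system and the log from the EHR's audit trail (the Security Rule's audit-controls standard is what makes that trail available). The running total is the number to watch: the case above ran for six months, at a pace a single day's count might never flag.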

HIPAA Data Breaches in 2017 – Another Record Breaking Year!

Unfortunately, as promised, 2017 brought many challenges to properly protecting patient information in healthcare. 2016 saw a record number of data breaches, with cybersecurity incidents rising sharply. In 2017 the trend continued, with many healthcare organizations hit by different cyberattacks that resulted in data breaches. On top of the increase in cybersecurity incidents, many other causes of data breaches emerged. A total of 340 large data breaches (500 or more individuals affected) were reported in 2017, impacting 4,977,655 individuals!

Some key highlights from the 2017 HIPAA data breaches:

Healthcare providers continue to lead in the number of data breaches. This should come as no surprise, as there are far more healthcare providers than health plans and healthcare clearinghouses in the United States. Of the 340 large data breaches:

  • 274 were reported by healthcare providers (81%)
  • 49 were reported by health plans (14%)
  • 17 were reported by business...

5 Essential Steps to Ensure an Effective HIPAA Program

HIPAA Compliance is a term that is often thrown around the healthcare industry; however, I commonly ask myself: is the meaning of HIPAA Compliance the same throughout the industry? The answer is NO! When I walked into a healthcare organization last month, the HIPAA Privacy Officer was excited to tell me that they are fully HIPAA compliant and don’t have any ongoing concerns with meeting the regulations. A quick review of the documentation requirements and auditing practices indicated that there were many holes in their HIPAA Compliance Program. As I spoke with the HIPAA Privacy Officer, she provided me with the tool she had used to get to their current state with HIPAA. Needless to say, the tool was missing core components of the documentation requirements and didn’t have specific essentials for ongoing maintenance of compliance. This left the organization at risk of a HIPAA data breach or an unauthorized use or disclosure of health information!

Trying to...


Here’s A Quick Way To Check If Your Website Is HIPAA Compliant

Part of being successful with the HIPAA regulations is understanding what is needed for compliance. That is definitely easier said than done. The HIPAA Audit Protocol published in 2016 is a great tool for evaluating your HIPAA compliance and understanding the areas you need to work on. The audit protocol is the answer key you can use to take the HIPAA compliance test!

In 2016, Planet HIPAA published the post “Could Your Organization’s Website Reveal Your HIPAA Non-compliance?” That post focused on the need to check your website to determine whether your Notice of Privacy Practices is posted and current. The response was tremendous, and many organizations reached out for more guidance and additional information regarding the Notice of Privacy Practices.

For some fun, I recently did an audit of 18 different websites to determine how the Notice of Privacy Practices was coming along and whether organizations were actually posting it on their websites. The...


19 Days into 2017 and 2 HIPAA Fines Later…

Well, HIPAA enforcement is off to an active start in 2017. 2016 was a record year, with 13 HIPAA enforcement fines amounting to $23.5 million. Just 19 days into the new year, OCR has already published 2 HIPAA enforcement fines amounting to $2.7 million. It is safe to assume that we are going to see another active year of HIPAA fines and enforcement!

2017 HIPAA Enforcement Fine #1 – Lack of Timely HIPAA Breach Notification – $475,000

Presence Health discovered on October 22, 2013, that paper operating room schedules containing the protected health information of 836 patients were missing. Notification was made to the Department of Health and Human Services on January 31, 2014, approximately 101 days later, well past the 60 calendar days the Breach Notification Rule allows for a breach affecting 500 or more individuals. This was definitely a red flag, and the Office for Civil Rights (OCR) opened an investigation. During the investigation, it was found that Presence Health had failed to provide timely notification to individuals affected by data breaches on multiple occasions. In...


Does the 2016 HIPAA Audit Protocol Set New Expectations for HIPAA Policies and Procedures?

The HIPAA Privacy, Security, and Breach Notification Rules require healthcare organizations to establish written policies and procedures that help demonstrate compliance with the regulations. An organization can have well-established security practices or appropriately provide a patient with a copy of their medical records, but if the organization doesn’t have a written policy and procedure for that specific requirement, it can be found out of compliance with the HIPAA regulations. Why is that? Because the HIPAA regulations have specific requirements mandating the creation of written policies and procedures.

The specific regulations are as follows:

  • Privacy Rule Documentation – 45 CFR 164.530(i) – A covered entity must develop and implement written privacy policies and procedures that are consistent with the Privacy Rule
  • Security Rule Documentation – 45 CFR 164.316(b)(1) – Maintain the policies and procedures implemented to comply with the regulations in written...

The Complete Guide To Reporting A Healthcare Data Breach The Right Way

Reporting a Data Breach to HHS – Collect All the Information the First Time

As of today, 1,694 data breaches have been reported to the Department of Health and Human Services, impacting over 168 million individuals. The numbers continue to increase at a rapid pace, with clear concern about data breaches in 2016 and continuing into 2017. The final Breach Notification Rule requires that healthcare organizations investigate each and every unauthorized use or disclosure of protected health information to determine whether there is a “low probability that the protected health information has been compromised.” What does that actually mean, and how do you prove “low probability”?

To start, a breach risk assessment should be completed on each unauthorized use or disclosure of protected health information. As part of the breach risk assessment, four objective questions must be asked and answered every time an investigation is...


Could Your Organization’s Website Reveal Your HIPAA Non-compliance?

Did you know that your organization’s website can reveal to the world that you are out of compliance with HIPAA?

A quick look at your organization’s website could reveal to a HIPAA auditor that your organization is struggling with HIPAA compliance. Wondering what I am referring to? The Notice of Privacy Practices! The regulations state that your organization must ensure that the most current version of its Notice of Privacy Practices is posted on the organization’s website (if one exists). Here is the specific language of the regulation:

45 CFR 164.520(c)(3)(i) – A covered entity that maintains a website that provides information about the covered entity’s customer services or benefits must prominently post its notice (of privacy practices) on the website and make the notice available electronically through the website.

Go ahead, give it a try. Head to your organization’s website (or another organization’s). Try to find the Notice...

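Both website posts above (“Here’s A Quick Way To Check If Your Website Is HIPAA Compliant” and this one) come down to one check: does the page a patient lands on carry a prominent, working link to the Notice of Privacy Practices? The following is an added example, not code from Planet HIPAA: it parses a home page’s HTML with the Python standard library and reports whether a Notice of Privacy Practices link is present, deliberately not counting a generic website “Privacy Policy”, which is not the notice the Privacy Rule requires. The two sample home pages, the practice name, the paths and the matching phrases are all constructed for the example.

```python
import re
from html.parser import HTMLParser

# Phrases that identify a Notice of Privacy Practices link (assumed list). A plain
# "Privacy Policy" (the website's cookie/tracking policy) is intentionally absent:
# it is a different document from the notice 45 CFR 164.520 requires.
NPP_PATTERNS = [
    re.compile(r"notice\s+of\s+privacy\s+practices", re.I),
    re.compile(r"privacy[-_\s]practices", re.I),
    re.compile(r"\bnpp\b", re.I),
]

# Constructed sample home pages (not real sites).
COMPLIANT_HOME = """
<html><body>
<h1>Sunny Valley Dental</h1>
<p>Call us to book an appointment.</p>
<footer>
  <a href="/privacy-policy">Website Privacy Policy</a> |
  <a href="/docs/notice-of-privacy-practices.pdf">Notice of Privacy Practices</a>
</footer>
</body></html>
"""

NONCOMPLIANT_HOME = """
<html><body>
<h1>Sunny Valley Dental</h1>
<footer><a href="/privacy-policy">Privacy Policy</a></footer>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible link text) pairs for every <a> element on the page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, else None
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())   # collapse whitespace
            self.links.append((self._href, text))
            self._href = None


def find_npp_links(html):
    """Return the links whose text or href looks like a Notice of Privacy Practices."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text) for href, text in collector.links
            if any(p.search(text) or p.search(href) for p in NPP_PATTERNS)]


def check_homepage(html):
    """Report whether the page posts a NPP link and which links matched."""
    links = find_npp_links(html)
    return {"npp_posted": bool(links), "links": links}


if __name__ == "__main__":
    for name, page in (("compliant", COMPLIANT_HOME), ("noncompliant", NONCOMPLIANT_HOME)):
        print(name, check_homepage(page))
```

To check a live site, fetch the home page HTML (for example with urllib.request) and pass it to check_homepage. Run it on the page a patient actually lands on, since “prominently post” means the link belongs on the home page rather than several clicks deep; a hit only tells you a link exists, so the follow-up is to open the linked document and confirm it is the current version of the notice.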

No HIPAA Audit Request Letter Last Week? Does That Mean I’m Safe?

On Monday, July 11, 2016, the Department of Health and Human Services’ Office for Civil Rights (OCR) sent out 167 e-mails for the first round of selections for the HIPAA desk audits. If you didn’t receive one, take a big sigh of relief; however, don’t think this means you no longer have to focus on HIPAA compliance or worry about an audit. Just because you were not picked doesn’t mean your organization will not be selected for future audits, or that a complaint or data breach won’t open an OCR investigation.

In June 2016, details of OCR’s budget for 2017 were released. OCR has a $43 million budget, with which it plans to expand its team of auditors to continue the HIPAA compliance audits. The healthcare industry needs to be prepared for HIPAA audits to be a constant going forward. Also, remember that the goal of the audits is to assess compliance, identify new and emerging concerns...


How To Prevent A Natural Disaster From Becoming A HIPAA Disaster

Over the past few years, many natural disasters have hit the United States with direct impacts on healthcare organizations, such as the tornado that struck a hospital in Joplin, Missouri, or the flooding that leaked into a hospital in Duluth, Minnesota. What about a loss of power or a network outage? Healthcare has also seen a drastic increase in the number of ransomware attacks, which block an organization’s ability to access patient data. When disasters happen and affect access to patient information, it is easy for a healthcare organization to panic and not know what to do. We all know how vital it is to treat patients with the most current information, so planning is essential to prepare your organization for disasters and emergencies.

The HIPAA Security Rule (45 CFR 164.308(a)(7)) requires that healthcare organizations create a contingency plan to follow in the event of a disaster or loss of access to protected health information. Under...
