
Planet HIPAA Blog

The Complete Guide To Reporting A Healthcare Data Breach The Right Way

Reporting a Data Breach to HHS – Collect All the Information the First time

As of today, there have been 1694 data breaches reported to The Department of Health and Human Services, which have impacted over 168 million individuals. The numbers continue to increase at a rapid pace with a clear concern for data breaches in 2016 and continuing forward into 2017. The final breach notification rule requires that healthcare organizations conduct a data breach investigation on each and every unauthorized use and disclosure of protected health information to determine if there is a “low probability that the information is compromised.” What does that actually mean and how do you prove “low probability?”

To start, a breach risk assessment should be completed on each unauthorized use or disclosure of protected health information. As part of the breach risk assessment, four objective questions must be asked and answered every time an investigation is...


Could Your Organization’s Website Reveal Your HIPAA Non-compliance?

Did you know that your organization’s website can reveal to the world that you are out of compliance with HIPAA?

A quick look at your organization’s website could reveal to a HIPAA auditor that your organization is struggling with HIPAA compliance. Wondering what I am referring to? The Notice of Privacy Practices! The regulations state that your organization must ensure that the most current version of your Notice of Privacy Practices is posted on the organization’s website (if one exists). Here is the specific language of the regulations:

CFR 164.520(c)(3)(i) – A covered entity that maintains a website that provides information about the covered entity’s customer services or benefits must prominently post its notice (of privacy practices) on their website and make the notice available electronically through their website.

Go ahead, give it a try. Head on out to your organization’s website (or another organization). Try and find the Notice...


No HIPAA Audit Request Letter Last Week? Does That Mean I’m Safe?

On Monday, July 11, 2016, the Department of Health and Human Services’ Office for Civil Rights (OCR) sent out 167 e-mails for the first round selection of the HIPAA Desk Audits. If you didn’t receive anything, take a big sigh of relief; however, don’t think that this means you no longer have to focus on HIPAA compliance or worry about an audit. Just because you were not picked doesn’t mean your organization will not be selected for future audits, or that a complaint or data breach won’t open an investigation with the OCR.

In June 2016, details regarding the OCR’s budget for 2017 were released. The OCR has a $43 million budget, in which they plan on increasing the team of auditors for the continuation of the HIPAA compliance audits. The healthcare industry needs to be prepared that HIPAA audits are going to be a constant in our world going forward. Also, remember that the goal of the audits is to assess compliance, determine new and upcoming concerns...


How To Prevent A Natural Disaster From Becoming A HIPAA Disaster

Over the past few years, many natural disasters have hit the United States that have had direct impacts on healthcare organizations, such as the direct hit on the hospital by a tornado in Joplin, Missouri or flooding that leaked into a hospital in Duluth, Minnesota. What about a loss of power to an organization or a bad network connection? Healthcare has also seen a drastic increase in the number of ransomware attacks, which block an organization’s ability to access patient data. When disasters happen and impact access to patient information, it is easy for the healthcare organization to panic and not know what to do. We all know how vital it is to treat patients with the most up-to-date and current information, so planning becomes essential to prepare your organization for disasters and emergencies.

The HIPAA Security Rule requires that healthcare organizations create a contingency plan to follow in the event of a disaster or loss of access to protected health information. Under...


What To Expect When You Are Expecting… A HIPAA Audit

Searching through your email at the start of the workday, and there it is, staring straight at you – an e-mail from the Department of Health and Human Services’ Office for Civil Rights (OCR) asking questions regarding your contact for the HIPAA audits. Can you believe it?? The first contact with the OCR regarding HIPAA Audits!! What are they asking? What can you expect?

E-mail #1 – Audit Contact Verification

The first point of contact that you will receive from OCR is an e-mail requesting that you verify who your contact is for the HIPAA Audit Program. The challenge with this e-mail is that it is not easy to understand or determine who this e-mail will go to within your organization. Additionally, many organizations are finding that this e-mail is ending up in junk mail or spam. Lessons learned: have all leadership check e-mails regularly (including junk and spam) and have IT run searches through e-mail for messages from the OCR.

Audit Contact...


Could Your Business Associates Cost You Millions?

In the past couple of weeks, the Department of Health and Human Services’ Office for Civil Rights (OCR) has shined a spotlight on the importance of relationships and written agreements between covered entities and business associates. Business associates are third-party vendors that help covered entities with day-to-day operations. Sample business associates are:

  • Third party billing or coding company
  • Third party shredding company
  • Accounting firm that gets access to protected health information
  • Electronic health record vendor
  • Third party secure messaging company
  • Third party information technology organization
  • Health Information Exchange
  • E-prescribing gateway

Under HIPAA, business associates are defined as any third-party vendor that performs functions or activities on behalf of the healthcare organization which include the use or disclosure of protected health information. The activities and functions that are performed typically revolve around the creation,...


HIPAA Audits Grow Teeth: Why Dental Organizations Can No Longer Ignore Them

2016 is going to be a monumental year for HIPAA compliance. The Phase 2 HIPAA audits will be starting, and increased HIPAA enforcement is a guarantee. So far in 2016, we have seen multiple fines, and HIPAA compliance enforcement has set the stage for the remainder of 2016. For many years, HIPAA compliance has been pushed off and ignored; however, if the first 3 months of 2016 are telling the story, now is the time to ensure your dental practice has established proper policies, procedures, and practices for HIPAA compliance. Don’t get tangled up in a HIPAA audit with no confidence in your dental practice’s compliance with HIPAA!

It is easy to think that your practice is too small to get selected for a HIPAA audit, or that audits will focus on large, integrated healthcare systems; however, the findings from the pilot audits indicate that dental practices are just as desirable for a HIPAA audit as any other type of organization.

Some key findings from the HIPAA...


Patient Testimonials: Are They Putting Your HIPAA Compliance At Risk?

A good client or patient experience can help boost your healthcare organization’s reputation and encourage others to seek your services. In the world of online advertising, posting the testimonial to your organization’s website or Facebook account might be the first step to promote the great services that your organization offers and the satisfaction of your patients and clients!

Before you post that client testimonial – STOP!!!

Did you get a signed authorization from the patient to use their information as a testimonial? One of the most monumental stories from 2016 so far was a $25,000 HIPAA enforcement penalty to a physical therapy organization for not having appropriate client authorization for the use of protected health information for client testimonials posted on a website. The violations from posting full patient names with full face photography without written authorization included:

  • Failure to safeguard protected health information
  • Impermissible...

If You Don’t Update Your HIPAA Policies And Procedures Today, You’ll Hate Yourself Later.

When you think of HIPAA practices in your organization, the following statements may cross your mind:

“We have a process for that, it is just not documented”

“We are good at protecting our patient’s privacy, we don’t need a written compliance manual”

“We did some items that would qualify to meet those requirements, but we didn’t know we had to document”

“We have a high level of HIPAA compliance, but just don’t have documented policies and procedures”

While all these statements may be true, HIPAA requires documentation and proof that you are complying with the regulations. Documentation and proof of compliance are established through the creation and implementation of required HIPAA policies and procedures. Both the HIPAA Privacy Rule and the HIPAA Security Rule contain regulations that require organizations to implement written policies and procedures to comply with the regulations.

  • Privacy Rule Documentation...

6 Simple Steps To Avoid The HIPAA Wall Of Shame In 2016

Phase 2 HIPAA Audits: Coming In 2016 – Are You Prepared?

We’ve seen the headlines across the healthcare industry over the past several months: the Department of Health and Human Services’ Office for Civil Rights (OCR) is starting up the next round of HIPAA audits. While the date is not set in stone, it is predicted that the audits will begin by the end of the 1st Quarter of 2016. Now is the time for all practices to evaluate their current compliance level and implement changes in areas of deficiency within the HIPAA regulations.

What Will The Phase 2 HIPAA Audits Look Like?

While the full plan of the Phase 2 HIPAA Audits has not been released in detail, we know key elements of the plan for the next round of HIPAA Audits. Phase 2 HIPAA audits will look and feel different than the HIPAA Pilot Audits that were conducted in 2011-2012. The first step in the Phase 2 HIPAA audits will be to conduct a pre-audit survey (Desk Based Audits) on up to 1,200 HIPAA covered...
