A Business Associate is a person or organization, other than an employee of a covered entity, who performs functions or provides services related to creating, receiving, maintaining, or transmitting Protected Health Information (PHI) on behalf of your organization.
Remember!: With all of your business associates, you need an agreement that legally binds you (the HIPAA covered entity) and the business associate with very clear terms for managing and protecting health information emanating from you.
A written contract with your Business Associate must:
Detail the uses and disclosures of PHI the Business Associate may make
Require that the Business Associate safeguard PHI
In other words, if any one person or vendor has potential access to private health information, you need to hold them accountable to the same high standards as you are held accountable.
By now, you know that international ransomware attackers have hit health systems in the United States. While it’s up to the techs within your organization to apply security measures, it’s everyone’s job to thwart thieves by recognizing and avoiding their traps - often hidden in seemingly harmless emails.
Keep in mind that hackers are smart, and it’s their business to fool even the most conscientious employees in close proximity to patient information. That’s why it’s important to know the warning signs of ransomware.
Let’s start with some basics pertaining to email:
Of course the goal is to avoid the schemes of hackers, who typically “kidnap” information with the promise of releasing it back to its rightful owner in exchange for money. A joint study conducted by several security firms estimates that creators of one form of ransomware -- called CryptoWall 3.0 - have extracted more than $325 million from victims since January 2015.
In the event you fall victim to a ransomware scheme, you should know the tell-tale signs of being hacked so that you can seek help right away. One common scenario is that you click on a link or open an attachment and immediately realize it is suspicious. Get help, even if you’re not 100 percent sure it’s a problem.
Other indicators of a ransomware include:
If you do not need remote access to a database containing patient information, disable the service on your computer. If you do need remote access, use it only as necessary. And make sure your password is next to impossible to figure out. By now you may wonder what the odds are that you may encounter a ransomware threat. Well, a recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016. That’s a 300% increase over the 1,000 daily ransomware attacks reported in 2015!
That is why everyone needs to have an eagle eye out for the crooks.
Here are just a few other things to keep in mind:
Simple safety practices on the part of all can thwart thieves so the can’t do their dirty work. That’s the goal -- and it takes a community of dedicated workers to achieve it.
Note: Information included in this post has been compiled from email alerts distributed by the U.S. Office for Civil Rights (OCR) from May 12 through May 16, in response to interational threats impacting healthcare. Reference material includes: February 2, 2016, and March 30, 2016 cyber awareness updates, and a February 2017 newsletter, all from OCR, and a Ransomware Fact Sheet from the U. S. Department of Health and Human Services.
In an unprecedented memo to state survey and credentialing agencies earlier this month, the Centers for Medicare & Medicaid Services directed state survey teams to begin enforcing federal privacy regulations to protect patients from social media abuses. The memo cites recent media reports as impetus for the crackdown.
In its memo, dated Aug. 5, 2016, CMS orders state survey teams to review nursing home policies and procedures related to social media abuses beginning in September, and continuing until all skilled nursing homes have been inspected. The memo points out that staff training alone is not enough, and that compliance must include plans for implementing daily practices that protect residents’ privacy. The memo defines “staff” as employees, consultants, contractors, volunteers and others who provide care services to residents.
Indeed, a growing number of reports are exposing horrific examples of staff members taking embarrassing photos and videos of residents, and then sharing them with friends.
ProPublica and the Washington Post have been especially out front on this issue. Here is some background to give you an idea of what is taking place:
In December 2015, reports co-published by ProPublica and the Washington Post revealed startling social media abuses within long-term care facilities. Indeed, the findings initially documented 37 incidents since 2012, exposing nursing home workers across the country for posting embarrassing photos of elderly residents on social media. In some cases, residents were partially or completely naked. At least 16 cases involved Snapchat, a social media platform where photos appear a few seconds, and then disappear.
Details of the incidents came from government reports, court cases and stories in the media.
An excerpt from one report on the ProPublica website:
“In February 2014, a nursing assistant at Prestige Post-Acute and Rehab Center in Centralia, Wash., sent a co-worker a Snapchat video of a resident sitting on a bedside portable toilet with her pants below her knees while laughing and singing.”
This February at Autumn Care Center in Newark, Ohio, a nursing assistant recorded a video of residents lying in bed as they were coached to say, ‘I’m in love with the coco,’ the lyrics of a gangster rap song (‘coco’ is slang for cocaine). Across a female resident’s chest was a banner that read, ‘Got these hoes trained.’ It was shared on Snapchat.”
In the latter case, the woman’s son told federal investigators that his mother had worked as a church secretary for 30 years, and would have been mortified.
In some cases, employees have faced criminal charges.
Meanwhile, in July, the U.S. Office for Civil Rights announced that federal audits have moved into “high gear” under the Health Information Portability and Accountability Act (HIPAA). Those federal audits are in addition to the inspections that state survey teams have now been ordered to conduct.
By Diane Evans
Publisher, MyHIPAA Guide
Patients may have more rights over their health records than you realize.
Under today’s privacy rules, consent entails far more than a “check-the-box” exercise as in the past. Yet, according to government sources, an estimated 27% of Americans aren’t even aware of their basic right to electronic copies of their medical records.
In a public awareness effort, the feds recently released information, including videos, to educate the public so people can make choices based on personal preferences.
Meanwhile, here are some of the key points to keep in mind, based on information in a model Patient Privacy Notice published by the federal government:
· Patients are permitted to see, or get an electronic or paper copy, of their medical record and other health information a doctor has about them. Generally patients should expect to have copies of their records within 30 days of a request, and they may be charged a reasonable fee, based on allowable calculations.
· Patients may ask their doctor to correct health information they believe is incorrect or incomplete. The doctor may say no, but should offer a written explanation of why within 60 days.
· Patients may ask for a list of the times their health information has been shared, who received it and why, going back six years..
· If a patient pays out-of-pocket in full for a service or health care item, the patient can ask a doctor not to share that information with the patient’s health insurer. The doctor should say yes unless a law requires the sharing of certain information.
· If a patient has a legal guardian, or has given someone medical power of attorney, that person can exercise the patient’s rights and make choices about his or her health information.
In addition, a patient can ask to be contacted in a specific way, such as at an office phone or at a different mailing address. In its Guide to Privacy and Security of Electronic Health Information, the feds tell health care providers they “must accommodate reasonable requests” from patients. For example, a patient may request that appointment reminders be left on their work voicemail rather than home phone voicemail.
For those who prefer email communications, healthcare providers may send unencrypted emails. However, the patient should consent to unsecured emails based on an understanding of the risks.
There are certain things that HIPAA does not do, and these limitations should be understood as well, as detailed in a federally produced Fact Sheet titled Medical Privacy of Protected Health Information.
For example, the Fact Sheet points out tat healthcare providers can share protected health information, without a patient’s permission, with:
· Other professionals who are treating that individual;;
· Health plans and other entities for billing and payment purposes;
· Certain public health and safety officials, for situations such as disease prevention, product recalls, suspected abuse, neglect or domestic violence.
In addition, the Fact Sheet notes:
· HIPAA does not prevent calls or visits to hospitals by a patient’s family or friends, the clergy, or anyone else. As long as the patient does not object, health care professionals may provide information to a patient’s family, friends, or anyone else identified by a patient as involved in his or her care.
· Unless a patient objects, basic information such as the patient’s phone and room number may appear in a hospital directory.
· Members of the clergy may access a patient’s religious affiliation if provided by the patient, and they do not have to ask for patients by name.
· If a patient is incapacitated, healthcare providers may share information with a patient’s family or friends if they believe doing so is in the patient’s best interest.
One other thing to keep in mind: Information sometimes slips out in ways that do not violate federal privacy rules.HIPAA does not eliminate all so-called “incidental disclosures” of patient information. Incidental disclosures are considered acceptable if a healthcare provider has policies and procedures in place to reasonably safeguard protected health information. An incidental disclosure might happen if a hospital visitor overhears a provider’s confidential conversation taking place, or if someone glimpses a patient’s name on a sign-in sheet or nursing station whiteboard.
Throughout its published materials, the federal government clearly acknowledges that no one healthcare provider can totally eliminate the risk of unauthorized disclosures. Privacy rules set out to reduce risk to the greatest extent reasonably possible.
Here are resources to help clarify the rights of patients under HIPAA Rules:
Model Patient Privacy Notice, produced by the federal government, and containing a listing of your rights.
Explanation of how your doctor may calculate fees charged for copies of your health records.
In its Guide to Privacy and Security of Electronic Health Information, the feds tell health care providers they “must accommodate reasonable requests” from patients.
This Fact Sheet, titled Medical Privacy of Protected Health Information, offers a good overview of patient rights.
To learn more about incidental disclosures that are permissible under HIPAA, click here.
Some additional things to be aware of:
Page 5634 of the Privacy Rule states that: “Covered entities are permitted to send an individual unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email.”
The important thing is the patients/guardians are advised of risks, and that they consent based on personal preference.
Also, be aware of this provision on Page 5634 of the Privacy Rule:
“Covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.”
Read about the first criminal charges under HIPAA law, in a commentary by MyHIPAA Guide Publisher Diane Evans, in the June 2016 issue of Compliance Today:
ProPublicia points to the exceptions to patient privacy regulations, and one women's experience in checking her own paternity test results -- and seeing results for 6,000 others as well:
Send us your questions via the forum, and we'll do the reporting to get answers.
AHIMA survey results on errors in matching patients to their electronic health records:
The Director of Infomatics at the University of South California points to patient risks as a result of duplicate records in Electronic Health Records systems:
Send us your questions relating to HIPAA compliance requirements via the forum, and we'll do the reporting to get answers.
Fallout of Drug Company Bust: 64-year-old Doctor Faces Charges, Whistleblowers share $22.9 million
By Diane Evans, Publisher, MyHIPAA Guide – Nov. 6, 2015
The story of pharmaceutical company Warner Chilcott reads like a racketeering case. It also points to the future potential of patient privacy laws as a hammer in criminal cases, effecting local physicians as well as large providers.
In a precedent-setting case, a Massachusetts physician now faces federal charges for allegedly taking money and meals from the drug company Warner Chilcott, with one charge relating to a criminal violation of patient privacy under the Health Insurance Portability and Accountability Act (HIPAA).
Last month, Warner Chilcott pleaded guilty to health care fraud and agreed to pay $125 million resulting from the illegal promotion of its drug brands. A blog post, published Nov. 5 on the website of the National Law Review, noted that the case should be of great interest to the health care community for the “new twist’’ of a criminal charge under HIPAA. “These HIPAA violations could result in prison sentences, significant fines and exclusion from the Medicare program,” the post stated.
According to the federal indictment, Rita Luthra, a physician in Longmeadow, Mass., received $23,500 in 2010 and 2011 to prescribe the osteoporosis drugs Actonel and Atelvia, manufactured by Warner Chilcott. On at least 31 occasions, Warner Chilcott sales representatives allegedly brought food into Luthra’s medical office for Luthra and her staff, and paid Luthra $750 to talk with her for 25-30 minutes while she ate.
In addition, Luthra allegedly allowed a Warner Chilcott sales representative to access protected health information in her patient’s medical files in order to submit prior authorizations for Atelvia.
“Doctors’ medical judgment should be based on what is best for the patient, and not clouded by expensive meals and other pharmaceutical company kickbacks,” said U.S. Attorney Carmen M. Ortiz of the District of Massachusetts, in an an Oct. 29 statement.
According to allegations:
Warner Chilcott sales reps, at the direction of company managers, gave money, meals and other remuneration tied to so-called “Medical Education Events.” These events, often at expensive restaurants, became a vehicle for paying physicians for prescribing drugs sold by Warner Chilcott. The company enlisted high-prescribing physicians as “speakers,” even when they did not actually speak about any clinical topics. In some instances, Warner Chilcott informed “speakers” that they would not be paid for subsequent events unless they prescribed an increased volume of the company’s drug brands.
Under the terms of the plea agreement, Warner Chilcott will pay a criminal fine of $22.94 million.
Under a civil settlement agreement, the company will pay $102.06 million to the federal government and states to resolve claims. The civil settlement relates to allegations that Warner Chilcott violated the federal Anti-Kickback Statute by making illegal payments to prescribing physicians in connection with the so-called “Medical Education Events” and speaker programs.
The civil settlement resolves a lawsuit filed under whistleblower provisions of the False Claims Act, under which private individuals can sue on behalf of the government for false claims and share in any recovery. As part of the settlement, whistleblowers will receive about $22.9 million from the federal share of the civil recovery.
Government efforts to prevent health care fraud are well documented, especially through the work of the Health Care Fraud Prevention and Enforcement Action Team (HEAT) initiative, started in 2009. Now the Warner Chilcott case adds HIPAA to the toolkit of criminal enforcement.
Remember, Al Capone didn’t go down for organizing the St. Valentine’s Day Massacre. He went to prison in 1931 for something far less: Tax evasion.
AKRON, Ohio – November 3, 2015 -- For the first time, a low-cost, online service, at www.MyHIPAAGuide.com, gives healthcare providers direct access to a library of federal government toolkits, videos, games and tutorials designed to help achieve compliance with updated HIPAA Privacy and Security Rules.
The new service can benefit organizations of all sizes, but can be especially helpful to rural organizations and other small- and medium-size providers facing government reporting requirements for the first time. MyHIPAA Guide includes: