Staff working on the ground see everything; they are the ones most likely to come across a problem that demands your attention. You need an established reporting system that staff know exists, so that the issue actually gets communicated.

First, you must manage reporting systems for your agency. Create a process through which staff can submit reports either anonymously or by name. Have a system in place to ensure that once a potential breach has been communicated you have the tools ready to complete an investigation efficiently.

Remember! Review whistleblower reports regularly! Monitor to make sure investigations take place in a timely manner and are resolved.

Having a reporting system in place is only half the battle. You have to also make sure your staff:

  • Understands your organization's reporting system, and
  • Does not fear retaliation for reporting.

Make the duty to report a part of your agency's culture. Promote awareness and understanding of the availability of whistleblower reporting and other resources your agency offers. Also promote your agency's non-retaliation policies. Make these policies known to staff in new-hire orientation and annual training, on your website, in staff memos and through other ways you communicate with staff.

Keep in mind! Communication is a two-way street. Creating a reporting system is meaningless if staff does not know to use it!

For more information, check out the section on Preventing Breaches on page 26 of the MyHIPAA Guide Compliance Manual. MyHIPAA Guide subscribers may access available templates for security incident reports and incident investigations under Appendix E of the Security Policies and Procedures template on Step 3 of the MyHIPAA Guide website.

Published in Blog

At the recent annual conference of the Association of Professional Developmental Disability Administrators (APDDA), we had the pleasure of hearing from administrators from facilities in Corpus Christi and San Antonio, Texas, and Miami, Florida, who spoke about their experiences preparing for and recovering from Hurricane Harvey and Hurricane Irma last fall. Part of building an emergency preparedness plan includes making provisions to meet the needs of residents with disabilities in the event of an evacuation.

But! Even in an emergency preparedness plan, a resident's health information is still protected by the HIPAA Privacy Rule.

Check it out! The Department of Health and Human Services offers a great interactive tool, The HIPAA Privacy Decision Tool, that through a series of questions helps you determine how the HIPAA Privacy Rule would apply in specific emergency situations (it's available as a flowchart, too!). Other emergency preparedness resources are also available through the HHS site.

Published in Blog

By now, you know that international ransomware attackers have hit health systems in the United States. While it’s up to the techs within your organization to apply security measures, it’s everyone’s job to thwart thieves by recognizing and avoiding their traps - often hidden in seemingly harmless emails.

Keep in mind that hackers are smart, and it’s their business to fool even the most conscientious employees in close proximity to patient information. That’s why it’s important to know the warning signs of ransomware.

Let’s start with some basics pertaining to email:

  • Beware of any kind of attachments or links within emails that are unknown to you or unsolicited. Malicious links in emails can link you directly to a malicious website the attacker uses to infect a data system. Opening an attachment can have the same effect.
  • Know that attackers may impersonate someone you know. Be extremely cautious of emails you are not expecting or that seem a little off. When in doubt, go to your supervisor or a tech before doing anything.
  • Make it a practice NOT to click on links and attachments you are not expecting.
  • If you get an automated message to update your computer’s antivirus software, click to update it. While the IT people should make sure this is done automatically, that doesn’t always happen in reality.

Of course, the goal is to avoid the schemes of hackers, who typically “kidnap” information with the promise of releasing it back to its rightful owner in exchange for money. A joint study conducted by several security firms estimates that the creators of one form of ransomware, called CryptoWall 3.0, have extracted more than $325 million from victims since January 2015.

In the event you fall victim to a ransomware scheme, you should know the tell-tale signs of being hacked so that you can seek help right away. One common scenario is that you click on a link or open an attachment and immediately realize it is suspicious. Get help, even if you’re not 100 percent sure it’s a problem.

Other indicators of ransomware include:

  • Unusual activity on your computer for no apparent reason, caused by the ransomware searching for, encrypting and removing data files.
  • An inability to access certain files as the ransomware encrypts, deletes, renames and/or relocates data.

Recently, attackers have also been scanning the Internet for devices equipped with remote access to patient information portals. Once connected, they can try to guess passwords or look for backdoors to gain entry. Once they’re in, they can operate just as if they were logged onto your system from a monitor and keyboard.

If you do not need remote access to a database containing patient information, disable the service on your computer. If you do need remote access, use it only as necessary. And make sure your password is next to impossible to figure out.

By now you may wonder what the odds are that you will encounter a ransomware threat. Well, a recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016. That’s a 300% increase over the 1,000 daily ransomware attacks reported in 2015!
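The indicators above (a burst of files being encrypted, renamed or relocated, and an account suddenly unable to reach its own documents) are exactly what a practice's IT or security staff can watch for in file-server activity logs. The following Python script is an added example, not code from the original post or from the OCR material it draws on: it scans a simple activity log and raises an alert when one account generates an abnormal burst of suspicious file operations. The log format, the `.locked` extension, the ransom-note file naming, the account names and the thresholds are all constructed assumptions for the demonstration.

```python
"""Flag ransomware-style bursts of file renames, deletions and ransom-note
writes in a file-server activity log.  Constructed example; the log format,
thresholds and indicator patterns below are assumptions, not vendor rules."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

# Assumed thresholds: this many suspicious events from one account inside the
# window is far above normal clerical activity. Tune to your own environment.
WINDOW = timedelta(seconds=60)
THRESHOLD = 20

# Extensions a clinic's file share normally holds (assumption for the example).
EXPECTED_EXTENSIONS = {".docx", ".pdf", ".xlsx", ".txt", ".jpg", ".csv"}


def parse_line(line):
    """Parse one 'timestamp user OPERATION path' record (constructed format)."""
    ts, user, op, path = line.split(maxsplit=3)
    return {"ts": datetime.fromisoformat(ts), "user": user, "op": op, "path": path}


def is_suspicious(event):
    """Indicators from the article: a file renamed to an unexpected extension,
    a file deleted, or a ransom-note-style file written (assumed naming)."""
    name = os.path.basename(event["path"])
    ext = os.path.splitext(name)[1].lower()
    if event["op"] == "RENAME" and ext not in EXPECTED_EXTENSIONS:
        return True
    if event["op"] == "DELETE":
        return True
    if event["op"] == "WRITE" and "DECRYPT" in name.upper():
        return True
    return False


def detect_bursts(lines):
    """Return one alert per account whose suspicious events reach THRESHOLD
    within any WINDOW-long span: (user, start of the window, count at trigger).
    A sliding deque of timestamps per user keeps only the last WINDOW of events."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if not is_suspicious(ev):
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > WINDOW:
            q.popleft()
        if len(q) >= THRESHOLD and ev["user"] not in alerts:
            alerts[ev["user"]] = (ev["user"], q[0], len(q))
    return list(alerts.values())


def build_sample_log():
    """Constructed sample activity: ordinary work by the jsmith account, then a
    burst of renames to a made-up '.locked' extension and a ransom note from
    the rjones account, as a compromised workstation would produce."""
    lines = [
        "2017-05-12T09:00:01 jsmith WRITE /srv/patients/notes/2017-05-11.docx",
        "2017-05-12T09:02:15 jsmith READ /srv/patients/notes/intake.pdf",
        "2017-05-12T09:05:40 jsmith RENAME /srv/patients/notes/intake-v2.pdf",
    ]
    start = datetime(2017, 5, 12, 9, 10, 0)
    for i in range(25):
        ts = (start + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} rjones RENAME /srv/patients/notes/record{i:03d}.docx.locked")
    note_ts = (start + timedelta(seconds=26)).isoformat()
    lines.append(f"{note_ts} rjones WRITE /srv/patients/notes/HOW_TO_DECRYPT.txt")
    return lines


if __name__ == "__main__":
    for user, window_start, count in detect_bursts(build_sample_log()):
        print(f"ALERT: {count} suspicious file events from {user} since {window_start}")
```

Run as written, it reports a single alert for the `rjones` account and nothing for `jsmith`, whose one rename stays within expected extensions. In practice the alert would feed a ticket to the people the article says to call (a supervisor or IT), and the threshold is the knob to tune against a baseline of normal activity so that legitimate bulk operations such as a scheduled archive job do not trip it.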

That is why everyone needs to have an eagle eye out for the crooks.

Here are just a few other things to keep in mind:

  • Never allow a third party to have remote access to your computer if the caller’s authenticity cannot be verified directly through your organization or a verified Business Associate.
  • Do not trust unsolicited phone calls, and don’t give out information.
  • Do not download or purchase any unknown software or online services.
  • Follow safe practices when browsing the web - and don’t click on ads from unknown sources.
  • If you see any unauthorized people accessing patient information (including fellow employees), report the activity to your supervisor or a compliance manager.

Simple safety practices on the part of all can thwart thieves so they can’t do their dirty work. That’s the goal -- and it takes a community of dedicated workers to achieve it.

Note: Information included in this post has been compiled from email alerts distributed by the U.S. Office for Civil Rights (OCR) from May 12 through May 16, in response to international threats impacting healthcare. Reference material includes: February 2, 2016, and March 30, 2016 cyber awareness updates, and a February 2017 newsletter, all from OCR, and a Ransomware Fact Sheet from the U.S. Department of Health and Human Services.

About the author: Diane Evans is Publisher of MyHIPAA Guide, a news and information service that gives organizations a clear and human-centered process for HIPAA compliance. Diane travels around Ohio and beyond, speaking on HIPAA-related topics and leading workshops in an interactive curriculum developed by the MyHIPAA Guide team.

Published in Blog

Medicare's new payment model, released in April 2016:

Download PDF

Medicare's plan for awarding some physicians and other clinicians 5 percent performance incentives:

Download PDF

14-page report, titled Quality Payment Program:

Download PDF

Report titled, A 10-Year Vision to Achieve an Interoperable Health IT Infrastructure:

Download PDF

2015 letter from 36 professional associations to Karen B. DeSalvo, the National Coordinator for Health Information Technology:

Download PDF

Report titled, Capturing High Quality Electronic Health Records Data to Support Performance Improvement:

Download PDF

Medicare Spending and Financing Factsheet from the Kaiser Foundation:

Visit Site

MyHIPAA Guide Webinars Commencing May 2016

HIPAA Compliance Audits now active 2016

Published in Content

Doctors and patients, listen up. Starting in 2019, private insurers may hold unprecedented power in determining standards of care for Medicare patients.

To understand what’s at stake under a newly announced payment model, let’s go step by step:

  • If you are covered under Medicare, the kind of treatment you receive depends in large part on what Medicare covers in reimbursements to doctors and others.

  • Medicare has now unveiled a new payment model, which it says will “guide a clinician to follow a standard plan of care.” For you as a patient, this means that in the future, your particular treatment will likely be determined by statistics, presumably showing what works best in your circumstances.

  • Absent a uniform system of best practices, Medicare’s new model makes it possible for private insurers to set patient care standards, which Medicare will recognize by awarding physicians and other clinicians 5 percent performance incentives. Medicare further says that “positive” and “negative” payment adjustments will increase over time.

In a newly released 14-page report, titled Quality Payment Program, Medicare says this: “Clinicians could qualify for incentive payments based, in part, on...payment models developed by non-Medicare payers, such as private insurers or state Medicaid programs.” The Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) set the parameters for this new payment model.

Indeed, the idea of rewarding doctors for following best practices could improve patient care and reduce wasteful spending. But what happens if the statistics are wrong?

As a tax-supported program, Medicare owes it to beneficiaries – and taxpayers – to determine best practices based on meaningful and transparent data analysis. According to an earlier government study, the nation won’t even have the advanced technology for comprehensive data analysis, and sharing of information among providers, until 2024. That report, titled A 10-Year Vision to Achieve an Interoperable Health IT Infrastructure, specifies that important lessons are yet to be learned “to improve interoperability in support of nationwide exchange and use of health information across the public and private sector.”

One complicating factor: The dismal state of Electronic Health Record (EHR) systems in use today. In 2015, 36 professional associations raised questions about the very security of patient information contained in EHRs. In a letter to the feds, the associations raised concerns about poorly functioning EHRs resulting in “medical record errors, inaccurate documentation, lack of interoperability, slow performance, lost patient information, and safety concerns.”

Separately, in a July 2013 federal government report, titled Capturing High Quality Electronic Health Records Data to Support Performance Improvement, findings point to highly functioning EHRs as key to the implementation of payment reform tied to performance measures.

“As the industry moves toward value-based reimbursement—reimbursement based on quality and cost measures—improving the quality of the data used for measurement is imperative,” the report noted.

One featured section of the report discusses a federally funded project in Rhode Island, in which goals had been set for improving the health of diabetes patients. As local medical practices began accessing EHR data in order to report on improvements in diabetes care, they discovered data quality issues due to missing or inaccessible data or wide variations in outcomes that could not be explained by the actual delivery of care.

This report, issued by the same government agency that oversees Medicare, concluded that the Rhode Island “experience highlighted the need for practices to focus resources on improving EHR data capture and quality before using results to create quality improvement strategies and tactics.”

Against this backdrop, profit-driven insurers will now be trusted to write the standards for so-called value-driven care under Medicare?

Come on. We’re talking about the federal insurance program for an estimated 55 million people 65 and older, plus those with permanent disabilities. According to the Kaiser Foundation, Medicare accounted for 14% of the federal budget in 2014, with benefit payments totalling $597 billion in tax dollars.

Far too much is at stake to move prematurely toward standardized patient care that cannot be supported by trustworthy data. The lesson from the Rhode Island project should be heeded: First figure out how to capture quality data before using statistics to determine uniform treatment methods for patients. Treating people based on bad data could put the health of untold millions at risk.

Published in Blog

Nurse gives up license after sharing image of patient's private parts in violation of HIPAA:

View Article

In March 2016, the federal government announced HIPAA audits had begun. Even for a smaller practice, HIPAA fines and settlement amounts can be steep. Here is an example of a HIPAA settlement last September involving a group of radiology oncologists:

View Article


Published in Content

By Martin Stranges, President Pittsburgh Computer Solutions

IT security in an office environment can be a very complex issue to tackle. The flow in a busy practice makes matters worse. Simple and effective steps can be taken to eliminate some of the burden.


Get a junk email address. There are a lot of free services available, and some have great functionality like shareable calendars you may use. We all have to subscribe or sign up for something that requires a contact address. In a lot of cases, these addresses are sold or rented to solicitors. Let this be the catch-all for the marketing material and potential ransomware coming your way. Your professional inbox will thank you.

Email attachments and the office staff that open them have been the bane of IT for decades. Viral threats started out as nuisance or joke programs that were fairly easy to remedy and didn’t usually cause excessive downtime. Currently we’re seeing a new breed of programs that encrypt your data and hold it hostage until a ransom is paid. There have been documented cases where a covered entity had to pay a $16,000 ransom to decrypt their own data. Two easy steps to help avoid the impact of ransomware are:

  • Train your staff not to open email attachments unless they’re absolutely sure it came from a reliable source. Call IT if there’s any question to ensure the email is genuine. We’re always happy to get the call before a problem starts.

  • Since accidents happen, have at least two backups of your data in place. One of them should be cloud based that does revisions or periodic snapshots of your systems.


Having an antivirus in place is a no-brainer. We see a lot of practice workstations with a mix of factory-installed antiviruses: some working, some expired and others that just won’t update on their own. Invest in a cloud-managed, business-class antivirus. You’ll know exactly what’s going on across the entire organization from the dashboard at a glance. It’s also less expensive than paying one at a time for the wrong solution.


Have practice email or info on your mobile phone? Lock it. Lost or stolen phones are one of the biggest threats to your office security. Any newer smartphone with the latest updates is capable of encryption without added software. If your phone ends up out of your control, it’ll be useless to anyone that doesn’t have your password.


Ever consider digital faxing? Over the years it has become a more affordable and secure option over paper faxing. It’s actually less expensive to have a digital fax line than a phone line that attaches to a fax machine. Your faxes will show up in an email and not sit on your fax machine for hours until someone notices it arrived. They’re also HIPAA compliant, but make sure you sign up for the HIPAA plan when placing your order. Imagine the cost and time savings when you’re not buying toner or paper and you can even send secure faxes right from your desktop, phone or other mobile device.


Take advantage of patches and updates on your phone, mobile devices and workstations. They’re free and the majority of them enhance security. Some devices allow for automatic updates which will save time as well as ensure you’re always as protected as possible.

A little bit of time and effort goes a long way to securing what you’ve worked so hard to create.

Pittsburgh Computer Solutions offers complete IT solutions to keep healthcare providers compliant with privacy and security rules.

Published in Blog

ProPublica points to the exceptions to patient privacy regulations, and one woman's experience in checking her own paternity test results -- and seeing results for 6,000 others as well:

Read about a privacy case not covered under HIPAA.

Join the MyHIPAA Guide forum discussion.  Submit questions you'd like us to answer relating to HIPAA compliance requirements.

Send us your questions via the forum, and we'll do the reporting to get answers.

Published in Content

AHIMA survey results on errors in matching patients to their electronic health records:

Read the key findings

The Director of Informatics at the University of South California points to patient risks as a result of duplicate records in Electronic Health Records systems:

Read more

Join the MyHIPAA Guide forum discussion here.

Send us your questions relating to HIPAA compliance requirements via the forum, and we'll do the reporting to get answers.

Published in Content

Politico tells the story of gag clauses in contracts between EHR companies and healthcare providers:

Read what we don't know about HIPAA security issues within EHR systems

Join the MyHIPAA Guide forum discussion. Submit your questions relating to HIPAA compliance.

Send us your questions via the forum, and we'll do the reporting to get answers.

Published in Content

10 Step HIPAA Plan

  • Step 1: Make Sure you Must Comply with HIPAA
    What's Inside: Lists of who is generally covered and who is not, plus contact for inquiries.
  • Step 2: Designate Team Leaders
    What's Inside:
    • 7-page HIPAA basics
    • 62-page guide to security and privacy of ePHI
    • Compliance Charter Template
  • Step 3: Develop Security Policies & Procedures
    What's Inside: Templates for Security Policies and Procedures
  • Step 4: Conduct a security risk analysis
    What's Inside:
    • Guides
    • Short videos
    • Interactive quizzes on risk assessment and contingency preparation
    • 10 common myths
    • Interactive tutorial: 156 questions with fill-able PDFs for Windows or iPad. All material from federal sources.
  • Step 5: Develop an action plan
    What's Inside:
    • 11-page overview on ePHI for small practices
    • 4-page Q&A addressing email with patients
    • Checklists
    • Toolkit on 45 implementation specifications
  • Step 6: Reduce Risks of a Breach
    What's Inside:
    • Overview of expectations
    • Annual Work Plan Template
  • Step 7: Train the Team
    What's Inside:
    • Form for reporting breach notification
    • Links to details on the notification process and what constitutes a breach
    • Suite of Training Materials
  • Step 8: Customize Privacy Notices
    What's Inside (for all):
    • Privacy notice templates to help achieve meaningful consent, in English & Spanish
    • Professionals' guide covering 2013 updates on communications
    • Electronic toolkit with patient education and meaningful consent sample materials
  • Step 9: Execute Business Associate Agreements
    What's Inside:
    • Sample Business Associate Agreement (BAA) provisions
    • Suite of BA Management Tools
  • Step 10: Verify Compliance with HIPAA
    What's Inside:
    • Tip sheets
    • Short videos
    • Overviews
    • 94-page guide on the EHR incentive program
    • Beginners' toolkit on reporting to the government
    All from federal sources.