Kimberly Shutters

What Do Healthcare Third-Party Vendors Do

What Do Healthcare Third-Party Vendors Do?

Healthcare providers and dentists, referred to by the Department of Health and Human Services as Covered Entities (CEs), and their third-party vendors, referred to as Business Associates (BAs), are required to comply with the HIPAA Privacy, Security, and Breach Notification Rules. A third-party vendor may be an individual or an organization, other than an employee of a provider, that performs certain functions on behalf of, or provides certain services to, a CE that involve access to Protected Health Information (PHI). A third-party vendor could also be a subcontractor responsible for creating, receiving, maintaining, or transmitting PHI on behalf of the provider (45 CFR 160.103).

Some of the activities of healthcare third-party vendors may include:

• Consultants
• Managed Service Provider
• Management Administration
• Revenue Cycle Management (RCM)
• Billing, Coding, Transcription
• Marketing Companies
• Accreditation
• Utilization Review
• Information technology contractors
• Data Analysis
• Data storage or document destruction companies
• Data transmission companies or vendors who routinely access PHI
• Third Party Administrators (TPA)
• Lawyers
• Accountants
• Malpractice insurers

Note: A provider could be a third-party vendor of another provider.

Third-Party Vendor Decision Tree

Are you still unsure whether you are a healthcare third-party vendor? If so, the good folks at Holland & Hart have put together the following handy Business Associate decision tree to help you determine if an entity is a third-party vendor (Business Associate) under HIPAA, as defined in 45 CFR § 160.103.

[Screenshot: Business Associate Decision Tree, page 1 of 2]

Why Does It Matter?

Providers, it is your responsibility to identify your third-party vendors and confirm there is a Business Associate Agreement (BAA) in place that holds them to the same standards of privacy and confidentiality as yourself. The BAA must be current and signed, and it must limit the third-party vendor’s access to only the PHI necessary to carry out its activities for the provider. Healthcare organizations of all sizes and third-party vendors should understand that patients are entrusting them with their most private and intimate details. They do expect it to remain secure!

Security Incident

What’s a Security Incident? When is it a Breach?

Security incidents will happen, and when they do, effective response planning can be a major factor in how much operational or reputational harm or legal liability an organization suffers. Being able to respond to incidents in a systematic way ensures appropriate response steps are taken each time to help minimize the impact of breaches.

The HIPAA Security Rule defines a security incident as an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. (See the definition of security incident at 45 CFR 164.304.) The HIPAA Breach Notification Rule defines a breach as, generally, an impermissible acquisition, access, use, or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information. (See the definition of breach at 45 CFR 164.402.)

On August 16, 2017, there were a total of 2,022 healthcare data breaches reported on the HHS “Wall of Shame”. Those breaches have resulted in the theft or exposure of 174,993,734 individuals’ protected health information. Source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Covered Entities (CEs) and their Business Associates (BAs) are expected to provide security controls that ensure the confidentiality, integrity, and availability (CIA) of protected health information (PHI). However, having robust and fairly resilient systems will not eliminate the possibility that a cybersecurity incident could occur in your organization. Despite the requirements of HIPAA, a large percentage of CEs believe they will not be notified of security incidents or cyberattacks by their BAs; they also think it is difficult to manage security incidents involving BAs, and impossible to determine whether the data safeguards and security policies and procedures at their business associates are adequate to respond effectively to a data breach.

CEs and BAs should train all workforce members, including management, on incident reporting, and may wish to conduct security audits and enterprise-wide risk analysis to evaluate the BAs’ or subcontractors’ security and privacy practices. If not, ePHI or the systems that contain ePHI may be at significant risk. Over the past years, the healthcare sector has been one of the biggest targets of cybercrime, resulting in breaches due to weak authentication. Covered Entities and Business Associates need to understand that patients are entrusting them with their most private and intimate details; they expect it to remain secure. Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?

Don’t know where or how to start or update your HIPAA security compliance training? Let’s chat about your compliance program – schedule a call with HIPAA alli today!

Security Incident

Are YOU Prepared for a Security Incident?

What if your Business Associates Had a Security Incident?

Covered Entities (CEs) believe it’s impossible to determine whether the policies and procedures of their Business Associates (BAs) are adequate to respond effectively to a security incident. To complicate matters, a large number believe their Business Associates would NOT notify them in the event of a security incident.

It is crucial that BAs notify CEs in the event of inappropriate use or disclosure of Protected Health Information (PHI) not provided for in their contract. This includes any breaches of unsecured PHI, as well as any security incidents. The Business Associate Agreement (BAA) should specify how and for what purpose the PHI may be used by each BA or subcontractor.

HIPAA defines security incidents as attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. (See the definition of security incident at 45 CFR 164.304.) HIPAA also defines breaches as an impermissible acquisition, access, use, or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of PHI. (See the definition of breach at 45 CFR 164.402.)

Covered Entities and Business Associates need to understand that patients are entrusting them with their most private and intimate details; they expect it to remain secure. Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?

For tips like this and more, request your copy of the “HIPAA Security Rule – Know The Rules!” Newsletter today.

HIPAAKTR

Healthcare Third-Party Vendors – HIPAA Security Rule Applies To YOU Too!

Did You Know? The HIPAA Security Rule requires Covered Entities (CEs) and Business Associates (BAs) to “implement a security awareness and training program for ALL members of its workforce (including management)” (45 C.F.R. § 164.308(a)(5)(i)). Note the emphasis on ALL members of the workforce: ALL workforce members can either be guardians of the entity’s Protected Health Information (PHI) or can, knowingly or unknowingly, be the cause of HIPAA violations or data breaches.

In order to implement this standard, the Security Rule requires CEs and BAs to implement periodic security updates, or reasonable equivalents (45 C.F.R. § 164.308(a)(5)(ii)(A)). An organization’s training program should be an ongoing, evolving process, flexible enough to educate workforce members on new cybersecurity threats and how to respond to them. As such, CEs and BAs should consider:

• How often to train ALL their workforce members on security issues, given the risks and threats to their organization, and how often to send security updates to their workforce members. Many entities have determined that bi-annual training and monthly security updates are necessary, given their risk analyses.
• Using security updates and reminders to quickly communicate new and emerging cybersecurity threats to workforce members, such as new social engineering ploys (e.g., fake tech support requests and new phishing scams) and malicious software attacks, including new ransomware variants.
• What type of training to provide to workforce members on security issues, given the risks and threats to their enterprises. Computer-based training, classroom training, monthly newsletters, posters, email alerts, and team discussions are all tools that different organizations use to fulfill their training requirements.
• How to document that training was provided to workforce members, including dates and types of training, training materials, and evidence of workforce participation.

Any investigator or auditor will ask for documentation, as required by the HIPAA Rules, to ensure compliance with the requirements of the Rules. See 45 C.F.R. §§ 164.316(b) and 164.530(j).

Covered Entities and Business Associates, your patients are entrusting YOU with their most private and intimate details; they expect it to remain secure! Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?

Don’t know where or how to start or update your HIPAA security compliance training? Let’s chat – schedule a call with HIPAA alli today!

Mobile Health Application

Mobile Health Application

So you want to download the next latest, greatest mobile health application, but before you do there are a few things you should know. Here are some safety tips to practice when you download your first or next mobile health application:

1. Research mobile health applications (software programs that perform one or more specific functions) BEFORE you download and install any of them. Recommendation: use known app websites or trusted sources.
2. Actually READ the End User License Agreement (EULA) before acknowledging it during installation. Review the privacy & security notice of the mobile health application to verify the application will perform ONLY the functions you approve.
3. Consider installing or using encryption software for your device.
4. Install and activate remote wiping and/or remote disabling on your mobile devices. The remote wipe feature allows you to permanently delete data stored on a lost or stolen mobile device. Remote disabling allows the user to lock stored data on the lost or stolen mobile device, and unlock the data if the device is recovered.

Mobile Health Application & HIPAA

There is something you should know about hand-held data trackers, similar to Fitbit. They are not considered medical devices and are not regulated by the FDA. Why, you ask? Because these devices are purchased by the wearer and the data is requested by the wearer, the data is not protected by HIPAA. However, if a healthcare covered entity requests a patient to wear one and collects its data, then the data is protected by HIPAA.

FINDINGS

Pew Research Center’s Internet and American Life Project:

· 85% of U.S. adults own a cell phone, and more than half are smartphone users.
· One-fifth of all smartphone users have downloaded a health app, and half of smartphone users seek health information from their mobile devices.

Does Your Doctor Keep Your Protected Health Information Secure?

Notice of Privacy Practices

Today, I visited my local dentist office for a new patient consultation and to interview them before selecting them as my Covered Entity (CE). After examining the waiting room and completing the necessary paperwork, I was called into the treatment room. During my appointment I met several different staff members, including their office manager responsible for HIPAA, followed by the provider. After asking the office manager different questions about their Notice of Privacy Practices (NPP), I decided the practice DID NOT understand their HIPAA Privacy and Security responsibilities. I’d like to tell you I only had to do this once before I found a CE I trusted my care and my HIPAA Privacy and Security information to, but NO. I interviewed four (4) different practices, and only one (1) of them would I trust and recommend with my information and care. I share this with you to help you learn what to look for when you visit your next provider of care.

CEs are required to provide their patients with a Notice of Privacy Practices in plain language that describes the following:

▶️ Did your CE provide you with their Notice of Privacy Practices?
▶️ Does the Notice of Privacy Practices include a description of how the practice uses or discloses (shares) your PHI?
▶️ The CE’s legal duties with respect to the information, including a statement that the CE is required by law to maintain the privacy and security of PHI.
▶️ A CE must let you know promptly if a breach occurs that may have compromised the privacy or security of your information.
▶️ A CE must follow the duties and privacy practices described in the Notice of Privacy Practices and give you a copy of it.
▶️ A CE must not use or share your information other than as described in the Notice of Privacy Practices unless you instruct them in writing that they can. If you allow it, you may change your mind at any time, in writing.
▶️ The individual’s rights with respect to the information and how the individual may exercise these rights, including how the individual may complain to the CE.
▶️ Whom individuals can contact for further information about the CE’s privacy policies.
▶️ A CE must make its notice available to anyone who asks for it. You can ask for a paper copy of this notice at any time, even if you have agreed to receive the notice electronically.
▶️ A CE must prominently post and make available its notice on any website it maintains that provides information about its customer services or benefits.
▶️ The Notice of Privacy Practices must include an effective date.

For more information, see 45 CFR 164.520(b) for all Notice of Privacy Practices requirements: https://www.gpo.gov/fdsys/pkg/CFR-2011-title45-vol1/pdf/CFR-2011-title45-vol1-sec164-520.pdf

Also see: Frequently Asked Questions about the Privacy Rule

Protected Health Information

What is Protected Health Information?

What is Protected Health Information?

The simple answer is any information in your health records that can be used to identify you. The HIPAA Privacy Rule’s “Safe Harbor Method” for de-identification lists 18 unique identifiers that must be removed from health information before it is considered de-identified.

PHI is defined by the U.S. Department of Health and Human Services, under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, as any information about health status, provision of healthcare, or payment for healthcare that is created or collected by healthcare organizations, referred to as Covered Entities (CEs), or by their third-party vendors acting on behalf of the CE, referred to as Business Associates (BAs), and that can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient’s medical record or payment history.

The HIPAA Privacy Rule protects most “individually identifiable health information” held, transmitted, or maintained by a Covered Entity (CE) or its third-party vendors, known as Business Associates (BAs), in any form or medium, whether electronic, on paper, or oral. The Privacy Rule calls this information Protected Health Information (PHI). PHI is information, including demographic information, which relates to:

• the individual’s past, present, or future physical or mental health or condition,
• the provision of health care to the individual, or
• the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. PHI includes many common identifiers (e.g., name, address, birth date, Social Security Number) when they can be associated with the health information listed above.

Understanding the Difference

The relationship with health information is fundamental. Identifying information alone, such as personal names, residential addresses, or phone numbers, would not necessarily be designated as PHI. For instance, if such information was reported as part of a publicly accessible data source, such as a phone book, then this information would not be PHI because it is not related to health data (see above). But if such information was listed with health condition, health care provision, or payment data, such as an indication that the individual was treated at a certain clinic, then this information would be PHI. For example, a medical record, laboratory report, or hospital bill would be PHI because each document would contain a patient’s name and/or other identifying information associated with the health data content. By contrast, a health plan report that only noted that the average age of health plan members was 45 years would not be PHI because that information, although developed by aggregating information from individual plan member records, does not identify any individual plan members and there is no reasonable basis to believe that it could be used to identify an individual.
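As an added example (not from the original post or HIPAA alli) of the Safe Harbor removal described above, the Python below strips a constructed patient record of direct identifiers and generalizes dates, ages and ZIP codes the way Safe Harbor requires; the field names, the sample record and the restricted-ZIP set are assumptions for illustration, not the Census-derived list.

```python
import re

# Direct identifiers that Safe Harbor requires to be removed outright
# (names, contact details, account/device numbers, biometrics, photos, URLs, IPs).
# Field names are assumptions for this example.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}

# Safe Harbor allows only the first three ZIP digits, and only when that
# 3-digit area holds more than 20,000 people; smaller areas become "000".
# This set is a constructed placeholder, not the real Census-derived list.
RESTRICTED_ZIP3 = {"036", "059", "102"}

DATE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")

def generalize_date(value):
    """Keep only the year; other date elements tied to an individual must go."""
    m = DATE_RE.match(value)
    return m.group(1) if m else None

def generalize_zip(value):
    """Truncate to ZIP3, or suppress to 000 for sparsely populated areas."""
    zip3 = value[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3

def generalize_age(age):
    """Ages 90 and above are aggregated into a single category."""
    return "90+" if age >= 90 else age

def deidentify(record):
    """Return a Safe Harbor style copy of the record; the input is untouched."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                      # drop direct identifiers entirely
        if key.endswith("_date"):
            out[key] = generalize_date(value)
        elif key == "zip":
            out[key] = generalize_zip(value)
        elif key == "age":
            out[key] = generalize_age(value)
        else:
            out[key] = value              # clinical content is retained
    return out

# Constructed sample record for demonstration (not real patient data).
SAMPLE = {
    "name": "Jane Example", "mrn": "MRN-0001", "email": "jane@example.invalid",
    "zip": "03601", "age": 93, "admit_date": "2017-08-16",
    "diagnosis": "Hypertension", "state": "NH",
}
```

Run `deidentify(SAMPLE)` to see that the name, MRN and email disappear while the ZIP, age and admission date are generalized rather than deleted.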