Share this
So, You’re Finally Taking A Closer Look at HIPAA?
by Theresa Sheppard on Jun 10, 2015 1:15:39 PM
Welcome to the future!
While it may not feel like it (still no flying cars), the world and our daily lives have become far more complex. Especially when it comes to how we access, move, and store data. When it comes to healthcare, these advancements also mean increased potential for the unintended breach of a patient’s privacy.
Download The 5 Most Overlooked Steps to HIPAA Compliance.
HIPAA is Part of Our Daily Lives
The high-tech act significantly increased the civil monetary penalties for HIPAA privacy violations or lack of breach notification, while the federal government can always impose criminal penalties.
This has created a sense of urgency for medical and dental practices to better understand their security requirements and reevaluate their privacy policies.
Is Your Practice Fully HIPAA Compliant?
How many practices feel they are only 90, 75, or even 50% HIPAA Compliant? Many facilities may not even know that just because they don’t send electronic claims, it does not release them from the legal and ethical obligation to protect patient privacy.
The most daunting and time-consuming challenge is the risk analysis. It is multi-layered and involves a taking hard look at each aspect of your administrative, technical, and security safeguards:
- Determine the level of risk
- Determine the likelihood of threat occurrence & potential impact
- Identify security measures and finalize documentation
- Develop written procedures & policies
- Ongoing training & documentation
Next Step: Confronting and Correcting
Once your risk analysis is complete, it’s time to develop written policies and procedures based on what you’ve learned.
Lastly, you are required to have ONGOING training for your team. What does “ongoing” mean?
I suggest that at least once a month you set aside 30 minutes to discuss issues that may have arisen or situations that need correction. It is also a great time to “work your way through” the extensive procedure manual by going over a few pages at a time.
A critical aspect of this is to document the training. Like everything else… you must be able to prove that this is something you are taking seriously.
A breach occurs when the privacy or security of the patient is compromised because someone acquired, accessed, used, or disclosed protected patient information.
What Constitutes the Need for a Breach Notification?
- The practice is not required to report a breach, if, through their risk analysis, they can prove there is a low probability that the information has been compromised.
- The practice is required to notify those affected. Oral disclosure (spoken word) meets the definition of a breach.
- Business Associates must notify the covered entity of a breach ASAP, but no later than 60 calendar days, so it can be determined who is responsible for notification.
- The practice must put out the notification ASAP but no later than 60 calendar days after the discovery of the breach.
- For 10 or fewer persons, patients must be provided written notice, or be notified by telephone, email, or other forms of notification.
- For more than 10 persons, patients must be notified, and if they cannot be reached, then a conspicuous notice must be placed on the practice website home page for 90 days, or in a major media outlet in the geographical area of the persons affected by the breach.
- For 499 or fewer people affected, the practice must keep a log and submit it to HHS no later than 60 calendar days from the end of the calendar year.
- For 500 or more persons affected: if a breach involves 500 or more persons, then the practice must notify HHS without unreasonable delay, and no later than 60 calendar days from discovery. The practice must ALSO notify prominent media outlets (usually a press release) no later than 60 calendar days after discovery.
In Matters of Data Security
In my experience as a HIPAA consultant, most of my smaller clients are dental practices with 1-3 doctors backing up their clinical software and patient information. They usually do not have the luxury of a dedicated IT staff member, and often they rely on their preferred IT integrator, or the most technical person in the office to get the job done. Often this means, that the backup method they have been utilizing is not secure.
Some offices may back up when they close the month but have never tested restoring data from their backups. They may backup to a tape daily, but only have their data located onsite – possibly even unencrypted. We’ve even seen cases where there was no backup being done due to confused policies, and the assumption that someone else was doing it.
Practices must perform daily backups using a product such as NovaBACKUP for them to be protected from data loss and to keep them in compliance with HIPAA. Not only does NovaBACKUP meet the stricter HIPAA mandates, but their support team is also located locally for easy access, offering remote Setup Assistance.
Having an automated backup schedule reduces the amount of effort required by the practice, while email summary reports deliver immediate confirmation that backups have been completed successfully.
These reports make the Security Officials' job much easier in terms of auditing, providing a level of confidence that a restore can be rapidly accomplished should data ever be lost or compromised.
Keep Calm and Achieve Compliance
It’s all about assessment and mitigation. Reaching the state of HIPAA compliance is an ongoing process. While the multiple layers of rules and regulations can be intimidating, this should certainly not cause you to delay in taking on the issues of data security in your environment. You must get started on this process right away! If you are selected for an audit, you could be required to produce your procedural manual and risk assessment in as little as 10 days.
What I have tried to accomplish here today is to provide an overview of the basic information that can work as a first step toward bringing your office into compliance. Taking the next step means a risk analysis and putting together a comprehensive HIPAA protocol and policy program.
A special thanks to Theresa Sheppard for sharing her insight on HIPAA compliance.
For information about HIPAA-compliant backup software visit: https://www.novabackup.com/solutions/medical-backup.
Share this
- Pre-Sales Questions (112)
- Tips and Tricks (95)
- Industry News (59)
- Reseller / MSP (37)
- Best Practices (30)
- Security Threats / Ransomware (30)
- Applications (26)
- Cloud Backup (25)
- Disaster Recovery (25)
- Compliance / HIPAA (24)
- Backup Videos (23)
- Storage Technology (23)
- Virtual Environments (17)
- Technology Updates / Releases (9)
- Infographics (8)
- Backup preparation (4)
- Products (US) (2)
- Company (US) (1)
- Events (1)
- Events (US) (1)
- October 2024 (1)
- September 2024 (2)
- August 2024 (1)
- July 2024 (2)
- June 2024 (2)
- May 2024 (1)
- April 2024 (1)
- March 2024 (2)
- February 2024 (2)
- January 2024 (1)
- December 2023 (1)
- November 2023 (1)
- October 2023 (1)
- September 2023 (1)
- August 2023 (1)
- July 2023 (1)
- May 2023 (1)
- March 2023 (3)
- February 2023 (2)
- January 2023 (3)
- December 2022 (1)
- November 2022 (2)
- October 2022 (2)
- September 2022 (2)
- August 2022 (2)
- July 2022 (1)
- June 2022 (1)
- April 2022 (1)
- March 2022 (2)
- February 2022 (1)
- January 2022 (1)
- December 2021 (1)
- November 2021 (1)
- September 2021 (1)
- August 2021 (1)
- July 2021 (1)
- June 2021 (1)
- May 2021 (2)
- April 2021 (1)
- March 2021 (2)
- February 2021 (1)
- January 2021 (1)
- December 2020 (1)
- November 2020 (1)
- October 2020 (2)
- September 2020 (4)
- August 2020 (2)
- July 2020 (1)
- June 2020 (1)
- May 2020 (1)
- April 2020 (1)
- March 2020 (3)
- February 2020 (2)
- January 2020 (2)
- December 2019 (1)
- November 2019 (1)
- October 2019 (1)
- August 2019 (1)
- July 2019 (1)
- June 2019 (1)
- April 2019 (1)
- February 2019 (1)
- January 2019 (1)
- December 2018 (1)
- November 2018 (2)
- August 2018 (3)
- July 2018 (4)
- June 2018 (2)
- April 2018 (2)
- March 2018 (2)
- February 2018 (2)
- January 2018 (3)
- December 2017 (1)
- September 2017 (1)
- May 2017 (2)
- April 2017 (5)
- March 2017 (4)
- February 2017 (1)
- January 2017 (1)
- December 2016 (1)
- November 2016 (1)
- October 2016 (2)
- September 2016 (1)
- August 2016 (3)
- July 2016 (2)
- June 2016 (3)
- May 2016 (7)
- April 2016 (8)
- March 2016 (1)
- February 2016 (3)
- January 2016 (12)
- December 2015 (7)
- November 2015 (5)
- October 2015 (6)
- September 2015 (2)
- August 2015 (3)
- July 2015 (2)
- June 2015 (2)
- May 2015 (1)
- April 2015 (5)
- March 2015 (3)
- February 2015 (4)
- January 2015 (2)
- October 2014 (5)
- September 2014 (8)
- August 2014 (5)
- July 2014 (8)
- June 2014 (4)
- May 2014 (3)
- April 2014 (9)
- March 2014 (7)
- February 2014 (7)
- January 2014 (5)
- December 2013 (4)
- October 2013 (7)
- September 2013 (2)