Author Archives: Frank Sivilli

5 Forms Every Healthcare Practice Should Digitize

If you run a small or mid-size medical practice, you can be forgiven for not staying ahead of medical technology trends. It takes more than enough resources just to manage a business while delivering exceptional patient care.

But there’s one process improvement that will save you boatloads of time and money in the long run–and doesn’t take an IT department to figure out how to set up: online forms.

Paper forms are not only a nightmare to maintain, but they’re unpleasant for your patients to fill out. Yet, they are still a staple at healthcare clinics around the country.

With online form providers like JotForm offering HIPAA compliant webforms, it makes it possible to replace this outdated workflow with a solution that vastly improves patients’ exerpience with your organization.

Here are five types of forms you can digitize to immediately see a positive impact.

Patient Registration

Best case scenario with a paper registration form is that you make it available on your website for download. The most cooperative of your patients will print it at home, fill it out by hand, and then remember to bring it in with them to your clinic.

That’s the best case scenario.

It’s more likely that they won’t even realize you offer downloadable registration forms, or don’t care to print them. Then they spend 10 minutes or more clogging up your waiting room so they can get all of their information scribbled down on the clipboard you hand them when they walk in.

There’s a better way.

Providing your patients with an online form link before they walk through the door allows them to complete it with ease ahead of time. And if you’re using a mobile friendly form solution, even better. It allows patients the ability to send their information from anywhere.

Payments

Even if you’re the best medical practitioner in the entire world, it won’t matter if your business isn’t making money.

Removing any obstacles stopping your patients’ ability to pay you quickly is absolutely imperative. And in today’s world, patients expect an easy way to pay their bill. One of the easiest ways to collect payments from your patients is by offering the ability to pay through an online form.

Whether your form lives permanently on your website, or it’s something you send out as a link, it can simultaneously collect any pertinent patient information while processing the payment.

Care Authorization

It’s essential to make it comfortable and simple for a parent to sign consent.

Luckily, you don’t lose the ability to collect legally-binding signatures when you switch to using online forms from paper. Just add an e-signature field, and the signature shows up in your inbox. You can even automatically send along a copy of the signature to the patients who signed it by asking for their email address in the same form.

Patient Feedback

Patient feedback is an absolutely critical component of running a successful clinic, and more importantly, it allows them to feel heard. By using online forms, you can send the feedback form link by email so the patient can fill it out at their leisure. No downloads. No printing. And nothing gets dropped in a mailbox. You benefit by seeing more feedback come your way, and the ability to have all of your patient feedback information neatly organized online.

One iPad with a digitized health assessment questionnaire will pay for itself in a matter of months with all the paper you’ll save.

The real benefit is in how easy it is for a patient to quickly touch the screen to give their answers. And by using an online form, you have better access to the assessment data you collect. If you ever wanted to find trends for common ailments among the patients in your clinic on the whole, you can easily pull aggregate data from an online form system and be able to make more informed decisions for the type of services you provide.

Whether your practice is big or small, digitizing your system for collecting patient information securely will save you and your staff countless headaches, time, and money. And the list goes on for use cases. You can even use online forms to distribute a notice of privacy, schedule appointments, and generate new leads.

HIPAA Alliance Marketplace Connects CEs and BAs

For many health care providers, finding HIPAA compliant business associates poses a significant challenge–one with implications on the security of their sensitive health care data. The newly launched HIPAA Alliance Marketplace is a platform that simplifies the process for covered entities to find HIPAA compliant business associates.

Health care providers can connect with health care vendors like never before with confidence that their prospective business partners will keep their data safe and secure.

Access to the marketplace is limited to vendors that have been verified by the Compliancy Group HIPAA Seal of Compliance. The HIPAA Seal of Compliance is the industry standard, third party HIPAA verification tool used by health care providers and vendors across the country. The Seal of Compliance demonstrates that the organization in question has executed all of the necessary standards mandated by HIPAA regulation.

Vendors can use the marketplace to break into the valuable health care market. Whether already HIPAA compliant, or just starting on their journey, vendors can speak with one of Compliancy Group’s HIPAA experts to determine the status of their compliance and get listed on the marketplace today.

About the HIPAA Alliance:

The HIPAA Alliance Marketplace is a closed ecosystem that allows health care professionals (covered entities, CE) to find HIPAA compliant solution providers (business associates, BA). HIPAA compliant vendors in the HIPAA Alliance Marketplace are heavily vetted against the HIPAA rules, and verified by the Compliancy Group HIPAA Seal of Compliance™.

Our Partners at Compliancy Group Help Client Pass HIPAA Audit

Compliancy Group announced today that it has helped a long-time client pass a HIPAA audit. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) investigation into a potential HIPAA violation resulted in no fine for a user of their web-based compliance solution, The Guard.

HIPAA audits target hundreds of health care professionals a year, according to the HHS Wall of Shame.

Compliancy Group is the only HIPAA solution on the market today that gives clients access to a HIPAA Audit Response Program™ (ARP). The Compliancy Group HIPAA Audit Response Program gives clients the ability to formulate all the necessary reports that OCR auditors are requesting in order to illustrate their compliance efforts. Compliancy Group’s team of expert Compliance Coaches gather the reports and adhere to strict audit deadlines to ensure that clients stand their best chance at emerging from an audit without being fined.

At Compliancy Group, not a single client has ever failed an OCR or CMS audit. Learn more about how our HIPAA compliance partner helps simplify compliance for health care professionals now!

Recent Ransomware Attacks Could be HIPAA Violations

By now, you may have heard about the massive ransomware attack that has struck over 150 countries, including The United States, over the past week.
If health care data taken hostage in a ransomware attack is unencrypted, it could constitute a HIPAA violation. Any electronic protected health information (ePHI) that is affected by a breach without proper encryption methods in place is very likely to be compromised in the event of a ransomware attack.
These recent attacks come out of a growing trend in malware incidents over the past year. OCR has released guidance about how to handle a ransomware incident in your health care practice. The federal government has stressed the importance of safeguarding your organization and protecting your confidential patient data.
If you’re interested in protecting your organization from a ransomware incident–and want education about how to prevent ransomware attacks from spawning HIPAA breaches and fines–attend the upcoming webinar,
ransomware attacks HIPAA violations

2017 HIPAA Enforcement to Target Ransomware, Interoperability, Medical Apps

“With big data, comes big responsibility,” says Office for Civil Rights (OCR) Director Roger Severino. This is just a fragment of the insight he gave into upcoming HIPAA enforcement trends in his plenary talks at Health Datapalooza 2017.

Severino, the newly appointed Director of the Department of Health and Human Services’ (HHS) OCR, spoke about the Office’s role in the enforcement of the HIPAA Privacy and Security Rules in the changing face of medical technology and health care IT.

OCR is ready to “adapt to changing circumstances” of data security and interoperability in health care. Severino stressed the importance of security, especially as it relates to protected health information (PHI) of patients. HHS has presented a unified message of increasing the quality of patient care this morning–first mentioned by HHS Secretary Tom Price earlier in the session.

2017 HIPAA Enforcement Trends

“Security with data is essential,” said Severino. He suggested that OCR enforcement of HITECH and the HIPAA rules will be advancing to address changes in health care data and technology. He mentioned the string of ransomware incidents that have been affecting hospitals across the country over the past year, in addition to the recent $2.5 million fine that OCR levied against medical device company, CardioNet.

Mobile apps, in particular, are going to be an area of focus for OCR in the years ahead. Severino specifically mentioned the Office’s concerns about how mobile apps can work within the HIPAA rules in order to advance interoperability of health care data.

Finding a means of achieving effective interoperability for health care providers and balancing data security is going to be an area of ongoing concern. Severino spoke about the state of trust between patients and their providers. Breaches of sensitive data cause both financial hardship, and a loss of trust between patients and health care practitioners. “If health care information is not protected, the relationship [between patient and provider] breaks down.”

Data breaches are comparable to identity theft in this way–and Severino suggests that voluntary patient data collection is at risk unless this problem is remedied.

HHS Secretary Tom Price Stresses Burdens of Health Care IT

Secretary of Health and Human Services (HHS) Tom Price spoke about the future of innovation in health care IT during his opening remarks at Health Datapalooza 2017. “People, patients, and partnerships” are going to be the driving forces behind the Trump Administration’s work in health care IT.

Secretary Price commented on reducing the burden of health care IT processes to physicians, with patient-oriented care as the central focus.

Price stressed that “True interoperability has always been the goal,” but that somewhere in the last few years the process has become muddled. He suggested new HHS guidance on the matter, as a means of “deciding on the rules of the road” for interoperability processes.

New Regulation on the Horizon?

Future HHS work on the matter will focus on “accessibility, affordability, quality, and empowering patients,” and patient-focused care with fewer burdens on health care practitioners.

Price suggested that high-level policy making should be the goal of any work done on interoperability in the future–which could come in the form of new HHS guidance, or even new regulation on the matter.

The Obama Administration made interoperability a central goal of its health care IT policy, with such measures as the Precision Medicine Initiative. The Precision Medicine Initiative focused on using patient data to collectively improve health research and care.

This work could continue under The Trump Administration, under the auspices of a different name and fewer “burdens” on doctors. The promulgation of Electronic Health Records (EHR) platforms in the past decade has been the foundation of interoperability initiatives.

Price stated that taking the focus away from patient care toward “data entry” has had challenging “and sometimes destructive consequences.” It’s clear the Administration is dedicated to changing the face of interoperability in the years to come.

Striking a balance between advancing and achieving interoperability within the limits of current health care technology capabilities will clearly be a challenge. Price stressed the importance of “partnerships” in this endeavor. Public-private partnerships could do the work of creating the infrastructure needed for “true interoperability.”

Fraudulent HIPAA Notifications Target Health Care Professionals

HHS OCRRecently, health care professionals have reported being solicited by organization fraudulently presenting themselves as federal entities.

Instead of typical phishing emails involving a hack, one IT security firm based out of Miami, Florida is posing as HHS as a part of its marketing efforts. Emails sent from the account appear to steal legitimate HHS letterhead and conclude with a fraudulent use of OCR Director, Jocelyn Samuels’ signature.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has responded to this unlawful conduct with a statement telling health care officials not to follow any of the links in the email.

“The link directs individuals to a non-governmental website marketing a firm’s cybersecurity services,” OCR notes in its announcement. “In no way is this firm associated with the U.S. Department of Health and Human Services or the Office for Civil Rights,” said Samuels. “We take the unauthorized use of this material by this firm very seriously.”

If you or a member of your organization receives an email or call from an entity claiming that you need to have a:

“Mandatory HIPAA Risk Assessment Review with a Certified HIPAA Compliance Adviser”

Be advised that this is not a legitimate notice form any federal or state regulatory agency. You should not feel obligated to provide or share any information with these organizations if you receive such notice. There is no certifying body for HIPAA compliance by any federal or private entity–any organization that claims otherwise is using misleading or fraudulent language.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) will only contact you directly via a certified letter or email.

These fraudulent emails are being sent from ‘OSOCRAudit@hhs-gov.us‘, while a legitimate OCR email will be sent from ‘OSOCRAudit@hhs.gov‘. The distinction is subtle, but that’s characterstic of scams such as these.

This kind of fraud is a growing trend being executed by some security and compliance companies in the health care space. Being equipped with the right tools can protect you and your organization from being scammed.

OCR Announces HIPAA Desk Audits for Business Associates

HHS OCR

Starting in November, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is slated to begin HIPAA compliance desk audits for business associates. This is just the beginning of OCR’s ongoing push for a permanent HIPAA audit program, which will kick into higher gear come 2017.

OCR first began its Phase 2 HIPAA Compliance Audits in March of 2015. An initial group of 167 Covered Entities, such as doctors and insurance companies, were randomly selected for a HIPAA audit. A questionnaire was posed to auditees asking them to compile lists of their business associates along with relevant contact information.

OCR has collected some 20,000 BAs through this process, and now plans to select organizations from this list and move forward with onsite audits, according to OCR’s Deputy Director of Health Information Privacy, Deven McGraw.

In June of this year, OCR reached its first settlement with a BA in the history of enforcement, resulting in a $650,000 fine. OCR has redoubled its efforts toward BA enforcement, and this recent announcement marks the first time that OCR has instigated wide-scale random audits for business associates and HIPAA compliance–a practice that will become standard once HHS launches its permanent audit program.

McGraw went on to state that business associates chosen for desk audits after November 2016 could also be subject to additional onsite audits if widespread HIPAA compliance issues are uncovered. “It’s not a game of ‘gotcha’ or a vehicle for punitive measures. But we can open an investigation if what we see in an audit” raises alarms, she said.

McGraw also outlined plans for a “comprehensive roll-up report” once these desk audits are completed. This report will be a publicly accessible document that will outline the major findings of OCR’s Phase 2 Audits. OCR intends for the report to act a resource for HIPAA-beholden organizations to address their compliance plans in the future.

The 20,000 contacts that OCR has gathered across the health care industry represent a wide range of different business associates. Organizations that weren’t contacted over the course of OCR’s initial outreach for Phase 2 are at risk of being audited just because of the business relationships they have with covered entities.

“In order to best prepare for these audits, business associates should be able to illustrate their HIPAA compliance through supporting documentation,” says Marc Haskelson, President and CEO of Compliancy Group. “If a BA has yet to address their HIPAA compliance, now is a better time to start than ever before.”

 

See our recommended HIPAA products!

HIPAA Roundup: Pharmacy Settlements and OCR Investigations

Over the past few years, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has considerably ramped-up its enforcement efforts for HIPAA violations.

Pharmacies have continued to be hit with OCR investigations and massive fines for breaches of protected health information (PHI). These investigations are often initiated for minor privacy or security incidents, and become major HIPAA violations once the organization’s full-scale non-compliance is brought to light.

Below, we’ve looked at three important settlements that speak to the future of HIPAA enforcement for pharmacies across the country.

 

CVS Pharmacy, $2.25 Million HIPAA Settlement

On January 16, 2009, HHS reached a settlement with CVS Pharmacy, Inc. to settle alleged violations of the HIPAA Privacy Rule. The $2.25 million settlement came after OCR investigators determined that stores across the nation were improperly disposing of labels containing the PHI of patients and customers.

OCR investigators found that CVS failed to implement the appropriate policies and procedures to safeguard the integrity of disposed PHI, that it failed to train employees on how to properly dispose of PHI, and that it did not implement an appropriate sanctions policy for employees and pharmacists who failed to properly dispose of PHI.

The integrity of PHI is paramount to compliance with the HIPAA Privacy Rule and pharmacies face especially difficult challenges to maintain proper privacy standards. As these next examples will show, improper handling of PHI is one of the most significant risks that pharmacies are exposed to under HIPAA regulation.

 

Rite Aid Pharmacy, $1 Million HIPAA Settlement

Rite Aid reached a $1 million settlement with HHS on July 27, 2010 for alleged violations of the HIPAA Privacy Rule. The chain operates nearly 4,800 retails pharmacies across the country.

Investigators determined that PHI was being disposed of incorrectly, without policies and procedures governing the disposal process. Additionally, Rite Aid’s employees weren’t trained on the proper disposal of PHI, nor were appropriate sanctions applied to employees who improperly disposed of PHI.

The Rite Aid settlement and corrective action plan closely mirrored the 2009 CVS settlement discussed above. Often, OCR will follow trends in enforcement, building cases and going after chronic issues of non-compliance across major health care industries. Large-scale national franchises make for easy targets in investigations like these, but the risk is just as material for smaller health care entities as well.

 

Cornell Prescription Pharmacy (Denver, CO), $125,000 HIPAA Settlement

Cornell Prescription Pharmacy is a small, single-location pharmacy based out of Denver, Colorado. The $125,000 settlement was announced on April 27, 2015 in response to the improper disposal of documents containing the PHI of 1,610 patients.

Perhaps the strictest of the three incidents we’ve discussed, OCR Director Jocelyn Samuels stated that: “Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons.” Samuels continued, “Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper.”

Since taking office in June of 2015, Samuels has overseen more fines than in the prior nine years combined. And with her focus turning to organizations that have historically been spared from HIPAA enforcement, such as independent pharmacies, the possibility of a HIPAA audit has become a real threat to players across the health care industry.

Massive Data Breach Affects Thousands of NFL Players

nfl-logo

The NFL has reported that thousands of players’ health care records were breached in late April after a laptop was stolen from the car of a Washington Redskins trainer.

The records are extensive, dating back a full 13 years. They’re reported to include current and former players’ protected health information (PHI), as well as that of the attendees of the annual scouting Combine.

In an official statement from the NFL to the players’ union about the theft, NFLPA Executive Director DeMaurice Smith said:

The NFLPA [NFL Players Association] has consulted with the U.S. Department of Health and Human Services regarding this matter. The NFLPA also continues to be briefed by the NFL on how they intend to deal with both the breach by a club employee, the violation of NFL and NFLPA rules regarding the storage of personal data, and what the NFL intends to do with respect to notifying those who may be affected. We will keep you apprised of what we hear from the team and League.

The severity of the breach is such that the NFL has contacted the Department of Health and Human Services (HHS), the arm of the federal government that deals with HIPAA enforcement and personal data privacy and security. It’s unlikely that the NFL will be persecuted as a HIPAA Covered Entity in this breach, sparing potential fines and litigation. HHS has made it clear that high-profile patients’ medical records must be afforded the same legal protection as anyone else’s. Athletes and celebrities alike face heightened risks to their privacy and are often targeted by attacks to their personal data.

Physical theft continues to plague the health care industry. Paper and physical records are easy targets, but it’s becoming apparent that electronic health records (EHR)–the long-heralded solution to this industry-wide problem–falls short of any kind of guaranteed security. Though the stolen laptop containing the players’ health data was password protected, it wasn’t encrypted.

Even though there have been industry-wide pushes for EHR adoption and migration away from paper records, their integrity of those records can be tenuous without the accompanying encryption and privacy measures needed to ensure they’re being kept secure.

In a statement given to Deadspin, an NFL spokesperson said that: “We are aware of no evidence that the thief obtained access to any information on the computer that was stolen nor aware that any information was made public.” The spokesperson also confirmed that the NFL’s electronic medical record (EMR) system that encompasses player data for the entire league was unaffected by the breach.

Over 112 million Americans had their health data breached in 2015 alone. In this case, HHS has the opportunity to make a decisive statement on EHR adoption and patients’ rights to privacy in an effort to curb the frightening trend that these massive data breaches are starting to take.