
Healthcare Compliance 101

Archive for the tag “HIPAA Privacy”

Contingency Plan

Plan A… B… Contingency Plan!

The purpose of any contingency plan is to allow an organization to return to its daily operations as quickly as possible after an unforeseen event. The contingency plan protects resources, minimizes customer inconvenience and identifies key staff, assigning specific responsibilities in the context of the recovery.

Contingency plans are critical to protecting the availability, integrity, and security of data during unexpected adverse events. Contingency plans should consider not only how to respond to disasters such as fires and floods, but also how to respond to cyberattacks. Cyberattacks using malicious software such as ransomware may render an organization’s data unreadable or unusable. In the event data is compromised due to a cyberattack, restoring the data from backups may be the only option to recover the data and restore normal business operations.

What Does a Contingency Plan Do?

✓ Contingency Plan: Focused on the steps to respond and recover operations in the event of an emergency or other disruption to normal operations. Its major objectives are to ensure: (1) the containment of damage or injury to, or loss of, property, personnel, and data; and (2) the continuity of the key operations of the organization.

Contingency plans aren’t just a good idea; regulations for certain industries require contingency planning. For example, the HIPAA Security Rule requires that HIPAA covered entities and business associates establish and implement a contingency plan.[1]

What’s Required for a HIPAA Contingency Plan?

✓ Disaster Recovery Plan: Focused on restoring an organization’s protected health data.

✓ Emergency Mode Operation Plan (or Continuity of Operations): Focused on maintaining and protecting critical functions that protect the security of protected health data.

✓ Data Backup Plan: Focused on regularly copying protected health data to ensure it can be restored in the event of a loss or disruption.

Items to Address as Part of a HIPAA Contingency Plan

✓ Applications and Data Criticality Analysis: Focused on identifying what applications and data are critical for the contingency plan.

✓ Testing and Revisions: Focused on testing your contingency plan and revising any identified deficiencies.

Key Steps on the Road to Contingency Planning:

Make it Policy:  A formal policy provides the authority and guidance necessary to develop an effective contingency plan.

Identify what is Critical:  Knowing what systems and data are critical to operations will help prioritize contingency planning and minimize losses.

Identify Risks, Threats and Preventative Controls: Perform a risk analysis to identify the various risks that your business may face. What has the potential to significantly disrupt or harm your operations and data?

    Contingency Plans & Risk Analysis:  The need for contingency plans appears as a result of a thorough and accurate analysis of the risks that your organization faces.  The end result of a risk analysis can provide a list of potential threats, risks, and preventative controls.  Prioritization of critical systems and information will help identify where to focus planning efforts.

Create Contingency Procedures: Establish the specific guidelines, parameters, and procedures when enacting the contingency plan and for the recovery of systems and data. Here’s where the Disaster Recovery Plan, Emergency Mode Operation Plan and Data Backup Plan will fill in the overarching contingency plan. Keep in mind:

o   The goal is to maintain critical operations and minimize loss.

o   Define time periods – What must be done during the first hour, day, or week?

o   Establish Plan Activation – What event(s) will cause the activation of the contingency plan?  Who has the authority to activate the contingency plan?

o   Use plain language – the plan should be understandable to all types of employees.

Operationalize & Maintain the Plan: Integrate the plan into normal business operations.

o   Communicate and share the plan and roles and responsibilities with the organization.

o   Establish a testing (exercise) schedule for the plan, to identify gaps and ensure updates for plan effectiveness and increase organizational awareness.

o   Review the plan on a regular basis and situationally when there are technical, operational, environmental, or personnel changes in the organization.

Don’t wait for a disaster to happen before designing and implementing a contingency plan.

Reprinted from the Office for Civil Rights


$750,000 Settlement Highlights the Need for HIPAA Business Associate Agreements

Raleigh Orthopaedic Clinic, P.A. of North Carolina (Raleigh Orthopaedic) has agreed to pay $750,000 to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule by handing over protected health information (PHI) for approximately 17,300 patients to a potential business partner without first executing a business associate agreement.  HIPAA covered entities cannot disclose PHI to unauthorized persons, and the lack of a business associate agreement left this sensitive health information without safeguards and vulnerable to misuse or improper disclosure.  Raleigh Orthopaedic is a provider group practice that operates clinics and an orthopaedic surgery center in the Raleigh, North Carolina area.

OCR initiated its investigation of Raleigh Orthopaedic following receipt of a breach report on April 30, 2013. OCR’s investigation indicated that Raleigh Orthopaedic released the x-ray films and related protected health information of 17,300 patients to an entity that promised to transfer the images to electronic media in exchange for harvesting the silver from the x-ray films. Raleigh Orthopaedic failed to execute a business associate agreement with this entity prior to turning over the x-rays (and PHI).

“HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).  “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”

In addition to the $750,000 payment, Raleigh Orthopaedic is required to revise its policies and procedures to: establish a process for assessing whether entities are business associates; designate a responsible individual to ensure business associate agreements are in place prior to disclosing PHI to a business associate; create a standard template business associate agreement; establish a standard process for maintaining documentation of business associate agreements for at least six (6) years beyond the date of termination of a business associate relationship; and limit disclosures of PHI to any business associate to the minimum necessary to accomplish the purpose for which the business associate was hired.

Unauthorized Filming of Your Patient Could Result in HIPAA Violation

Unauthorized Filming for “NY Med” Results in $2.2 Million Settlement with New York Presbyterian Hospital

Today, the Department of Health and Human Services, Office for Civil Rights (OCR) announced that it has reached a $2.2 million settlement with New York Presbyterian Hospital (NYP) for the egregious disclosure of two patients’ protected health information (PHI) to film crews and staff during the filming of “NY Med,” an ABC television series, without first obtaining authorization from the patients. In particular, OCR found that NYP allowed the ABC crew to film someone who was dying and another person in significant distress, even after a medical professional urged the crew to stop.

“This case sends an important message that OCR will not permit covered entities to compromise their patients’ privacy by allowing news or television crews to film the patients without their authorization,” said Jocelyn Samuels, OCR’s Director.  “We take seriously all complaints filed by individuals, and will seek the necessary remedies to ensure that patients’ privacy is fully protected.”

By allowing individuals receiving urgent medical care to be filmed without their authorization by members of the media, NYP’s actions blatantly violate the HIPAA Rules, which were specifically designed to prohibit the disclosure of individuals’ PHI, including images, in circumstances such as these.

OCR also found that NYP failed to safeguard protected health information and allowed ABC film crews virtually unfettered access to its health care facility, effectively creating an environment where PHI could not be protected from impermissible disclosure to the ABC film crew and staff.  In addition to the $2.2 million, OCR will monitor NYP for two years as part of this settlement agreement, helping ensure that NYP will remain compliant with its HIPAA obligations while it continues to provide care for patients.

HIPAA Privacy and Security Compliance Audits Begin November 2011

OCR Announces November 2011 start of Privacy and Security Compliance Audits

Overview: OCR has announced that it is initiating Compliance Audits beginning November 2011, as authorized by the HITECH Act. The HITECH Act requires the Department of Health and Human Services (HHS) to provide for periodic audits to ensure that covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification Standards. These audits will strengthen enforcement and accountability for compliance with existing and forthcoming (by the end of 2011) Rule modifications. HHS has delegated this auditing function to OCR. To implement this mandate, OCR is piloting a program to perform 150 compliance audits of covered entities to assess privacy and security compliance.

Who will be audited? Every covered entity and business associate is eligible for an audit. OCR is responsible for selecting the covered entities that will be audited. OCR has indicated that selections will be designed to provide a broad assessment of a complex and diverse healthcare industry. This means that OCR will randomly select covered entities that are large, medium-sized and small (such as a one-doctor healthcare provider). No covered entity will be exempt from the chance of being selected for a compliance audit by OCR.

What is the purpose of these audits? These audits precede the imminent release of the Final HIPAA/HITECH Act Privacy, Security, Breach Notification and Enforcement Rules (expected before the end of 2011) and will strengthen enforcement and accountability for compliance with existing and forthcoming Rule modifications.

How the Audit Program Will Work. Covered entities selected for an audit will be informed by OCR of their selection, and the covered entity will be asked to provide documentation (in writing) of their privacy and security compliance efforts. Covered entities will have 10 business days to provide the requested information. Every audit will include a site visit and result in an audit report. OCR expects to notify covered entities selected for an audit between 30 and 90 days prior to the onsite visit. During site visits, auditors will interview key personnel and observe processes and operations to help determine compliance. Onsite visits may take between 3 and 10 business days depending on the complexity of the organization and the auditor’s need to access materials and staff. OCR will then issue a report based upon the audit.

What Happens After an Audit? Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem. Generally, OCR will use the audit reports to determine what types of technical assistance should be developed and what types of corrective actions are most effective.

Why the Push for Increased Audits? An increase of 6,230,963 individuals affected by HITECH breaches (for a total of 18,190,451) represents a skyrocketing jump in the number of individuals affected by privacy and security breaches, which heightens the need for OCR to strengthen enforcement and accountability through compliance audits to ensure compliance with these Rules.

What should a covered entity do to prepare for a potential OCR audit and avoid the consequences (monetary penalties) of non-compliance? To avoid the consequences of potential penalties for non-compliance, covered entities and business associates must now pay immediate attention to: 1) conducting a new, or reviewing an existing, Risk Assessment of threats and vulnerabilities to Protected Health Information (PHI); 2) mitigating identified risks through privacy and security safeguard Policies and Procedures; 3) training their workforce members (which includes management) to safeguard the privacy and security of PHI; and 4) documenting those actions in writing.

Over 70% of Healthcare Providers Suffered Privacy Breaches

The HITECH Act – Little-Noticed Provision

Remember the HIPAA violation charge against the Alabama woman who stole PHI from more than 4,000 surgery patients at Trinity Medical Center in Birmingham, Alabama? This case marked the first time that the DOJ has charged someone with a HIPAA violation who is not connected in any way to a covered entity. In this case the woman is alleged to have been visiting a hospital when she took the documents.

Prior to the HITECH Act, the HIPAA charge against the Alabama woman may not have occurred, or may have been substantially more difficult to file. If convicted, this woman could be jailed for 10 years and fined $250,000 for just the HIPAA charge. However, under the June 28 indictment there are added charges of “possessing stolen mail, attempting to commit bank fraud, misusing someone else’s Social Security number, and aggravated identity theft.”

Prior to the HITECH Act, Section 1177(a) of the Social Security Act (42 U.S.C. 1320d-6(a)), “Wrongful disclosure of individually identifiable health information,” read:

(a) Offense, – “A person who knowingly and in violation of this part–(1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, shall be punished as provided” in later sections.

The HITECH Act added “Sec. 13409. Clarification of Application of Wrongful Disclosures Criminal Penalties,” which applied criminal penalties to individuals. It states:

“Section 1177(a) of the Social Security Act (42 U.S.C. 1320d-6(a)) is amended by adding at the end the following new sentence: ‘For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1180(b)(3)) and the individual obtained or disclosed such information without authorization.’”

Prior to this change, only covered entities (CEs) and certain individuals working for them were directly liable for criminal charges. The expansion not only means that outsiders can be liable, but also that low-level employees can now be subject to direct prosecution.

HHS Appoints Contractor to Conduct HIPAA Privacy and Security Audits

OCR Settles HIPAA Privacy and Security Case With UCLA

Celebrity snooping by employees results in stiff civil monetary penalties and a resolution agreement for University of California Los Angeles Health Services (UCLAHS).

HIPAA Notice of Privacy Practices

FREE OFFER

Woman Faces Criminal Charges for HIPAA Privacy Violations
