Archive for the ‘HIPAA’ Category

Infographic: HIPAA Healthcare Data Breaches in 2017

March 9th, 2018 by Melanie Matthews

The severity of HIPAA data breaches in 2017 might have decreased but not the number of breaches, according to a Kays Harbor Technologies analysis.

A new infographic by Kays Harbor Technologies looks at the number of reported HIPAA data breaches to the Department of Health and Human Services’ Office of Civil Rights, the number of individuals impacted by these breaches, the top breaches and predictions on the 2018 breach landscape.

2018 Healthcare Benchmarks: Telehealth & Remote Patient Monitoring

Artificial intelligence. Automation. Blockchain. Robotics. Once the domain of science fiction, these telehealth technologies have begun to transform the fabric of healthcare delivery systems.
As further proof of telehealth’s explosive growth, the use of wearable health-tracking devices and remote patient monitoring has proliferated, and the Centers for Medicare and Medicaid Services (CMS) has added several new provider telehealth billing codes for calendar year 2018.

2018 Healthcare Benchmarks: Telehealth & Remote Patient Monitoring delivers the latest actionable telehealth and remote patient monitoring metrics on tools, applications, challenges, successes and ROI from healthcare organizations across the care spectrum. This 60-page report, now in its fifth edition, documents benchmarks on current and planned telehealth and remote patient monitoring initiatives as well as the use of emerging technologies in the healthcare space.

Get the latest healthcare infographics delivered to your e-inbox with Eye on Infographics, a bi-weekly, e-newsletter digest of visual healthcare data. Click here to sign up today.

Have an infographic you’d like featured on our site? Click here for submission guidelines.

Guest Post: Are You Preparing to Fail Healthcare Compliance in 2018?

December 19th, 2017 by Tim Feldman and Darci L. Friedman

A 2018 roadmap to healthcare compliance should focus on cybersecurity, vendor management and telehealth.

As the year winds down, we see numerous lists of priorities healthcare organizations should focus on in the coming year. However, if you are looking to those end-of-year lists for guidance on what your organization should pay attention to in 2018, you are already behind. If you do find yourself playing catch-up, drafting your 2018 compliance work plan is the best place to start.

As the roadmap for your compliance efforts throughout the year, your annual work plan should indicate key high-risk areas. The Office of Inspector General (OIG) of the Department of Health & Human Services (HHS) has indicated that developing an annual compliance work plan is integral to the administration of an effective compliance program (Measuring Compliance Program Effectiveness – A Resource Guide).

The annual work plan and compliance program administration are but one portion of what is required for an organization to have a robust and effective compliance program. The required elements of a compliance program are the following:

  • Standards, Policies and Procedures;
  • Compliance Program Administration;
  • Screening and Evaluation of Employees, Physicians, Vendors and Other Agents;
  • Communication, Education and Training;
  • Monitoring, Auditing and Internal Reporting Systems;
  • Discipline for Non-Compliance; and
  • Investigations and Remedial Measures.

These elements provide a broad framework for your organization to identify risk, proactively remediate and provide a response mechanism to mitigate when there is an exposure. Working the plan and program throughout the year helps your organization achieve a state of ongoing readiness.

Cybersecurity

Cybersecurity is one item that will likely factor more heavily in your work plan, and appropriately so. Last June, the HHS Health Care Industry Cybersecurity Task Force released a report on improving cybersecurity in the industry. The Task Force concluded that cybersecurity, at its core, is a patient safety issue and a “public health concern that needs immediate and aggressive attention.”

Some of the areas to address in the broader realm of cybersecurity include:

  • Ransomware;
  • Email security, including phishing;
  • Internet of Things (IoT) and devices;
  • Bring your own device (BYOD); and
  • Medical identity theft.

As the Task Force report notes, cybersecurity must be thought about across the continuum of care in your organization. Work to shift the culture and thinking that cybersecurity is simply a technology issue, of concern only to the IT department.

Do this by implementing policies and procedures for key cybersecurity issues and then communicating them across the organization. Follow that with training that includes everyone in your organization, from staff to board members. The training should: define cybersecurity; explain how it may manifest in the organization; and address your policies and procedures, making it evident to all what they can and cannot do and how to respond.

Third-Party Vendor Management

The outsourcing of services to third-party vendors is increasingly common and for good reason. Such relationships offer great benefits, but at the same time, these relationships also carry legal, financial, reputational and compliance-related risks. Here are seven questions to evaluate your third-party vendor relationships:

  • Does your organization, as a covered entity (CE) under HIPAA, have a vendor compliance program to help you identify, manage and report on these risks?
  • Do you review and assess your vendors’ risk profile?
  • Are you familiar with each vendor’s hiring practices?
  • Do you know which vendors’ products connect to other IT systems that contain critical data, including protected health information (PHI)?
  • Do you have insight into each vendor’s information security and data privacy capabilities?
  • Do you know with which vendors you have a business associate agreement (BAA)?

For many healthcare organizations, the answer to several of these questions is likely “no,” which creates risk for those organizations. The OIG’s position is clear: healthcare entities have a responsibility to proactively identify, assess and manage the risks associated with their vendor relationships.

All vendors are NOT created equal. A good starting point in managing an effective and efficient third-party compliance program is to perform a risk-ranking of vendors based on their access to critical assets or information. By segmenting your vendor population into “risk tiers” you can focus limited resources on the most serious exposures.

Components of third-party compliance assessment should include, among other things:

  • Due diligence (background, reputation, strategy);
  • Knowledge of, and compliance with, security and privacy requirements;
  • Operations and internal controls (policies and procedures);
  • Workforce controls, background and exclusion checks; and
  • Training and education.

And, of course, with every vendor that meets the criteria of a Business Associate, ensure that a written BAA is in place. BAAs can be complex and are often daunting, but they must be carefully negotiated and acknowledged by both parties.

By ensuring your vendors have strong compliance programs in place and that they are following through on the BAA requirements, your organization is meeting its compliance obligations and doing its best to minimize its risks.

Telehealth

The compliance concerns related to the delivery of care via telehealth are numerous and include the following:

  • Licensing;
  • Credentialing;
  • Security;
  • Regulatory requirements for billing; and
  • Fraud and abuse.

An area to focus some attention on is payment under federal healthcare programs. The OIG currently has two active work items on telehealth, one for Medicaid and one for Medicare. Both of the items relate to the propriety of payment for telehealth services.

If your organization provides telehealth services, consider conducting a risk assessment to determine if you have any exposure in the area. Risk assessments are not strictly one of the 7 required elements of a compliance program, but they are often referred to as the “8th Element” given the focus on them in the Federal Sentencing Guidelines and OIG documents.
Risk assessments, along with the other elements of a compliance program, provide your organization the means to identify, prioritize, remediate and/or mitigate the myriad on-going risks it will encounter. If you are not working your compliance program and specific risk areas throughout the year, you are failing to adequately prepare for an event. By failing to prepare, as one wise man said, you are preparing to fail.

About the Authors: Tim Feldman is Vice President and General Manager of Healthcare Compliance & Reimbursement at Wolters Kluwer Legal & Regulatory U.S. He oversees product development across a vast suite of practice tools and workflow solutions to help professionals stay ahead of regulatory developments and effectively manage compliance activities. Darci L. Friedman, JD, CHPC, CSPO, PMC-III, is the Director of Content Strategy & Author Acquisitions for Healthcare Compliance, Coding & Reimbursement at Wolters Kluwer Legal & Regulatory U.S. She is responsible for supporting the overall strategy for developing new content and features, innovating new product models, and recruiting top content contributors.

HIN Disclaimer: The opinions, representations and statements made within this guest article are those of the author and not of the Healthcare Intelligence Network as a whole. Any copyright remains with the author and any liability with regard to infringement of intellectual property rights remain with them. The company accepts no liability for any errors, omissions or representations.

Infographic: 5 Questions Patients Should Ask About Healthcare Information Security

September 8th, 2017 by Melanie Matthews

Patients need to understand the information security protections by their healthcare providers, according to a new infographic by ISACA.

The infographic outlines a few questions that patients can ask of their providers to ensure that those organizations are applying appropriate and diligent stewardship of the data that they hold in trust.

UnityPoint Health has moved from a siloed approach to improving the patient experience at each of its locations to a system-wide approach that encompasses a consistent, baseline experience while still allowing for each institution to address its specific needs.

Armed with data from its Press Ganey and CAHPS® Hospital Survey scores, UnityPoint’s patient experience team developed a front-line staff-driven improvement action plan.

In Improving the Patient Experience: Engaging Front-line Staff for a System-Wide Action Plan, a 45-minute webinar on July 27th, now available for replay, Paige Moore, director, patient experience at UnityPoint Health—Des Moines, shares how the organization switched from a top-down, leadership-driven patient experience improvement approach to one that engages front-line staff to own the process.


Guest Post: 5 Legal Considerations for Maximizing Telehealth Security

May 25th, 2017 by Ammon Fillmore and Mark Swearingen

Patient privacy and data security are key telehealth concerns providers must address.

Telehealth is one of the fastest growing and developing areas of healthcare today. With this rapid growth come many questions and concerns that arise when legal and regulatory schemes are not able to keep up with the pace of development. One such concern is the legal and regulatory issues relating to the privacy and security of telehealth services. Telehealth services can be provided securely, but specific attention must be paid to information and application security in order to protect patient privacy and comply with laws such as the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

Healthcare provider executives who currently offer, or are considering offering, telehealth services to their patients should give attention and appropriate resources to the following areas in order to maximize the organization’s security posture and operational efficiencies.

Arrangement Structure

One of the primary decisions for a healthcare provider organization to make with any telehealth arrangement is whether the organization will provide the telehealth services itself or in collaboration with a third party. Many considerations will be part of this decision, but information privacy and security should be one of them. An organization should only consider providing telehealth services on its own if it can dedicate sufficient resources and personnel to establishing and maintaining the secure transmission and storage of patient information. Only an organization with a competent and established information technology staff should consider providing telehealth services in this manner.

If an organization chooses instead to collaborate with a third party to provide telehealth services, there are several third parties with whom the organization can collaborate to provide those services securely. Those third parties can provide anything from equipment only to a full range of services, including digital infrastructure and professional physician services. When a third party is involved, the organization must also consider how to structure the arrangement for purposes of HIPAA, including determining whether the third party will be a business associate of the organization or whether the organization and the third party will function as a single Organized Health Care Arrangement (“OHCA”) under HIPAA. These decisions will impact how information flows between the parties and who is responsible for securing that information.

Contractual Protections

Responsibility for securing information where the provider organization collaborates with a third party will be governed by the operative agreements between the parties, including the Business Associate Agreement, where applicable. Provider organizations should be sure that the agreements detail the third party’s security-related obligations and establish the third party’s responsibility for failing to meet those obligations. The operative agreements also should contain sufficient representations and warranties of the third party’s security posture, including the technical specifications that the third party will implement in order to safeguard patient information. Equally important is making sure that the operative agreements include sufficient assurances that patient information will be accessible to the appropriate healthcare provider.

Technical Specifications

Telehealth arrangements will differ in the precise technical specifications that the parties implement to safeguard patient information. However, certain technical specifications are broadly applicable and can significantly reduce security risks. One example of such a specification is the use of encryption technology. Encrypting patient information, both while stored on computer systems and during transmission between systems, is an effective means of safeguarding the information from unauthorized third parties and preventing breaches from occurring. Another such specification is authentication of the participants in a telehealth encounter, the clinicians and patients themselves. It is important that technological measures are implemented to ensure the identity of both the clinicians and patients so that all parties can have confidence that the individuals involved in the encounter are actually who they appear to be. Provider organizations should strongly consider implementing such technologies in any telehealth services arrangement.

Security Awareness

Even the best technical safeguards can be compromised by human error, so it is imperative that effective security awareness training be provided both to workforce members as well as patients. Workforce members who participate in telehealth services arrangements must be made aware of their obligations to protect the privacy and security of patient information under their organization’s policies and procedures and be sanctioned when a violation occurs. Likewise, patients should be provided with information about the security risks present in telehealth arrangements and advised of the steps they can take to mitigate those risks.

Security Risk Analysis

Provider organizations are required under HIPAA to periodically perform an enterprise-wide security risk analysis and to take steps to remediate any risks that are identified. The failure to do so can result in substantial fines and penalties to a provider organization. An enterprise-wide risk analysis considers not only the electronic health record but also any system or equipment that contains electronic patient information, which would include equipment and systems utilized in providing telehealth services. Accordingly, provider organizations should be sure to include telehealth systems in their risk analysis, including those utilized by a third-party service, and to address any identified risks and vulnerabilities in a timely fashion.

This article is educational in nature and is not intended as legal advice. Always consult your legal counsel with specific legal matters. If you have any questions or would like additional information about this topic, please contact Ammon Fillmore at (317) 977-1492 or afillmore@hallrender.com or Mark Swearingen at (317) 977-1458 or mswearingen@hallrender.com.

About the Authors: Ammon Fillmore and Mark Swearingen are attorneys with Hall, Render, Killian, Heath & Lyman, P.C., the largest healthcare-focused law firm in the country. Please visit the Hall Render Blog for more information on topics related to healthcare law.


Infographic: Healthcare Data Breaches in 2016

February 20th, 2017 by Melanie Matthews

Data breaches in the healthcare industry are increasing every year at an alarming rate, according to a new infographic by Kays Harbor.

In 2016, there were a total of 326 breach incidents, according to the United States Office of Civil Rights. The number of breach incidents is increasing despite awareness, HIPAA regulations, guidelines and strict measures to protect patient privacy.

The infographic drills down on the breaches that occurred in 2016 and how to minimize the risk of a breach this year.

Healthcare Data Breaches in 2016

HIPAA Training for Employees DVD
HIPAA Training for Employees DVD provides training on the following: privacy rule basics; use and disclosures; patient rights; employee behaviors to safeguard patient information; security rules; safeguards to protect patient information electronically; HITECH; breach identification and notification; enforcement; and level of fines.


Infographic: Patient Communication Compliance

January 11th, 2017 by Melanie Matthews

Communication with current and potential patients is pivotal to maintaining and growing your practice, but your practice must ensure that all of your communication points comply with HIPAA, FDA and FTC rules, according to a new infographic by Response Mine.

The infographic touches on all points of patient communication—from digital advertising and marketing to scheduling appointments and patient reminders—to help practices protect patient information and stay compliant.

Patient Communication Compliance

Framework for Patient Engagement: 6 Stages to Success in a Value-Based Health System

Intermountain Healthcare’s strategic six-point patient engagement framework not only has transformed patient care delivered by the Salt Lake City-based organization but also has fostered an attitude of shared accountability throughout the not-for-profit health system.

Framework for Patient Engagement: 6 Stages to Success in a Value-Based Health System details Intermountain’s multilayered approach and how it supports its corporate mission: Helping people live the healthiest lives possible.


Infographic: Is Your Healthcare Data Safe?

December 12th, 2016 by Melanie Matthews

Data loss from U.S. hospitals, urgent care centers, dental practices and clinics is reaching epidemic proportions, according to a new infographic from Safetica. Last year the confidential records of one in three healthcare patients in the United States were compromised. But what are the costs and causes of data breaches—and how can they be prevented?

The infographic examines the impact of data breaches, the cost of a data breach and a checklist to compare your organization’s data security practices against recent HIPAA case law.

Is Your Patient Data Protected?

2016 Healthcare Benchmarks: Data Analytics and Integration

The 2016 Healthcare Benchmarks: Data Analytics and Integration assembles hundreds of metrics on data analytics and integration from hospitals, health plans, physician practices and other responding organizations, charting the impact of data analytics on population health management, health outcomes, utilization and cost.

2016 Healthcare Benchmarks: Data Analytics and Integration examines the goals, data types, collection processes, program elements, challenges and successes shared by healthcare organizations responding to the January 2016 Data Analytics survey by the Healthcare Intelligence Network. Click here for more information.


Infographic: Cyber Attacks Hit Healthcare

April 4th, 2016 by Melanie Matthews

The healthcare industry is under pressure to advance its use of technology to control costs, digitize patient information and streamline operations. But with significant increases in cyber attacks and the sensitive nature of healthcare data, security is a growing concern, according to a new infographic by ESET.

The infographic examines: which threats healthcare organizations fear most; how healthcare breaches affect consumer behavior; and what security solutions are most effective.

Covered Entity Manual

Covered Entity Manual is a template-style download manual that can be easily adapted to align with your compliance needs as a covered entity. All content complies with the Omnibus Rule.

Covered Entity-Specific Manual provides you with a generic, comprehensive set of policies and procedures: 33 privacy policies; 30 security policies; 6 policies that address common requirements of both the privacy and security rules; 1 breach notification policy; and 12 forms and templates, including a notice of privacy practices.


Infographic: HIPAA Physical Safeguards

January 27th, 2016 by Melanie Matthews

Physical safeguards are a set of rules and guidelines that outline how the physical storage of, and access to, protected health information should be managed under HIPAA security rules, according to a new infographic by Vigyanix.

The infographic details the Physical Safeguard requirements for facility access controls, workstation use and security, and device and media controls.

Business Associate Manual

Business Associate Manual is a template-style manual that can be easily adapted to align with your compliance needs as a business associate (BA). All content complies with the Omnibus Rule.

Specifically developed to help BAs meet complex privacy & security compliance requirements. The Business Associate Manual includes: 6 privacy policies; 30 security policies; 6 policies that address common requirements of both the privacy and security rules; 1 breach notification policy; and 4 forms and templates.


Infographic: The Year of the Healthcare Data Breach

January 1st, 2016 by Melanie Matthews

The healthcare industry has become a high-profile target for cyber criminals. For the first half of 2015, healthcare ranked #1 in terms of notable incidents of records compromised, with nearly 34 percent of all records compromised across all industries, according to a new infographic by IBM.

The infographic looks at the impact of healthcare data breaches and why healthcare data is so valuable.
