HIPAA Compliance: A Printable Telephone Checklist

Complying with HIPAA can be painful, especially for a small medical office, and it gets all the more painful when the conversation happens over the phone. Here is a quick checklist to print off and keep by the phone for handling calls:

Do You Have Privacy?
If patients or others are nearby who can overhear the conversation or see the records on your computer screen, you should not be giving out protected health information verbally over the phone. Make sure the office is set up to allow for privacy when discussing HIPAA-protected information by phone.

Use Three Identifiers for Verification:
Verify three different identifiers as an ID check before giving out any information. In addition to the name, you can use identifiers such as address, phone number, the last four digits of the Social Security Number, or date of birth.

Minimum Necessary Rule:
Give only as much information as is absolutely necessary to handle the issue, such as giving the insurance company enough information to pay the claim. Do not volunteer anything beyond that.

Last Four Only:
Do not give out the entire Social Security Number over the phone. Use the last four digits only.

Make Sure You Log the Call:
Make a brief note in the records: the date and time, who called, why they called, what information (if any) was given to them, and who in the office handled the call.
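The checklist above is a manual control, but the same rules can be enforced in whatever front-desk tool looks up the record. The following is an added example (not code from the original article or from Compliancy Group) of a small helper that applies the checklist to one call: it requires three matching identifiers, releases only the fields the stated purpose needs, never compares or releases more than the last four digits of the SSN, and appends a log entry whether or not the caller was verified. The record fields, call purposes, allowed-field lists and sample data are all constructed for illustration.

```python
# Added example: a small front-desk helper that enforces the telephone checklist.
# Not from the original article; record fields, call purposes and sample data
# are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timezone

# Identifiers the checklist allows in addition to the patient's name.
SECONDARY_IDENTIFIERS = ("address", "phone", "ssn_last4", "dob")
REQUIRED_MATCHES = 3

# Minimum necessary: the fields each call purpose is allowed to receive.
# (Purposes and field names are constructed for this example.)
ALLOWED_BY_PURPOSE = {
    "insurance_claim": {"date_of_service", "procedure_code"},
    "care_coordination": {"dob", "date_of_service", "procedure_code"},
}


@dataclass
class PatientRecord:
    name: str
    address: str
    phone: str
    ssn: str              # stored in full; only the last four digits are ever compared or released
    dob: str              # YYYY-MM-DD
    date_of_service: str  # YYYY-MM-DD
    procedure_code: str

    def value(self, field_name: str) -> str:
        """Return a field for comparison or release; the SSN is only exposed as its last four."""
        if field_name in ("ssn", "ssn_last4"):
            return self.ssn[-4:]
        return getattr(self, field_name)


def normalize(text: str) -> str:
    """Compare case-, space- and punctuation-insensitively: '(555) 010-0100' == '5550100100'."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def verify_caller(record: PatientRecord, claimed: dict) -> tuple:
    """Three-identifier check. Returns (verified, list of identifiers that matched)."""
    matched = [
        name for name in ("name",) + SECONDARY_IDENTIFIERS
        if name in claimed and normalize(claimed[name]) == normalize(record.value(name))
    ]
    return len(matched) >= REQUIRED_MATCHES, matched


def handle_call(record, caller, purpose, requested, claimed, handler, call_log, now=None):
    """Work one call through the checklist and append the log entry.

    Returns the fields actually released: nothing if verification failed, and never
    more than the purpose needs even when the caller asks for more."""
    verified, matched = verify_caller(record, claimed)
    released = {}
    if verified:
        allowed = ALLOWED_BY_PURPOSE.get(purpose, set())
        released = {name: record.value(name) for name in requested if name in allowed}
    call_log.append({
        "time": (now or datetime.now(timezone.utc)).isoformat(timespec="minutes"),
        "caller": caller,
        "purpose": purpose,
        "verified_with": matched if verified else [],
        "released": sorted(released) or ["none"],
        "handled_by": handler,
    })
    return released


if __name__ == "__main__":
    # Constructed sample record and calls.
    record = PatientRecord("Jane Q. Sample", "12 Example Street, Anytown", "(555) 010-0100",
                           "000-00-1234", "1980-03-14", "2024-05-06", "EX-1001")
    log = []
    # Insurer verifies a date of service: three identifiers given, only the needed field goes out.
    print(handle_call(record, "Example Insurer", "insurance_claim",
                      ["date_of_service", "ssn"],
                      {"name": "jane q sample", "dob": "1980-03-14", "ssn_last4": "1234"},
                      "front desk", log))
    # A caller who can only give a name gets nothing, and the attempt is still logged.
    print(handle_call(record, "Unknown caller", "insurance_claim", ["dob"],
                      {"name": "Jane Q. Sample"}, "front desk", log))
    for entry in log:
        print(entry)
```

Two design points carry the checklist's intent: the full SSN is never a valid claim or a releasable field, so a caller reading out a complete number gains nothing over the last four, and the log entry is written on the failure path too, since a refused request is exactly what a later review wants to see.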

It is legal to give out health information over the phone for purposes such as getting an insurance claim paid or collaborating with another health care provider to get the patient appropriate care. It is not unusual for insurance companies to need to verify a date of service or an exact procedure. Refusing to answer such questions by phone can unnecessarily delay payments.

Although it is legal to give information by phone to parties who have a legitimate right to it, phone calls still need to be handled in a HIPAA-compliant manner. Protect yourself: print out the above checklist and stick it near the phone today.

Who is a Business Associate?

In today’s society, the protection of personal information has become more important than ever. This has been especially true of health care information, which has experienced huge problems with security breaches and other lapses in judgment by employees. With the HIPAA Privacy Rule now in effect, much more emphasis is placed on ensuring that only those who are authorized to access sensitive information can do so. In many instances it is easy to know who should have that authority, but in other circumstances the lines may be blurred. Therefore, it is important to know exactly who meets the criteria of a Business Associate.

When deciding who qualifies as a Business Associate, the answer often lies in the type of data they interact with and other business they do on behalf of a Covered Entity. In most situations, a healthcare provider deals with many people who are thought of as Business Associates. However, the question that must always be asked is whether the disclosure of “individually identifiable health information” is necessary in order to deliver a product or service either to or on behalf of the Covered Entity.

In addition to this, a Business Associate is defined as someone who performs or assists in functions or activities that involve the use or disclosure of sensitive health information. Examples include claims processing, data analysis, benefit management, quality assurance, billing, and practice management. A Business Associate is also defined as someone who performs high-level functions in accounting, administration, financial services, accreditation, consulting, legal, or data management.

By following these guidelines, many people who may not originally have thought of themselves as Business Associates come to find that they are indeed just that. Examples include attorneys and accountants, who regularly interact with health care providers and are involved in work that requires the disclosure of individually identifiable health information. So while some experts see these rules as creating too many people who must be concerned with compliance, others view them as a step toward ensuring that patients’ medical information stays secure.

HIPAA Risk Assessment – The Required Steps

What is HIPAA?

President Bill Clinton signed the Health Insurance Portability and Accountability Act (HIPAA) into law in 1996. The legislation was put in place to protect the individually identifiable information of patients. It created a set of national standards for how this information must be secured and mandated the protocol for notifying patients of security breaches that could compromise the confidentiality of their information. There are some exceptions in which a patient’s information must be released, such as:
• To comply with a court order
• To locate a fugitive or other legally wanted person, such as a witness
• To report a crime
• To report abuse or neglect

What’s in a HIPAA Risk Assessment?

HIPAA compliance participation is mandated by the Department of Health and Human Services (HHS). A process that is known as a HIPAA risk assessment must be completed as proof that any health-related service is taking the necessary steps to ensure the proper handling of all protected health information or PHI. The nine standards dictated by the HHS that must be reported upon are:
• Scope of analysis – All media and documents must be examined for potential vulnerabilities, including laptops, hard drives, paper handling and networks.
• Data collection – Where patient information ends up after being gathered, and how it is stored, are examined.
• Identifying potential threats or vulnerabilities – Possible weaknesses in networks, data transportation or storage must be considered from all aspects.
• Assessment of current security measures – Encryption and user authentication must be evaluated for protective efficacy.
• Predicting the likelihood of a threat occurring – Potential risks or weaknesses in both analog and digital methods of dissemination, storage and transportation must be considered as a form of risk analysis.
• Projected impact of a threat – A worst-case scenario should be worked through, taking into account the maximum number of people affected, the data that could be breached, and the insurance and billing impacts.
• Level of overall risk for security breach – Applying HHS standards, the likelihood of threats occurring and the projected severity of impact should be determined and accompanied by mitigation plans.
• Finalized report – An organized document must be submitted to the HHS, although no standard format exists.
• Periodic reviews and updates – The HHS does not dictate specific timelines for periodic reporting, but whenever new technology or business practices are added, a fresh assessment should be performed.
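The "level of overall risk" step combines the outputs of the earlier steps: the assets in scope, the threats identified against them, the safeguards already in place, and the likelihood and impact estimates. The following is an added example (not from the original article or from any HHS tool) of a small risk register that does that combination and ranks the result so that mitigation plans go where they are needed. The three-point scales, the rule that an effective safeguard lowers likelihood by one step, the threshold mapping, and the sample risks are all constructed for illustration; a real assessment would document why each rating was chosen.

```python
# Added example: scoring the "level of overall risk" step with the inputs the earlier
# steps produce. Not from the original article; scales, thresholds, threats and
# safeguards are constructed for illustration.
from dataclasses import dataclass

LEVELS = ("low", "medium", "high")
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    asset: str                      # from the scope of analysis: laptops, network, paper, ...
    threat: str                     # from identifying threats and vulnerabilities
    likelihood: str                 # estimated before considering safeguards
    impact: str                     # projected impact if the threat occurred
    safeguard: str = ""             # from assessing current security measures
    safeguard_effective: bool = False


def residual_likelihood(risk: Risk) -> str:
    """Simplification used in this example: an effective safeguard lowers likelihood one step."""
    if not risk.safeguard_effective:
        return risk.likelihood
    return LEVELS[max(0, LEVELS.index(risk.likelihood) - 1)]


def risk_score(risk: Risk) -> int:
    """Residual likelihood times impact, on the 1..9 scale the two 1..3 ratings produce."""
    return SCALE[residual_likelihood(risk)] * SCALE[risk.impact]


def risk_level(score: int) -> str:
    """Map the 1..9 product back onto the same three-level scale (thresholds constructed)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def build_register(risks):
    """Return the register sorted highest risk first; medium and high need a mitigation plan."""
    rows = []
    for risk in risks:
        score = risk_score(risk)
        rows.append({
            "asset": risk.asset,
            "threat": risk.threat,
            "residual_likelihood": residual_likelihood(risk),
            "impact": risk.impact,
            "score": score,
            "level": risk_level(score),
            "safeguard": risk.safeguard or "none",
            "needs_mitigation_plan": risk_level(score) != "low",
        })
    rows.sort(key=lambda r: r["score"], reverse=True)  # stable: ties keep input order
    return rows


SAMPLE_RISKS = [  # constructed sample input
    Risk("laptops", "lost or stolen laptop holding PHI", "medium", "high"),
    Risk("network", "unauthorized remote access", "medium", "high", "MFA on remote access", True),
    Risk("paper charts", "chart left visible at the front desk", "high", "low"),
    Risk("backups", "backup media unreadable when needed", "low", "medium", "quarterly restore test", True),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(f"{row['level']:6} {row['score']}  {row['asset']}: {row['threat']} "
              f"(safeguard: {row['safeguard']}; plan needed: {row['needs_mitigation_plan']})")
```

Re-running the register whenever an asset, threat or safeguard changes is the "periodic reviews and updates" step in practice: the unencrypted laptop sits at the top until a safeguard is recorded against it, and the one that already has an effective control drops to medium.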

HIPAA Risk Assessment

HIPAA stands for Health Insurance Portability and Accountability Act. It is a federal law that protects individuals’ health care information and restricts access to that information except where allowed by law. Any company that deals with individuals’ health and personal information needs to be in compliance with HIPAA. To assist companies that handle personal health information, certain safeguards have been created. The HIPAA risk assessment is a set of questions that assess a company’s risk of leaking clients’ private information that is protected by law.

There are nine necessary steps to risk assessment: scope of analysis, data collection, identifying and documenting potential threats and vulnerabilities, assessing current vulnerabilities, assessing current security measures, determining likelihood of a threat occurrence, determining level of risk, finalizing documentation, and periodic review and updates to risk assessment. Potential vulnerabilities within the network’s system are identified and plans are put into place to quickly resolve any compromised situations. The risk assessment also looks at what kind of information you are collecting and where it is going. Everything must be HIPAA compliant to ensure individuals’ privacy. How your data is protected is important for your safety and privacy. There are many security measures that can and should be taken to protect information, whether virtual safeguards such as encryption and passwords or physical safeguards such as locks.

Knowing the potential risks and their level enables companies to be more effective in protecting themselves against information leaks. Documenting everything and remaining current on modern technology allows a company to stay on top of its risk assessment and alter its policies and systems to reflect new risks. Following the guidelines and remaining in compliance with HIPAA is the best way to keep clients’ information safe.

Know About Business Associate Compliance

Due to the increasing emphasis on HIPAA privacy regarding Protected Health Information (PHI), Covered Entities are pressured to confirm that vendors or contractors requiring access to health records use the information responsibly. These vendors or contractors are called “Business Associates,” and many companies and vendors fall into this category. However, most people are unsure of who or what is considered a Business Associate when accessing medical records.

Types of Business Associates

Some of the most common Business Associates include medical claims processing services, utilization review consultants, medical transcriptionist services, independent contractors, and attorneys or Certified Public Accountants who are providing litigation services. All of these businesses or organizations, regardless of why they need access to the records, are held to strict HIPAA privacy guidelines that must be adhered to whenever a patient’s record is accessed. Otherwise, they are in violation of the HIPAA Privacy Rule and can be subject to financial penalties or litigation.

Non-Business Associates

There are also individuals and organizations that are considered non-Business Associates. These include delivery services such as the United States Postal Service and private delivery companies such as United Parcel Service, both of which are considered only conduits for data. Other examples include physicians working with a health plan, where both are Covered Entities and assume responsibility independently of one another, and telecommunications relay services for hearing-impaired patients, which act merely to facilitate doctor-patient communication.

While these are examples of what is and is not considered a Business Associate, circumstances can arise that alter the relationship one way or the other. Regardless of the circumstances, an organization’s liability in the event of a data breach does not stop at its own facility. Instead, it is each organization’s responsibility to safeguard the security of patients’ PHI as much as possible. Otherwise, serious lapses in security may occur, and the integrity of the facility and its Business Associate relationships may be questioned.

Business Associate Compliance Requirements Bolster HIPAA Privacy Protections

Among the intentions behind the enactment of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was safeguarding the protected health information (PHI) of every American. To that end, health care professionals who electronically transmit any patient care information, health insurance professionals and individuals who work at health care clearinghouses became known under the law as “Covered Entities.”

As Covered Entities, these individuals face monetary penalties for violating any provision of HIPAA. Violations range from the more routine, such as failure to achieve compliance due to incomplete risk assessments, to the very severe, such as a breach of private health data. According to the United States Department of Health and Human Services (HHS), 70 percent of the organizations subject to HIPAA compliance requirements fail to satisfy standards under the law.

As of January 2013, the release of the HIPAA Final Rule on Privacy and Security by HHS upped the ante by subjecting Business Associates and subcontractors to the same compliance liabilities (and the potential penalties for non-compliance) as the Covered Entities they work with.

The changes certainly present new challenges in the health care industry, especially for those organizations that were already struggling to satisfy the compliance regulations as they were originally introduced in 1996.

Making the effort to ensure all Business Associates and their subcontractors are in compliance, and understand the potential consequences of failing to be, benefits all involved. Business Associates and subcontractors can work confidently knowing they have reduced the risk of facing fines as high as $50,000 per violation for a non-compliance issue. This also helps to keep existing, positive business relationships intact.

Know About Business Associate Compliance

The Health Insurance Portability and Accountability Act (HIPAA) has undergone multiple changes over the past few years; one of the more notable was the final release of the Omnibus Rule in 2013. Under this final rule, a Business Associate is held to the same HIPAA compliance standards and requirements as a Covered Entity. The Department of Health and Human Services (HHS) defines a Business Associate as any individual or organization that has access to Protected Health Information (PHI) and performs services on behalf of a Covered Entity. Under the Omnibus Rule, Business Associates are liable for any HIPAA breach and are subject to the same fines and penalties as a Covered Entity.

To ensure compliance between Business Associates and Covered Entities, a Business Associate Agreement is necessary to provide for the protection of PHI and to defend against any breach, which may lead to a costly audit and potential fines. HIPAA law outlines specific components to be included in a basic Business Associate Agreement, such as establishing the allowable uses and disclosures of PHI, a guarantee from the Business Associate that unauthorized use or disclosure of information will not occur, and an assurance that the Business Associate will implement safeguards to protect PHI. Other responsibilities of the Business Associate include providing information to individuals in accordance with HIPAA regulations, applying any amendments to HIPAA law, and adhering to the HIPAA Security Rule and Privacy Rule.

A Business Associate must maintain documentation to provide reports for auditing purposes and is required to provide records regarding its internal practices. With these new responsibilities, it is becoming more important for Business Associates to employ the services of companies that specialize in HIPAA compliance and that provide web hosting and software applications to assist with compliance needs. The Omnibus Rule has created a need for Business Associates to more carefully manage their agreements with Covered Entities and subcontractors, establish self-auditing practices, develop a risk assessment and management plan, and maintain documentation for use and disclosure tracking. The Business Associate who can demonstrate HIPAA compliance will prove more successful in today’s market.

Top 14 Tips to Achieve HIPAA Compliance for MSPs

Health Insurance Portability and Accountability Act (HIPAA) compliance can seem an overwhelming concept, especially since non-compliance can attract hefty fines depending on the gravity of the infraction. It is a smart move for health providers to train or hire a HIPAA specialist who enforces the security standard and oversees the handling of patients’ protected health information (PHI), together with HIPAA-compliant email communication. However, it is still vital for health professionals to learn the fundamentals of staff compliance in relation to the HIPAA Security Rule; therefore, ensure your staff follows the procedures below. Because of this, Covered Entities are turning to their MSPs for answers regarding HIPAA compliance.

Though following these alone will not make you completely HIPAA compliant, here are a few common struggles and tips for becoming HIPAA compliant.

1. Health practitioners must provide adequate training programs to their administrative employees on handling PHI.

2. Ensure you don’t share sensitive information with people who are not authorized to access it, including personal acquaintances or co-workers.

3. Never access patients’ records unless you need them for your work, or with a written authorization from the patient.

4. Avoid situations where others can overhear patients’ information, and don’t mention a patient’s full name near other people.

5. Secure documents containing PHI in a locker when they are not in use. Cover charts so that a patient’s name is not visible, and never leave patients’ records unattended.

6. Exit computer programs that are running a patient’s record information when not in use. Use management systems with automatic timeout settings in this regard.

7. Ensure you don’t send PHI by email unless you cannot avoid it. And when you do, use HIPAA compliant email services.

8. Back up all your disks containing PHI. Using a HIPAA-compliant cloud server to store patients’ information is safer than storing it on a local server or on paper in case of data loss due to natural or man-made disasters.

9. Assign specific people different security clearance. This prevents employees from seeing or altering information that doesn’t pertain to their duties.

10. Don’t share passwords with your staff members. The HIPAA specialist should assign each authorized employee a particular password.

11. If you need to properly dispose of documents that contain PHI, shred them using a shredder.

12. Ensure that your computers have updated antivirus software installed. This will ensure that your records are protected against malware that may put your information at risk.

13. It is also important to ensure that vendors and other businesses affiliated with you are keeping proper HIPAA standards as well.

14. Create a catalog of all components of your information system that interact with PHI in your office. This will help you assess the security risk of your office and in turn help you seal the security loopholes.

HIPAA rules are ever changing, so you should always stay informed to keep up with new technology. The Compliancy Group offers HIPAA compliance software that allows MSPs, Business Associates and Covered Entities to complete all the necessary steps to become and remain HIPAA compliant quickly and easily.

Get to Know About Business Associate Compliance

The Health Insurance Portability and Accountability Act (HIPAA) allows Covered Entities the option to utilize Business Associates, a relationship that is governed by the HIPAA Privacy Rule. According to the Department of Health and Human Services (HHS), a Business Associate is a person, company or organization that performs services on behalf of a Covered Entity and has access to Protected Health Information (PHI). The Business Associate Agreement is an essential document to help ensure the proper handling of PHI by an associate.

The purpose of the Business Associate Agreement is to outline the specifics regarding use and disclosure of PHI. Permissible uses and disclosures are determined by the relationship between the Covered Entity and the Business Associate and take into consideration the services performed by the contracted company. Since the Business Associate handles PHI, it is bound by the same HIPAA rules as a Covered Entity and is liable for any unauthorized use or disclosure of PHI. If it is determined that a Business Associate was responsible for unauthorized use or disclosure of any PHI, the company could be subject to civil or criminal penalties.

HIPAA law has established specific features to be included in a basic Business Associate Agreement. An agreement must establish the allowable uses and disclosures of PHI based on the services the Business Associate will perform for the Covered Entity. The agreement will also include documentation guaranteeing that the Business Associate will not use or disclose information for purposes other than those defined in the contract or under law. A contracted company is also required to implement safeguards to protect PHI as outlined by the HIPAA Security Rule. In addition, a Business Associate is responsible for providing information to an individual in accordance with HIPAA guidelines, keeping up with any amendments or updates to HIPAA requirements, and adhering to the HIPAA Privacy Rule.

A company that enters into a contract with a Covered Entity must maintain documentation for reporting and auditing purposes. It is also required, when asked, to provide documentation regarding its internal practices. In addition, the agreement applies to any subcontractors who may be employed by the Business Associate, and ensures they follow the same restrictions and guidelines set forth in the contract. Finally, the agreement should outline the terms for termination of the contract should the Business Associate or its subcontractors violate any portion of the agreement.

Any Covered Entity who utilizes the services of a business associate must employ a business associate agreement to ensure HIPAA regulations are being followed. The Privacy Rule sets the standards for business associate agreements to ensure compliance with HIPAA law. Sample agreements can be found on the HHS website.

Facts about HIPAA compliance software

Organizations responsible for the security of Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) can implement software to attain compliance. Implementing the appropriate software will not only ensure compliance but also drastically reduce the time required. Using HIPAA compliance software allows covered entities to maintain HIPAA, HITECH and Omnibus compliance while avoiding the high cost associated with an audit. When a company uses the appropriate software, the daily management of HIPAA compliance can be affordable and flexible.

Any software that collects, stores, or shares PHI with an organization should include safeguards to protect data. HIPAA compliance software must adhere to the Privacy and Security Rules of HIPAA, due to the inherent dangers of handling PHI. One of the basic functions of HIPAA compliance software is secure access to PHI via unique user authentication. An essential element is the encryption of data. Additional functions include regular safety updates (which provide protection from any breach), the ability to audit data and ensure it has not been accessed or modified in any unauthorized way, and data backup.

Since there is no safe harbor clause for HIPAA, it is important to find third party file storage and hosting platforms that explicitly state they are HIPAA compliant. Building your own HIPAA compliance infrastructure is costly and time consuming. It will require ongoing expenditures to maintain, due to HIPAA law changes, updates and auditing. HIPAA hosting and compliance utilizes website applications or data storage and hosting services to comply with the physical safeguard requirements of the HIPAA Security Rule.

PHI must be stored in a compliant environment; therefore, using software and web-based applications can guarantee proper management and handling of PHI. Physical safeguard requirements of the Security Rule are also addressed with compliance software. The implementation of network and application security best practices will protect a hosting environment. A good infrastructure design eliminates all single points of failure, and the use of multiple servers provides essential backup should a server crash. High availability and redundancy of data are crucial to HIPAA compliance infrastructures.

HIPAA compliance software delivers essential protection for any organization responsible for the security of documentation protected under HIPAA guidelines. Using third party file storage and hosting services will provide cost-effective solutions for HIPAA compliance.