HIPAA Certified Does Not Mean You Are Compliant. Being HIPAA certified means that you have successfully undergone a course designed to train and teach you the information you need to enable your business or organization to become HIPAA compliant. It does not mean that you are compliant, but that you have been taught the terms…
HIPAA Compliance Requirements To be HIPAA compliant essentially means that an entity or office is cooperating with and following the laws set forth by Congress in all three waves of HIPAA legislation. The government has mandated that all “covered entities” must meet HIPAA Compliance specifications. These so-called “covered entities” include practitioners and their offices, health…
HITECH Act Summary Definition The HITECH Act came into being because of the increasing use of technology. The acronym stands for Health Information Technology for Economics and Clinical Health Act – a perfect example where the name of the legislation was obviously devised after the acronym! Notwithstanding that, it is a powerful piece of legislation…
The Health Insurance Portability and Accountability of Act demands that all HIPAA covered businesses prevent unauthorized access to “Protected Health Information” or PHI. PHI includes patients’ names, addresses, and all information pertaining to the patients’ health and payment records. According to the Department of Health and Human Services, “HIPAA Rules apply to covered entities and business associates.” Complete compliance with HIPAA guidelines requires implementation of basic and advanced security measures. Basic security includes benchmark-based password creation and use, personnel education and training, limited access to PHI, data encryption, use of firewalls, antivirus software, and digital signatures. With increasing adoption of electronic medical records and cloud-based software-as-service (SaaS), advanced security measures are necessary. Google’s Business Associate Agreement, introduced in September 2013, offers HIPAA compliant online services for covered entities.
Online Security: Google’s Business Associate Agreement
Many healthcare businesses use Google Business Apps. Google Business Apps are cloud-based software-as-service (SaaS) where small businesses have access to a suite of Google services such as Gmail, Google Calendar, Docs, Drive (storage), Apps etc. Google uses Ernst and Young third party evaluated and ISO 27001 certified encryption and authentication. But despite these foundational precautions, not all components of GBA have a level of security necessary for HIPAA compliance.
Enter Google’s Business Associate Agreement (BAA). Google’s Business Associate Agreement provides an additional layer of online safety by offering HIPAA compliant security for users of Google Apps Vault, Gmail, Google Calendar, and Google Drive. Businesses that opt for this agreement are precluded from using any of the other services in the Google Business Apps package (such as Google Docs, Hangouts, Marketplace, websites, etc), under the domain registered with and covered by Google’s Business Associate Agreement. Google’s BAA guidelines state “Customers who have not entered into a BAA with Google must not use Google services in connection with PHI.” The agreement requires that HIPAA covered businesses sign up for a Google Apps for Business Administrator account.
Training Reduces Human Errors
In addition to having the best online security, complete compliance requires implementation of solid procedures and policies, which includes training for staff members to prevent human errors. The Privacy and Security Rules require that healthcare businesses educate and train workers regarding policies and procedures for HIPAA compliance. Training requires experience and specialized knowledge that even the most advanced healthcare executive may not have.
When evaluating HIPAA training services, make sure the company you choose provides a complete HIPAA training package and is knowledgeable about online security strategies. Training should be affordable, but also useful in other ways. For example, HIPAA training that offers CME and CEU credits is a good way to maintain compliance with HIPAA law while helping your employees maintain valuable credentials.
The post Gmail, Google Apps for Business HIPAA Business Associate Agreements appeared first on HIPAA.com.
Who is ultimately responsible for enforcement of HIPAA and what types of penalties are levied when a covered entity or business associate is found to be non-compliant with the regulations? Many healthcare offices and their staff don’t know the answer to this question; they have only a vague notion about the enforcement and the consequences of not adhering to the law.
The real HIPAA enforcement agency is the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Complaints are filed with the OCR, and they are responsible for administering, investigating and enforcing the HIPAA privacy standards. The Centers for Medicare & Medicaid (CMS) enforce the code set and security standards.
The American Recovery and Reinvestment Act of 2009 created a tiered penalty configuration for HIPAA violations. But it is the OCR that determines the amount of each penalty, and it is dependent upon the nature and extent of harm that results from the breach. For example:
- The fine for a first time infringement by someone who did not know they violated HIPAA could be as low as $100 or as high as $50,000.
- The fine for a violation due to willful neglect, but corrected within the required time period, is a minimum of $10,000 per violation with a maximum of $50,000.
- The fine when the willful neglect violation is not corrected increases from $10,000 to $50,000.
However, whenever there is a violation that is not considered willful neglect and it is corrected within 30 days of notice, the OCR cannot impose the civil penalty.
A Privacy Rule infraction can be considered criminal and may lead to prosecution by the Department of Justice if someone deliberately acquires or discloses a person’s health information; the fine is $50,000 and up to one year in jail. Whenever an offense is committed through deception, the fine is $100,000 and the jail time is 5 years. And, if person’s health information was sold, transferred or used for profit-making, or any type of personal gain or intent to harm, the fines can go as high as $250,000 with imprisonment for up to 10 years.
Knowing that enforcement of HIPAA is real and that the penalties can be financially and professionally devastating, healthcare offices need to prioritize their training efforts for all of their staff. There truly is no excuse for any healthcare office not to be thoroughly trained in HIPAA law, because if they are found to be out of compliance HHS will not accept ignorance of the law as a defense.
The Health Insurance Portability and Accountability Act has set various guidelines, which should be adhered to by anyone who handles any electronic medical data. These guidelines stipulate that all medical practices must ensure that all necessary measures are in place while saving, accessing and sharing any electronic medical data to keep patient data secure . Lack of compliance to the HIPAA security standards could lead to large fines and in extreme cases even loss of medical licenses. Several steps can be followed by medical practices to ensure compliance to HIPAA standards. These steps include:
Run a complete risk assessment of the medical practice
Some medical practices adopted electronic health recording systems before there were clear guidelines on what these systems should contain. This means that a medical practice could be using electronic systems which are not compliant with HIPAA standards. To ensure HIPAA compliance a risk assessment should be done on the current systems using HIPAA standards and guidelines to highlight areas in which compliance is not enforced. A risk assessment against HIPAA guidelines exposes areas in which changes are needed.
Prepare for disaster before it occurs
All the data handled by a medical practice should be safe both from loss and corruption. One of the main ways of ensuring that data is not lost in case of any mishaps is backing up of medical data regularly. Data should be backed up in an offsite location such that in case of incidents such as fires in the medical premises the data backup is not destroyed, as well. Antivirus programs should also be installed in all computers to ensure that data is not corrupted or destroyed by computer viruses.
Have an ongoing employee training program
Any system is only as strong as its weakest link and in most cases untrained employees are the weakest links in medical practices. A medical practice could have a very secure encryption system, but if the employees don’t use their passwords to securely access records and files the encryption system is rendered useless, and anyone can gain access to these records. Medical practices should continually train their staff on how to follow the right security protocols to ensure data integrity and security.
Buy medical products with security compliance and compatibility in mind
New equipment bought for a medical institution should be compatible with existing systems and should offer enough security features. Some medical equipment may offer enough security features but may be incompatible with existing systems or vice-versa. Thus before making any major purchases enough review of the product should be done to ensure both security and compatibility.
Collaborate with affected parties
Changes which need to be made to bring about HIPAA compliance affect many people in the medical practice. Affected departments should be consulted when making changes to ensure all parties affected by the changes are happy with the changes.
Ever since HIPAA Privacy Rules became finalized law in 2003, many healthcare practices have been anxious and fearful of penalties should they interpret the law incorrectly and be out of compliance. Non-compliance fines can be hefty, so it is understandable why many providers practice with apprehension.
HIPAA rules have brought a needed awareness for patient privacy, but at the same time much of the law is hazy with areas often needing legal interpretation. According to Ronald B. Sterling, MBA, a health technology consultant, “A lot of people overthink HIPAA and take it to extremes.” (1) When the law is unclear and healthcare professionals are worried about self-protection, staff members tend to go overboard when interpreting the rules. And the office philosophy becomes if we want to be safe and stay compliant, we can’t tell anyone anything! Hospitals also have this mindset created by overzealous risk managers and lawyers. The doctors with privileges at these institutions take this viewpoint back to their practice as the safe hospital-endorsed thing to do.
Interpretation errors, even when on side of caution, aren’t necessarily good for the patients and can actually infringe upon their rights. And, the “don’t tell anyone anything” concept is keeping information from people who need and deserve to be informed.
Medcape reported that at a congressional subcommittee hearing on HIPAA last April, Carol Levine from the United Hospital Fund testified that when she took her sister to the emergency room with severe abdominal pain, even though her sister asked her to stay with her in the room, a triage nurse said, “You can’t come with her. It’s a HIPAA rule.” When her sister replied, “But I want her with me,” the nurse responded, “no way.” (1) Congressman Tim Murphy also testified at that hearing and spoke of provider anxiety by saying, “Fearful of new penalties for violating HIPAA, doctors and nurses were refusing to even talk about a patient’s illness with caretakers, all of whom were [professional] caretakers, spouses, siblings, or those managing the affairs of their elderly parent.” (1)
These are examples of how incorrect versions of this law can actually work against the people it was designed to protect, the patients. Withholding information does not protect anyone and is a violation of the patient’s rights. There are numerous resources available to help healthcare professionals understand this law. While some questions can be answered quickly by accessing the U.S. Department of Health and Human Service’s website, the best protection comes from thorough HIPAA training. (2)
Since the inception of HIPAA in 1996, its broad implications have affected all areas of health care including dentistry. And, if asked, most dentists and their staff would say they know what the HIPAA regulations are, and yes, they have been trained, but are they really up to date with HIPAA’s ever expanding changes and compliance requirements? Are they trained in the areas of HIPAA Security, Privacy, Enforcement and Breach Notification Rules and do they know that they must be in compliance with the 2013 HIPAA Omnibus Final Rule by September 23, 2013?
Compared to the ever-growing size of medical practices today, most dental offices are still rather small with just one to five dentists practicing together, and maintaining compliance is not easy for a small office. It requires a continual effort on the part of the dentist and the office staff. This commitment of time, people and resources is sometimes where the process hits a wall. Many dental offices did their initial training when the Privacy Rules were enacted but have not kept current with training, and often the HIPAA protocols that they put in place have fallen by the wayside. This is especially true in offices with a limited number of employees and frequent staff turnover.
Almost all dental practices submit their claims electronically to insurance companies, which subjects them to the HIPAA regulations in regards to electronic claims submission. But, are these offices following through with the certification requirements to safeguard and protect electronic patient information, and is there a written risk assessment?
Most offices are much more familiar with the HIPAA Privacy Rule. But, without the benefit of refresher training and instruction for new staff, these offices may not be fully adhering to the HIPAA privacy conditions.
The American Dental Association does offer resources and online webinars for dental offices to help them educate their staff and remain compliant with HIPAA laws. But, there are also many other online HIPAA training programs that are ideal for the small dental office…and besides providing a good solid base of instruction, they help offices stay on track with their HIPAA programs.
Dentists who realize the importance of training their staff regularly and making sure new hires are immediately well-informed and proficient in HIPAA law are much less likely to have any reported complaints or fail an audit. HIPAA training is crucial, not just because the office could be substantially fined if not in compliance, but because it is essential to protecting their patient’s private health information.