Category: Compliance
HIPAA Compliance is Not A Choice
The HHS Office for Civil Rights (OCR) just sent another clear message: HIPAA compliance isn’t optional no matter your practice size. The OCR has reached a resolution with Vision Upright MRI, a small California imaging provider, after a breach of unsecured protected health information (PHI) impacted 21,778 patients. The breach originated from an unsecured server that housed radiology images and lacked proper risk analysis, audit controls, and breach notification procedures. What happened:
As a result, the total settlement cost was a $5,000 fine plus 2 years of monitoring in addition to mandatory corrective actions including:
Why this matters to you: Whether you’re a solo provider or part of a large system, OCR expects every HIPAA-covered entity to:
Mandated CME Requirements Are Shifting
A recent reorganization of Texas Medical Board (TMB) rules has removed certain universal CME obligations. The removal of universal CME requirements could result in a lighter load for physicians but may make it more challenging to determine what is required and when.
Please click the button below to view the entire article from the Texas Medical Association.
Exclusion Review (HOW TO)
Part 3 of 3: System for Award Management Report (SAMS)
This one is a little bit tricky. If you need help, please give us a call.
Exclusion Review (HOW TO)
Part 2 of 3 Exclusion Review: Texas Office of the Inspector General
Exclusion Review Part 1 of 3
Texas Office of Inspector General (OIG) Exclusions
Don’t forget to retain searches for 10 years.
Exclusion Review
There are three (3) websites you are required to search before hire and monthly thereafter.
POET has put together step-by-step instructions to help you navigate each one. Today is:
PART 1 of 3: Office of the Inspector General (OIG)
What is the Security Rule Anyway?
The Security Rule specifically sets out to ensure the “confidentiality, integrity, and security” of electronic protected health information (ePHI). What does that mean?
• Confidentiality: ePHI is not available or disclosed to unauthorized persons.
• Integrity: ePHI is not altered or destroyed in an unauthorized manner.
• Availability: ePHI is accessible and usable on demand by an authorized person.
Don’t Be Caught Unaware
Key HIPAA Security Rule components:
- Appoint a security officer: Assign someone responsible for overseeing HIPAA security compliance, which includes managing risk assessments, audits and staff training.
- Implement access controls: Limit access to ePHI to authorized personnel only, and use strong password policies, multi-factor authentication (MFA) and user role-based access.
- Conduct regular risk assessments: These are explicitly required for HIPAA compliance. Covered entities and business associates are required to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI).” This is often referred to as a “risk assessment” or “risk analysis.”
  ♦ A one-time risk assessment is not enough. Risk assessments need to be ongoing and periodic to ensure that new threats, vulnerabilities and changes to systems are consistently evaluated. This should be annually or as dictated by your organization’s risk profile.
  ♦ Document all risk assessment processes and results to meet HIPAA audit requirements.
- Schedule regular security audits: While a risk assessment identifies threats and vulnerabilities, security audits go deeper into validating whether your safeguards and controls are both in place and effective.
  ♦ Administrative safeguards: Audits check for proper security policies, workforce training, and contingency planning.
  ♦ Physical safeguards: Audits assess physical controls around facility access and device security.
  ♦ Technical safeguards: Audits evaluate technical controls such as encryption, access controls and network monitoring.
  ♦ By conducting these audits on a scheduled basis (e.g., annually or quarterly, depending on the organization’s size and risk profile), you can detect and address any areas of non-compliance before they become liabilities.
- Establish data backup systems: Regularly back up ePHI and store backups securely offsite.
- Enable audit logs: Activate and monitor audit logs for all systems handling ePHI.
What are the Security Requirements for HIPAA Compliant Emails?
Security Rule (§164.306)
(a) Encryption: Secure email containing PHI from end to end. You may consult the National Institute of Standards and Technology (NIST) for advice on the latest and most suitable standards for email services.
(b) Email Phishing Protection: Technology can include email filters and spam protection systems that help detect and block phishing emails before they reach the user’s inbox. Anti-phishing software solutions can detect and block phishing attempts by analyzing web traffic and identifying malicious websites designed to steal user credentials.
(c) Spam Protection: Email spam protection is a system designed to detect and block unwanted or potentially harmful email messages from reaching a user’s inbox.
(d) Virus Protection: Installed on email servers and user devices, virus protection solutions scan emails, including attachments and links in emails for viruses. The software is automatically updated with the latest virus definitions to protect against new threats and provide continuous monitoring and real-time protection of email traffic.
(e) Ransomware Protection: Ransomware security protection involves a range of measures and tools designed to prevent, detect, and respond to ransomware attacks. In addition to the antivirus software, phishing detection, spam filters, and email filtering discussed above, ransomware protection includes endpoint protection, which monitors and secures individual devices against ransomware attacks along with the entire network of devices.
LAST CHANCE
Compliance Training
There is still room at the table for POET’s last compliance webinar, November 5th, Noon.
Two topics will be represented: “OSHA for Medical Practices” and “Establishing and Maintaining a Healthcare Compliance Program”.
Come network with other Physician office managers and staff.
Get a bite to eat (you will need to submit your order for Chick-fil-A).
And conquer some of that compliance training you have on your to-do list.
Call POET (936) 637-7638