Breaking Compliance News Blog

HIPAA Reminder: Paper Still Counts

Posted by Margaret Scavotto, JD, CHC on 6/21/22 11:40 AM

Lately, my inbox is flooded with warnings, reminders, and webinars about cybersecurity. Rightly so: cyberattacks are on the rise, and healthcare remains the #1 target. At MPA, we recently updated our HIPAA Security Risk Analysis, and we carefully documented every source of electronic PHI.

But: Paper still counts.

With so much of our efforts focused on cybersecurity and electronic PHI, we can’t lose sight of the risks posed by paper PHI. For example:

  • A patient went to the emergency department at a hospital to get her blood pressure checked. While there, her nurse wrote down the blood pressure result on a piece of paper. The patient noticed that the other side of the paper listed another patient’s name, number, address, and positive HIV status. 
  • A health system “became aware of a break-in to an off-site storage facility where certain limited patient records were housed. Six boxes of paper documents were removed from the facility without authorization.” 

In the HIPAA world, paper PHI still counts! Make sure your HIPAA security risk analysis and mitigation plan include paper PHI in addition to electronic PHI.

  • Remember:
Read More

Topics: HIPAA, security, privacy

“That’s so cute!” (if there’s a HIPAA authorization)

Posted by Margaret Scavotto, JD, CHC on 6/14/22 11:17 AM

 

Are you on TikTok?
 
I’m not (although I hear it’s worth it for the air fryer recipes).
 
But everyone else is, including an increasing number of healthcare professionals and healthcare providers.
 
Social media use increased during the early pandemic days as a way to connect with the world from inside locked down facilities. It also brings a healthy dose of levity.
 
For example:
  • A nursing home’s videos of residents enjoying therapy dogs Floyd and Loki went viral on TikTok. 
  • Last Thanksgiving, one nursing home’s TikTok video of the administrator dressed as a Thanksgiving turkey went viral. 
  • In a Scotland nursing home, a 102-year-old resident ‘s daily exercise dance routine – done with two nurses – was posted to TikTok. In the video, the resident and two of his caregivers are seen dancing. The home claims the videos “have been a great way to get the residents up and moving, and they’ve loved taking part.”
I love these videos! They are so cute. And they are okay to use – IF the patients signed a valid HIPAA authorization before the videos were taken.
 
Without a HIPAA authorization, the cute factor fades, and we are left with a potential HIPAA breach to investigate.
 
Thinking of going viral? Have fun – but make sure everyone involved understands the HIPAA consequences.

What you can do:

Read More

Topics: Training and Education, HIPAA, Social Media, security, privacy

Last Chance: Sign up for MPA's Virtual HIPAA Training!

Posted by Margaret Scavotto, JD, CHC on 6/7/22 12:03 PM

HIPAA is a lot!

MPA's e-course makes it easier to keep up with privacy, security, breach notification, and social media.

Sign up for MPA's Virtual HIPAA Training Course

Read More

Topics: Training and Education, HIPAA, Social Media, security, breach notification, privacy, webinar

Cold Hard HIPAA Stats: Where Do You Stand?

Posted by Scott Gima on 5/25/22 1:15 PM

HIPAA risks change constantly – and so must our response to them. The latest HIPAA statistics reveal how HIPAA risk is shifting (and increasing):

Read More

Topics: HIPAA, security

Sign up for MPA's Virtual HIPAA Training!

Posted by Margaret Scavotto, JD, CHC on 5/19/22 8:45 AM

HIPAA is a lot!

MPA's e-course makes it easier to keep up with privacy, security, breach notification, and social media.

Sign up for MPA's Virtual HIPAA Training Course

Read More

Topics: Training and Education, HIPAA, Social Media, security, breach notification, privacy, webinar

When Senior Tech Support Scams are a Cybersecurity/HIPAA Issue

Posted by Scott Gima on 5/10/22 9:45 AM

The FTC regularly sends out consumer alerts on various scams. Turbo Tax’s “free” tax service and car dealer junk add-on fees are just a couple of recent alerts. Many times, these emails hit the trash bin after reading the subject line. This morning, my inbox had the FTC’s latest alert: Shutting Down Tech Support Scams. This morning was different – I opened the email and read the alert. Why? Because an older family member was a victim of a tech support scam.

First, let me tell you about my family member’s experience with a tech support scam. Some of the facts have been changed to protect the family member’s identity. But to make it easier, let’s call my family member Mom. Mom and Dad are retired and in their 80s. A few years ago, my family went to Mom and Dad’s house for Thanksgiving. While there, other siblings and cousins are discussing possible Christmas gifts, so I jump on Mom’s computer to do a little online shopping.

In the bottom right-hand corner, the Windows task bar typically has a bunch of icons that show programs that are loaded on startup. Mom’s taskbar showed a TeamViewer icon. TeamViewer is a legitimate remote desktop program that is typically used by tech support people to obtain remote access to a workstation, computer or laptop. I recognized the icon because TeamViewer has been used by our own company’s tech support. But there is no reason for Mom to have this program on her home computer. So I start asking questions and this is what I learned.

Read More

Topics: HIPAA, security

Sign up for MPA's Virtual HIPAA Training!

Posted by Margaret Scavotto, JD, CHC on 5/4/22 8:15 AM

HIPAA is a lot!

MPA's e-course makes it easier to keep up with privacy, security, breach notification, and social media.

Sign up for MPA's Virtual HIPAA Training Course

Read More

Topics: Training and Education, HIPAA, Social Media, security, breach notification, privacy, webinar

HIPAA Nightmare: Dentist tells patient to Get a Life

Posted by Margaret Scavotto, JD, CHC on 4/28/22 9:00 AM

Dr. U. Phillip Igbinadolor, D.M.D. & Associates received a $50,000 civil monetary penalty after his practice disclosed patient PHI in its response to a negative online review.

 

The practice did not respond to the OCR’s data request, did not respond to an administrative subpoena, and did not contest the findings in the OCR’s Notice of Proposed Determination.

 

The dentist’s response to the patient’s review stated:

 

It’s so fascinating to see [Complainant’s full name] make unsubstantiated accusations

when he only came to my practice on two occasions since October 2013. He never

came for his scheduled appointments as his treatment plans submitted to his insurance

company were approved. He last came to my office on March 2014 as an emergency

patient due to excruciating pain he was experiencing from the lower left quadrant. He

was given a second referral for a root canal treatment to be performed by my

endodontist colleague. Is that a bad experience? Only from someone hallucinating.

When people want to express their ignorance, you don't have to do anything, just let

them talk. He never came back for his scheduled appointment Does he deserve any

rating as a patient? Not even one star. I never performed any procedure on this

disgruntled patient other than oral examinations. From the foregoing, it's obvious that

[Complainant’s full name] level of intelligence is in question and he should continue

with his manual work and not expose himself to ridicule. Making derogatory

statements will not enhance your reputation in this era [Complainant’s full name].

Get a life.

 

Lessons to be Learned

The first lesson is obvious: don’t post PHI on social media without a valid HIPAA authorization. This is not the first time providers have responded to Yelp posts that included PHI or information that could identify the patient. Providers can respond to reviews with generic information about their practice – or ask patients to call. Provider responses should never reveal any information about the patient or their visit.

Another lesson is that the OCR is an equal-opportunity enforcement agency. All providers big and small can be investigated. In this instance, this was not a large provider.

Lastly, if you are unsure of what needs to be in place to comply with HIPAA to protect PHI, read the OCR resolution agreement for a prior - and similar - social media breach. The OCR provided the dental practice with “Corrective Action Obligations." These obligations can be used as a checklist to be used to evaluate your current privacy rule practices. Here are some (but not all) key requirements:

  • Policies and procedures that comply with the Privacy Rule.
  • The policies should cover the following:
    • Permissible and impermissible uses and disclosures of PHI
    • Administrative, technical and physical safeguards to protect the privacy of PHI
  • Privacy authorization form
  • A Notice of Privacy Practices – that lists the way PHI is used on social media
  • Provider contact to address Privacy issues – usually the designation of a Privacy Officer
  • Internal reporting mechanisms of possible violations
  • Policies that address corrective action of privacy policy violations
  • Privacy practice employee training

Read More

Topics: Penalties and Enforcement, HIPAA, Social Media

Download MPA's Free HIPAA Resource Guide!

Posted by Margaret Scavotto, JD, CHC on 4/26/22 9:00 AM

HIPAA has been around for years -

but that does not mean complying with HIPAA is easy.

The rules are long, and require a lot of policies. The Security Rule requires a HIPAA Security Risk Analysis - a task that is interdisciplinary, comprehensive, and detailed. Plus, HIPAA guidance and risks are continually changing - and so should your HIPAA training.

MPA's goal is to make HIPAA easier.

We hope this HIPAA Resource Guide provides some practical, step-by-step tools to help you evaluate, implement, or upgrade to a robust HIPAA compliance plan.

Contents:

  • HIPAA In a Nutshell
  • HIPAA Checklist
  • The Top 5 Social Media Posts Your Privacy Officer Fears Most
  • Tackling Social Media
  • How to Conduct a HIPAA Security Risk Analysis
  • Physical Safeguards
  • Technical Safeguards
  • Administrative Safeguards
  • Breach Notification
  • MPA Can Help
  • About Margaret
  • About Scott

Download now!

Read More

Topics: Training and Education, HIPAA

Earn CEUs with MPA's FREE Compliance Webinars!

Posted by Margaret Scavotto, JD, CHC on 4/5/22 8:15 AM

 

 

Sign up for MPA's FREE Compliance webinars:

All webinars are 11:00 a.m. CST - 12:00 p.m. CST and are presented by Margaret Scavotto and Scott Gima.

 

April 6, 2022: Compliance Lessons from Ted Lasso

1.2 CCB CEUs

“Taking on a challenge is a lot like riding a horse, isn’t it?”

"You know what the happiest animal on Earth is? It's a goldfish. You know why? It's got a 10-second memory."

"If the Internet has taught us anything, it's that sometimes it's easier to speak our minds anonymously."

 

Ted Lasso, the Apple TV series that has earned a host of Emmys and Golden Globes, has become a household staple. For most of us, it’s a 29-minute mental break when our work is done for the day. But America’s favorite soccer coach also brings us some priceless compliance lessons. Leading a compliance program through and beyond a pandemic isn’t too different from leading a downtrodden soccer team in England: it’s challenging and requires continuous sources of motivation.

SIGN UP

 

May 11, 2022: Affordable Care Act Compliance Programs for Nursing Homes

1.2 CCB CEUs

It’s been a long road since the Affordable Care Act mandated compliance and ethics programs for nursing homes in 2010. Since then, we have had rules issued; enforcement delayed; and a pandemic. Compliance is never easy in the highly regulated world of long-term care – but it has only gotten harder since this mandate was announced.

SIGN UP

 

The Compliance Certification Board (CCB)® has approved this event for up to 1.2  live CCB CEUs based on a 50-minute hour. Continuing Education Units are awarded based on individual attendance records. Granting of prior approval in no way constitutes endorsement by CCB of this event content or of the event sponsor.

Read More

Topics: Training and Education, HIPAA, compliance

    Privacy Policy           Terms of Use