It’s important for you to know that HIPAA compliance covers the cybersecurity measures necessary for EVV. That information is straight from an email issued by ANCOR, which cites the EVV legislation as its source, along with Tim Hill, the Director of CMCS.
Last year, as a service to our members, OPRA partnered with MyHIPAA Guide to spearhead the development of a HIPAA compliance program for the residential sector. This is the only program of its kind available for residential providers.
The program includes all the materials you need for compliance, plus an option for unlimited phone and email consultation to help you through the process of protecting private health information.
With EVV right around the corner, we are offering a $100 discount off the price of an annual subscription with the coupon code: OPRA2018.
Go to hipaa.opra.org to subscribe.
At the recent annual conference of the Association of Professional Developmental Disability Administrators (APDDA), we had the pleasure of hearing from administrators from facilities in Corpus Christi and San Antonio, Texas and Miami, Florida who spoke about their experiences preparing for and recovering from Hurricane Harvey and Hurricane Irma last fall. Part of building an emergency preparedness plan includes making provisions to meet the needs of residents with disabilities in the event of an evacuation.
But! Even in an emergency preparedness plan, a resident’s health information is still protected by the HIPAA Privacy Rule.
Check it out! The Department of Health and Human Services offers a great interactive tool, The HIPAA Privacy Decision Tool, that through a series of questions helps you determine how the HIPAA Privacy Rule would apply in specific emergency situations (it’s available as a flowchart, too!). Other emergency preparedness resources are also available through the HHS site.
Key Point: If you don’t document it, you can’t prove you have followed privacy regulations — meaning you could face penalties. Security policies and procedures are mandated under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, and the regulations are very specific about the policies and procedures you need to implement and the written records you must keep of them.
Through your documentation of policies and procedures, specify the security measures you have in place and the procedures you have for ensuring daily vigilance.
Keep in mind: Document everything, including all assessments, precautions, procedures, actions, findings, and processes covered under HIPAA requirements. Organize your compliance documentation in central locations, so both paper and electronic records can be easily referenced.
Ask yourself if you are keeping records of:
- Procedures for distributing privacy notices (which should include instructions on how to file complaints and report security concerns)
- Security policies and procedures (including written records of required actions, activities, or assessments)
- Complaint resolutions
- Updates to policies and procedures
- Sanctions against workforce members relating to privacy or security issues
- Staff training
- Business Associate Agreements
Be sure to keep privacy and security records for six years from the date a document was created or the date it was last in effect, whichever is later. Also, periodically review and update documentation in response to changing conditions — such as a move to a new location or a new IT system — that impact the security of private health information.
Note to readers: See the right rail of hipaa.opra.org for HIPAA documentation and consultation services tailored for residential services providers.
By Justin Buren, OPRA Member
While serving as Director of the FBI in 2012, Robert S. Mueller, III famously noted that “there are only two types of businesses: Those who have been hacked and those who will be.” Scarcely a year later, the Target credit card scandal rocked the nation, followed by a chain of data breaches that continues today – with healthcare a primary target.
Recently, the Buren Insurance Group, Inc. commissioned the development of a cyber risk assessment survey, geared for small to medium size organizations. The 20-point survey (available on this website or by typing in hipaa.opra.org/quiz/cyber-risk-exposer) emerged from our own experience with incidents involving clients we serve.
That’s right. Far from the high publicity hackings at organizations such as Anthem and CVS, incidents we see here in central Ohio are among the small, barely-known breaches that are most prevalent of all throughout the United States.
In one of our experiences, a CFO’s email address was fraudulently used to trick his assistant into issuing a $25,000 check. The assistant issued the payment without a second thought, because by every indicator, the request had come from her boss – from his email address, and even in his writing style!
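The incident above is the classic business-email-compromise pattern: the visible sender address and writing style are exactly the things an attacker can copy, so they are not proof of who sent a message. What a mail gateway or a reviewer can check instead are the header fields a forger tends to get wrong. The following script is an added example and is not code from the author or from OPRA; the company domain, the executive list, and both sample messages are constructed for illustration.

```python
"""Flag business-email-compromise (BEC) indicators in a raw e-mail (RFC 5322) message.

Added example, not from the article. COMPANY_DOMAIN, EXECUTIVES and the two
sample messages below are assumptions constructed for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example-provider.org"                          # assumed
EXECUTIVES = {"pat rivera": "pat.rivera@example-provider.org"}   # assumed


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like(domain: str, target: str) -> bool:
    """True if domain is a near-miss of target: homoglyphs, a couple of typos,
    or the same name registered under another TLD."""
    if not domain or domain == target:
        return False

    def norm(s: str) -> str:  # common homoglyph substitutions
        return s.replace("rn", "m").replace("0", "o").replace("1", "l").replace("vv", "w")

    if norm(domain) == norm(target):
        return True
    if domain.split(".")[0] == target.split(".")[0]:   # example-provider.co vs .org
        return True
    return _edit_distance(domain, target) <= 2


def bec_indicators(raw_message: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    _, return_addr = parseaddr(msg.get("Return-Path", ""))

    # 1. Display name of a known executive, but the address is not theirs.
    key = from_name.strip().lower()
    if key in EXECUTIVES and from_addr.lower() != EXECUTIVES[key]:
        findings.append(f"display-name spoof: '{from_name}' but address {from_addr}")
    # 2. Sender domain is a lookalike of ours.
    if looks_like(from_dom, COMPANY_DOMAIN):
        findings.append(f"lookalike sender domain: {from_dom}")
    # 3. Replies would go somewhere other than the apparent sender.
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"reply-to mismatch: {reply_addr}")
    # 4. Envelope sender (Return-Path) does not match the header From domain.
    if return_addr and _domain(return_addr) != from_dom:
        findings.append(f"return-path mismatch: {return_addr}")
    # 5. Our own gateway recorded an SPF/DKIM/DMARC failure.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{mech}=(fail|softfail|none)\b", auth):
            findings.append(f"{mech} result: fail/none")
    # 6. Payment pressure in the body, the usual BEC lure.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if re.search(r"\b(wire|check|payment|invoice)\b", text) and \
            re.search(r"\b(urgent|today|asap|confidential)\b", text):
        findings.append("urgent payment request in body")
    return findings


# Constructed sample: lookalike domain ("1" for "l"), free-mail Reply-To, DMARC failure.
SAMPLE = """\
Return-Path: <billing@examp1e-provider.org>
Authentication-Results: mx.example-provider.org; spf=pass; dmarc=fail
From: Pat Rivera <pat.rivera@examp1e-provider.org>
Reply-To: pat.rivera.ceo@freemail.example
To: assistant@example-provider.org
Subject: Quick favor
Content-Type: text/plain; charset=us-ascii

Can you cut a check for $25,000 to the vendor today? Keep this confidential.
"""

# Constructed sample: a legitimate internal message, which should produce no findings.
CLEAN = """\
From: Pat Rivera <pat.rivera@example-provider.org>
To: assistant@example-provider.org
Authentication-Results: mx.example-provider.org; spf=pass; dkim=pass; dmarc=pass
Subject: Lunch
Content-Type: text/plain

See you at noon.
"""

if __name__ == "__main__":
    for name, raw in (("SAMPLE", SAMPLE), ("CLEAN", CLEAN)):
        print(name, bec_indicators(raw) or "no indicators")
```

Two caveats. Header checks like these catch forged and lookalike senders, but not a mailbox that really has been taken over, where every header is genuine; for that case the only reliable control is the one a small provider can put in a written procedure today: any request to move money or change payment details is confirmed by phone at a number already on file, never by replying to the email. And the Authentication-Results check is only meaningful for the header your own gateway added, since an attacker can insert a fake one upstream.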
In another incident, a nurse brought her teenager along on a home visit arranged by her employer. The 18-year-old “kid” stole information contained in a manila folder on the kitchen counter top of the home. Just enough info to open a credit card – and finance a fraudulent shopping spree.
Under the Health Insurance Portability and Accountability Act (HIPAA), healthcare providers, including those in the I/DD sector, are required to meet very specific privacy and security regulations. Full compliance with HIPAA indeed reduces the risk of penalties or civil liability.
However, that doesn’t stop hackers from trying, and sometimes succeeding. Even during a period when aggressive enforcement of HIPAA has elevated awareness of privacy obligations, breaches of protected health information (“PHI”) escalated by 25 percent last year over 2016 – with email and network servers identified as common points of unauthorized entry.
The reality of cyber crime? It is typically about somebody – often an insider — gaining access to the kind of private health information that employees pull up every day on their computers. That then opens the door to fraud.
As the keeper of private health information, you are accountable for preventing unauthorized exposure to the best of your ability.
Questions to ask yourself include:
Are you meeting requirements to reasonably protect the information entrusted to your organization?
Are you reducing risk to the greatest extent possible?
There is no fool-proof plan of protection. The best you can do is to look inward within your organization, to intelligently assess and mitigate risk.
But above all, avoid the fool-ish plan, which is to assume that this stuff just happens when far-away crooks pull off big heists that make news and create multi-million-dollar headaches for mega organizations.
Think instead about the administrative assistant who unwittingly wrote a $25,000 check to a thief. Or the lady who left too much information on her counter top when the home nurse came to visit.
About the author: Justin Buren is a member of the Ohio Provider Resource Association and a preferred vendor partner. He focuses on risk management, safety, and insurance for providers.