Healthcare IT News: Hackers Targeting Healthcare Records

2017 Alliance sponsor article provided courtesy of IT Practice

Healthcare records can easily be considered some of the most sensitive data that is being stored by business and healthcare centers. It contains patient’s personal information such as birth dates, medical histories and other identifying information. If this information is breached not only are patients’ identities at risk, healthcare businesses and their reputations are as well! Identify theft of patient data can lead to healthcare fraud and yearly medical price increases, costing both the patients and providers more money each time they need a healthcare visit.

Cyberattacks cost hospitals and the healthcare field millions of dollars in data retrieval and business recovery. According to an Accenture news article, cyber breaches will cost the healthcare industry $305 billion over the next five years. In 2014 alone, nearly 1.6 million patients had their medical information stolen from medical providers. These hacks cost the patient money as well as the business. When valuable money resources are being used to deal with cyber breaches, other areas of the healthcare industry suffer. Less money is spent on medical equipment, hiring more medical providers, and other medical resources. Instead this money is being spent on disaster relief and recovering patient data.

When a breach happens, a healthcare business will then ask itself several questions:

  • How did this breach happen?
  • What can we do to prevent further security threats?
  • What is the most secure system for healthcare data?

Healthcare centers are required by law to keep records electronically. This means secure electronic storage is vital to the healthcare industry. Patients and providers need to be assured that the data is kept secure and is being monitored for any potential threats.

Secure ways of storing data include:

  • Cloud based services: storing data in off-premise centers
  • Business Continuity: Having a plan for business to continue as usual in the event of a breach or disruption.
  • Data Backup and Recovery: Having data backed up and secure and being able to quickly recover this data is vital to healthcare to identify what data was hacked and to secure any additional data from being stolen.

When data is compromised in many other industries, it quickly becomes useless. Passwords and encryptions are changed and any new data becomes inaccessible to the hackers. This is not the case with healthcare data! Healthcare data is some of the most sensitive data that needs to be protected. HIPAA and privacy laws can shut down a practice if there is a data breach and patient information is compromised. Luckily, there are multiple options to secure data and protect the healthcare industries. By using several data security plans, the chances of healthcare data breaches will be reduced.

IT Practice, a HIPAA Certified Company based in Raleigh, NC, provides a wide range of IT solutions for Dental, Medical and Small Business Professionals across North Carolina and Virginia. Contact IT Practice today for a free consultation to determine your exact IT needs.

Recommended Resources:

Advertisements

Patient Portal: The thread that connects patient and provider to enable deeper mutual engagement for managing healthcare

2017 Alliance feature article provided courtesy of TriMed Technologies

What do patient engagement, Electronic Health Records, appointment scheduling, bill payment and reconciliation, prescription refill requests, retail experience, Value Based Payments, HIPAA, and physician office best practices all have in common?

While they seems to be a varied cornucopia placed in a single basket, they all can be connected with technology called Patient Portal.

Like three major highways merging together into a single expressway, and moving at higher and higher speeds, healthcare is experiencing the convergence of government mandates, disruptive payor models, and the general population’s changing expectations and seeming culture shift to consumer driven, retail experiences.

Healthcare providers, from hospital systems to primary and specialty care providers, are increasingly connecting with their patients through their respective Patient Portals. At least they are attempting to do so. In a report published by the American Hospital Association in July 20161 between 2013 and 2015 online medical views more than doubled, download of medical records nearly tripled, and requests to change medical records more than doubled in that period. While this news sounds promising, the reality is that on a broad scale, patients/consumers reported very low use of the tools that patient portals primarily provide.

A survey in 2015 prepared by Nielsen’s Strategic Health Perspectives2 and presented by The Council of Accountable Physician Practices points to the gap between government mandates and payor and provider desires over against the unmet needs of consumers when it comes to not only basic online access, but to deeper interaction with their healthcare provider. This is broken down to HAVE vs. WANT in the following chart:

trimed-patient-portal-table1

Moreover low-income consumers, those with a combined household annual income of less than $35,000 and Medicaid consumers said that they WANTED Text Appointment Reminders at a rate of 22% and 32%, respectively. That’s nearly one in three Medicaid recipients, for just one potential online engagement service. When it comes to Text Reminders about taking medications or other health reminders, nearly one in four respondents receiving Medicaid benefits said that they WANTED this engagement.

But there are additional health care related tasks that are available to consumers that the Patient Portal can provide. According to general population benchmark data published by ACI Worldwide and Aite Group in January 20173, more than 56% of bills are paid online by way of a biller, bank or third party web site. Of note for the revenue cycle management side of physician practices, nearly three out of four of online bill payments are made on the biller’s (ie, practice) websites. Healthcare providers who fail to implement this ‘low hanging fruit’ of patient engagement do so at the cost of efficiency and best practice workflow.

Portals provide the ability for patients to schedule, cancel and reschedule appointments online. This technology is analogously utilized by the airline industry across carriers and has been in use for some time – whereby a consumer can prepay their flight and choose a seat at the same time. The healthcare industry, such as it is, lags behind in the implementation of this kind of service to it’s own consumers, due to either practice financial or cultural barriers – maybe both.

Other value drivers of a Portal include the ability for patients and guarantors to request prescription refills, view and respond to lab results, and view and print immunization schedules for parents and guardians. Online demographic registration and the completing of online forms, including consent forms, are additional workflow efficiencies that effective practices are beginning to utilize to minimize cost and enhance the patient experience.

One dictionary has the definition of a portal as: a door, gate, or entrance, especially one of imposing appearance, as to a palace. And technically, that’s what an online Patient Portal should provide – a doorway that connects a patient or family to his or her healthcare provider – a doorway that opens both ways. The foundation of the Portal, if all of these good things are derived, is the Electronic Health Record. The EHR provides the infrastructure that connects the patient and provider and allows them to intelligently manage health care efficiently and securely.

Aside from the fact that government mandates require the use of a Portal (among many other things) in order to maximize reimbursement and avoid future penalties under new MACRA value payments, a Portal – or doorway- between patient and provider only makes sense. Of course any technology that provides online access to the patient must meet the stringent demands of HIPAA privacy and security. This requires both technological and practical standards within a practice in order to comply.

In summary, the big picture is that the Patient Portal connects a lot of dots in the constellation of patient-provider healthcare. It opens the door of opportunity to engage more deeply with their healthcare provider and it balances the power between provider and patient whereby the patient has online access to their Protected Health Information 24/7. But not all patients are engaged, and a significant percentage of the population wants to engage in more ways than physicians, due to either financial or cultural reasons, are able and willing to provide. Over time however, it seems inevitable that physicians and patients will come closer together in the management of individual care. It’s just a question of how much time that will take.

Footnotes

  1. Data from the 2015 AHA Annual Survey Information Technology Supplement
  2. Prepared by Nielsen’s Strategic Health Perspectives for CAPP & Bipartisan Policy Center 2015
  3. © Copyright ACI Worldwide, Inc. 2017

Cyber Security and HIPAA

2017 Alliance Sponsor feature article by MedMal Direct

Cyber Threats have become a serious issue in healthcare IT over the past few years. Every day there are attempts to break into secure computer environments in order to either ransom the owner’s information to themselves or just to steal that information and sell it to someone else. Medical records go for about $60 per record (that’s what the hacker is paid by the buyer) whereas simple credit card records go for about $10 per record. The reason that medical records are so valuable is simple – the information doesn’t change. A person cannot turn off their medical record or change their birth date, however we can cancel a credit card and render it useless.

HHS and OCR have provided guidance on the topic of breaches and response to breaches and requires covered entities to have a breach notification and response policy and procedure in place. This policy must include the following:

  1. Definitions
  2. Notifications in the event of a breach
  3. Discovery
  4. Content of Notifications
  5. Methods of Notification
  6. Arrangements with Business Associates in the event of a breach by BA
  7. Law Enforcement Delays
  8. Administrative Requirements

In the event of a suspected breach it is imperative that the organization conduct an assessment to identify the exact nature of the breach. Some organizations are capable of conducting the initial assessment themselves and others may need an outside consultant to assist. OCR rule 45 CFR 164 includes specific guidance on what is required in order to investigate, mitigate, and remediate a breach.

Organizations must develop clear privacy and security guidelines in order to avoid the risk of a true breach. These policies must include how an organization secures its data. Guidelines are provided in the rule for the specific methods that are acceptable for encryption of data and OCR relies on NIST as the expert to provide the standards for which an organization must meet.

A Covered Entity can purchase insurance to protect itself in the event of a breach. This ‘risk transfer’ shifts the financial burden of a breach from the CE to the insurance carrier who also is then responsible, under most policies, for the investigation, notification, remediation, and fines or penalties (see your policy for exact details on coverages).

Guidance on policy and procedure is available to insureds through MedMal Direct’s Risk Management Department and increased limits for cyber liability coverage can be purchased at the request of the insured.

Demystifying OSHA Inspections

2017 Alliance sponsor feature article

By Debra Gordick, Mediator/Government Liaison for Total Medical Compliance

An OSHA inspection can be a scary experience. One reason is that they are always a surprise. You are going about your day as usual and suddenly you have an inspector at the front desk. Another reason is that you don’t know what to expect or what to do. Being informed about the process before it happens can help you focus and minimize the impact of an inspection.

How does your practice get chosen by OSHA to be inspected?

The most usual way for your practice to be inspected is that an employee, ex-employee or patient has reported you to OSHA for violations of OSHA regulations. This is called a “for cause” inspection. If it was a current employee who reported a true regulation offense then you will be inspected. OSHA takes that type of report very seriously. They are aware that sometimes an ex-employee may be angry and lashing out. If, in their judgment, that is the case OSHA may send you a letter asking for details and an explanation instead of inspecting. Receiving a letter does not mean you can dismiss the issue. You have a limited time to answer. If you do not answer the letter or do not answer it to OSHA’s satisfaction, they will show up to inspect. They will not give you advance notice and you cannot stop them from inspecting. A “for cause” inspection is usually limited in scope to the area or areas reported. They can expand the scope if they notice something wrong during their inspection. It is important not to volunteer information to an inspector unless they ask a question. Something as innocuous as “we have an excellent training program” requires them to expand their scope to your training program.

The second kind of inspection is a “random” inspection. Every year OSHA has a schedule. First they inspect reported violations. Then they generate a random sampling from their computers of business types that are closely watched. Types of businesses on this permanent rotation tend to be high risk for employee injury and death like construction, manufacturing, mining and farming. This list is a compilation of a federal list and, if your state has its own OSHA program, a state list. North Carolina has a strong state program. If they finish all inspections on high risk businesses, OSHA will look at the computer generated list of business types that have not been inspected for awhile. Unlike the “for cause” inspections, random inspections are full scope. The inspectors will look at all areas of regulations.

What are the steps of an OSHA Inspection?

  1. SELECTION
  2. PHYSICAL INSPECTION
  3. CLOSING MEETING
  4. CITATION LETTER
  5. ABATEMENT
  6. INFORMAL CONFERENCE
  7. SETTLEMENT
  8. FORMAL HEARING

What happens during the actual inspection?

When OSHA decides to inspect your practice the inspector(s) will show up at your door without notice. Get a business card. Ask the inspector to have a seat in the lobby while you notify management and the OSHA Officer. We recommend delaying the inspector no longer than twenty minutes. Additionally, you cannot refuse inspection. They will leave just long enough to get a warrant and the police. The only time we’ve seen an inspection delayed was when the office was not actually open for business and just a small staff was present doing paperwork.

Use your time wisely. Walk-through your office to spot and correct any problems that can be handled quickly such as replace a full sharps container or secure gas cylinders the delivery service missed that day. Grab a camera or camera phone. Greet the inspector. The inspector is going to ask for information about your business such as tax ID # and unemployment insurance #. You should be told if this is a random inspection or you were reported. If that information isn’t volunteered, you should ask. They can tell you what you were reported for but not who reported you. An inspection can take from one hour to multiple days with an average of 3-4 hours. A “for cause” inspection should be shorter and focused on the reported violation(s). The inspector is going to do the following:

  • Ask to see your documentation. This can, and likely will, include your policy and procedure manual, reports of any injuries or illnesses, Hepatitis B vaccination records and training records.
  • Walk through you practice and inspect various areas. (Remember that under HIPAA regulations the inspector cannot enter an occupied treatment room without you getting permission from the patient beforehand.) Never leave an inspector unescorted.
  • Take pictures. Ask them what they are photographing and why.
  • Ask you or other employees questions on how something is handled. (OSHA inspections are performance-based which means that what you are doing should match what your policies and procedures state.)

The inspector may want to talk to employees without management present. This is allowed.

Things you can do during the inspection to minimize citations and lower fines:

  1. Always be polite and courteous. The inspector is just doing their job. Also, you get a 15% reduction in fines for being “cooperative and courteous.”
  2. Take a picture of anything the inspector does for your records.
  3. If asked for something you don’t know the answer to, ask for clarification. It is easier to stop a citation from being written than to get it removed later.
  4. Always answer truthfully but do not volunteer information. By law they must inspect any area you bring up.
  5. At no point should an inspector ask for money. Report this to OSHA immediately. This person is most likely a scam artist.

After the inspection is over, the inspector will have a Closing Meeting to cover the preliminary findings. This meeting can happen immediately after the inspection or can be scheduled for a future date. At the Closing Meeting the inspector will meet with the OSHA Officer (and management if you request it) to go over all issues noted during the inspection. This list of issues is not the official citation list as it may include issues that are noted but so minor that they will not end up on the official list. Feel free to ask questions and to volunteer information that could prove you have addressed the issue. Start fixing the problems identified immediately.

What happens after the inspection?

After the Closing Meeting the inspector will return to their office and write up their results. They may call you to get follow up information. Once the report is written it is submitted to their manager. The manager will review the report and create an official citation letter listing each issue, the regulation that was involved and the amount of the fine for each citation. This letter will include information on your rights to contest the OSHA citations and your responsibilities to post the results for your employees and the dates by which you are required to fix the problems identified. This letter will be sent to you usually within two weeks of the Closing Meeting.

OSHA divides citations into “Serious” and “Non-Serious” categories. Non-Serious violations usually are not fined but can be minimally fined. OSHA increased their fines in August 2016 and again on 1/13/17. Each Serious violation starts at $12,675. There is a series of fine reductions which are available.

  • 60% for small businesses
  • 15% off if you were “courteous and cooperative
  • 10% if you have an OSHA program in place.

However, if OSHA notes that this is a repeated violation from a previous inspection or if they determine that it is a “willful” violation the fine starts at $126,749.

You will then have to submit a form (included in your citation letter) back to OSHA to prove that you have fixed the problems listed within the timeframe allotted. This is called Abatement. Abatement should include a short explanation, supporting documents or even pictures if necessary. You can request an extension if necessary. Failure to abate the citations by the stated date can result in a fine of $12,675.

You also have the right to contest the citations. The first step of this process is to request an Informal Conference with the manager/supervisor who sent you the citation letter. This meeting must be asked for within the timeframe listed (usually 15 days of receipt of the citation letter). It can usually be conducted by phone. It is your chance to state your reasons for removing or reducing citations and/or fines. You ask for this even if you don’t have any explanation but “we’re sorry and we fixed it”. OSHA cannot increase the citations or fines and you do not get on a black list. You can usually get some reduction in fines just by asking.

After the Informal Conference, OSHA will send a Settlement Letter to you. This will list what changes they are willing to make. You then have a limited time to decide whether to accept the settlement, sign it, return it and pay any remaining fines or you can choose to move to the next and final phase, the Formal Hearing.

If you do not accept the Settlement you have only one last recourse. You can request a Formal Hearing. This meeting will be in person before an administrative judge in Raleigh. This step should only be taken if you believe OSHA has violated regulations or if you have a legal reason that you did not violate a regulation. You are allowed to bring a lawyer and your consultant. OSHA will have their lawyers there. Results are final.

On a final note, your best protection from OSHA citations is a strong and continuing OSHA program. You need to understand what is expected from your business. Your program should include policies, procedures, strong documentation, good records, current SDS, annual review of safety devices for sharps, and thorough training.

Debra Gordick is the Mediator/Government Liaison for Total Medical Compliance. TMC is a private consulting company providing affordable turnkey programs and seminars for health care providers allowing them to achieve and maintain compliance with government safety and privacy regulations such as HIPAA, OSHA and Infection Control. A TMC consultant works in partnership with the safety and privacy officers at your location to ensure all aspects of the regulations are addressed. TMC services include on-site employee training, customized compliance manuals, office inspections, and ongoing client support through bi-monthly newsletters and a fully staffed Call Center. Information on seminar schedules and products can be found on the TMC web site, http://www.TotalMedicalCompliance.com.

For additional information call 888-862-6742 or email Service@totalmedicalcompliance.com

 

Palmetto GBA E-mail Update: Tuesday, April 04, 2017

eServices Makes Asking a Medicare Question Easier
Palmetto GBA has Secure eChat to make asking Medicare questions easier. This innovative feature allows providers to interact with designated Palmetto GBA staff so they can receive real-time assistance locating information on any topics or specialties they are searching for on the Palmetto GBA website or within the eServices online portal. The Secure eChat feature also allows users to dialogue with an online operator who can assist with patient or provider specific inquires or address questions that require the sharing of PHI information! Using Secure eChat is simple! Please share with appropriate staff.

Applies to:

  • JM Home Health and Hospice//General
  • JM Part A//General
  • JM Part B//General

What Can You Expect to Receive from the CERT Contractor?
You can expect to receive the following from the CERT Contractor: Information on the CERT process; Health Insurance Portability Accountability Act (HIPAA) compliance information; What documentation to submit; Timeframe for responding to the request; and Claim information.

Applies to:

  • JM Home Health and Hospice//General
  • JM Part A//General
  • JM Part B//General
  • Railroad Medicare (RRB)//General – Railroad Medicare

Inquiries for Unprocessable/Rejected Claims
Did you know the top two reasons for Palmetto GBA Provider Contact Center inquiries in February all had to do with claims that were unprocessable or rejected? When a claim is rejected (also referred to as unprocessable) the claim is not afforded appeal rights. You must correct and refile the claim correcting the missing, invalid or incomplete information. Reason code MA-130 will appear on your remittance advice (RA) along with one or more remark codes that outline the error causing a claim to be considered unprocessable. If your clearinghouse is not providing you with associated remarks code to explain why a claim was rejected, speak with your clearinghouse to receive that information. Please share with appropriate staff.

Applies to:

  • JM Part B//General

Unprocessable/Rejected Claims Webcast: April 13
Jurisdiction M will hold a Part B Unprocessable/Rejected Claims Webcast on April 13, 2017, at 10 am, ET. This webcast will include identifying, correcting, and reviewing examples and resources to resolve and prevent rejected claims. Please plan to attend.

Applies to:

  • JM Part B//General

E/M Weekly Tip: History Component – Status of Three Chronic/Inactive Conditions
An extended History of Present Illness (HPI) ma y consist of the status of three chronic/inactive conditions for either set of guidelines (1995 or 1997) for services performed on or after on or after September 10, 2013. Please share with appropriate staff.

Applies to:

  • JM Part B//General
  • Railroad Medicare (RRB)//General – Railroad Medicare

New Waived Tests
Change Request (CR) 9956 informs MACs of new Clinical Laboratory Improvement Amendments of 1988 (CLIA) waived tests approved by the Food and Drug Administration (FDA). Since these tests are marketed immediately after approval, the Centers for Medicare & Medicaid Services (CMS) must notify MACs of the new tests so that they can accurately process claims. Make sure that your billing staffs are aware of these CLIA-related changes.

Applies to:

  • JM Part B//General
  • Railroad Medicare (RRB)//General – Railroad Medicare

Physician Practices Beware: Scam Email Disguised as Communication from Office of Civil Rights

By Joy Hord, Parker Poe
Reprinted with permission from Parker Poe

Receiving an email that your practice has been identified for participating in the HIPAA Privacy, Security, and Breach Rules Audit Program is enough to raise anyone’s blood pressure. The likely response is to open the email immediately, determine the scope of the audit, and mobilize a team to prepare for the response.

Opening the email, however, may not direct the email recipient to information regarding a governmental HIPAA audit. Instead, some providers are finding that the link directs to a non-governmental company’s marketing efforts for a cybersecurity service. The Office of Civil Rights (OCR) of the Department of Health and Human Services (the entity responsible for HIPAA audits and enforcement) has published alerts (available here) regarding the scam emails.

Although nothing in the most-recent alerts suggests that the current scam emails will result in a malware attack, covered entities and business associates must remain on guard regarding the potential risks of opening a communication that may appear to come from the OCR. Providers who have a question regarding whether an email is an official communication from OCR regarding a HIPAA audit may contact the OCR at OSOCRAudit@hhs.gov. Official communications from the OCR original from the same address.

Parker Poe has developed a number of tools to assist our clients to perform self-audits regarding compliance with the privacy, security and breach notification rules under HIPAA. We also advise clients routinely regarding responses to HIPAA audits. More information regarding our team can be found here.

About the Author
Joy Hord focuses her practice on regulatory and compliance matters specifically related to the health care industry. Her clients include hospitals, physicians, pharmacies and other health care providers. Ms. Hord also has significant experience representing health care professionals and organizations with business law and transactional issues, such as mergers, acquisitions and joint ventures. Ms. Hord leads Parker Poe’s Health Care Practice, which includes attorneys from the firm’s North Carolina and South Carolina offices.

Does your Practice Fall Short on HIPAA Compliance?

2016 Alliance feature article by IT Practice, Inc.

In the medical and dental fields, protected health information (PHI) is a concern not only for the patient, but also for the employees. Protected health information is any information about the health status, provision of health care, payment information or other medical terms that can be used to identify a patient. The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 in order to protect this sensitive information. HIPAA ensures that no PHI is released without the patient’s consent. It is vital that medical professionals ensure that no violations happen and that they are working to avoid releasing PHI in any capacity.

There are several areas where healthcare practitioners need to be especially careful to ensure that no violations of HIPAA are occurring. By recognizing these areas, medical practices and staff can pay special attention and care to follow the law.

Social Media

Today it seems everyone uses social media. Whether it is Facebook, Twitter, Instagram or the many other social media networks, we are surrounded by it. It has made the ability to “share” information easy and done with the click of a button. One issue that arises from this is HIPAA law violation. Many times healthcare professionals share information before thinking or even realizing they are violating HIPAA law. It could be something shared in a positive and harmless spirit, but it could have huge consequences if it is found to be in violation.

Photographs are a large issue in HIPAA and social media. A healthcare worker may think sharing a photo is innocent and not harming anyone, but without consent from the patient it is a violation. For example, a photo could be shared with a patient only visible in the background of the photo. This is still a violation as the patient is able to be seen and identified. While the healthcare worker did not mean for it to happen, they unknowingly violated HIPAA law.

Wireless and Mobile Devices

In healthcare fields, patient information often times needs to be shared between healthcare professionals. This information could be vital signs, PHI information on the patient, or even just discussing the progress of the patient. It is simple to send a quick email or text to relay this information quickly. It’s very easy to violate HIPAA doing this as the software and wireless networks being used may not have enough security measures to prevent a breach.

Using encryption programs allows this information to remain secure, but only if all parties involved on the information sharing have the encryption installed on their wireless devices. It is often difficult to encrypt all employee devices and as such polices should be put into place to prevent any violations. Discouraging employees from sharing PHI through wireless devices or only allowing encrypted software to be used will safeguard against violations.

Employee Training

In order to follow HIPAA and avoid violations, it is vital to understand and be educated in HIPAA law. Knowledge in the law will prevent employees from breaking the law. In many healthcare practices and industries, the only employees fully trained in HIPAA are those who are higher up in the field such as management and administrators. However, it is actually required for all staff to know the ins and outs of HIPAA.

To prevent most violations, HIPAA regulations should be integrated into practice policies and procedures. This will allow there to be more employee training and keep the staff informed and knowledgeable in HIPAA law. Employee training in HIPAA must become a priority in order to avoid HIPAA violations before they occur.

IT Practice, Inc. with headquarters based in Raleigh, NC is a HIPAA Certified IT Provider. The staff knows how vital HIPAA regulations are and ensure that when medical information comes through to them from clients it is protected and kept confidential.

IT Practice based in Raleigh, NC provides a wide range of IT solutions for Dental, Medical and Small Business Professionals across North Carolina and Virginia. Call 919.301.1000 for a consultation to determine your exact IT needs.