More on HIPAA Security: Safe Email

As our privacy and security officer, SOS President Seth Krieger reads lots of blogs and listens to lots of podcasts about security in the cyber world.

One of the blogs Seth follows is provided by a company called Adelia Risk. Early in August, he read a blog post that I want to share with you.

HIPAA Compliant Email: 6 of the Best Ways to Email PHI

How do you send PHI via email and still follow HIPAA? This is one of the most common questions we get.

It’s an understandable question. Email has become the communication tool of choice in the digital age. Most workplaces rely on it heavily.

If you’re a HIPAA-regulated business, email use gets a lot more complicated. It’s even more complicated when you want to email PHI, or Protected Health Information.

Good news: it is possible to send PHI via email, and we’re going to tell you exactly what it takes to ensure HIPAA compliant email.

But before we jump right in, let’s review the basics. . . .

As behavioral healthcare providers, we know you are very concerned about the privacy of your clients. If you are not using a secure email product to send PHI, you are putting that privacy at risk. Please click on the link above or here so you can read the full article. We do not earn anything from this company, but we are sharing this with you because the author, Josh Ablett, appears to know a good deal about his subject.

Please take a look at the article and feel free to add your comments and reactions below. If you are using a secure email product, please share your experience below!

OCR Plans Wider Investigation of HIPAA Breaches Affecting Fewer Than 500

I know I often talk here about HIPAA requirements, HIPAA breaches, and HIPAA fines. That is because I believe this to be a very important issue . . . one that small and mid-sized behavioral health organizations do not seem to concern themselves with very much. The day-to-day work of running a practice becomes the driving factor, and regulatory requirements get glossed over.

I wanted to be sure you have the information from a recent notice from the Office for Civil Rights (OCR). In an email to the OS OCR Privacy List, OCR announced an initiative to more widely investigate smaller breaches.

Beginning this month, OCR, through the continuing hard work of its Regional Offices, has begun an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals. Regional Offices will still retain discretion to prioritize which smaller breaches to investigate, but each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches. The factors Regional Offices will consider include:

*   The size of the breach;
*   Theft of or improper disposal of unencrypted PHI;
*   Breaches that involve unwanted intrusions to IT systems (for example, by hacking);
*   The amount, nature and sensitivity of the PHI involved; or
*   Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.

Regions may also consider the lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates.

Let me explain the thinking behind this initiative. OCR believes that breaches of PHI occur because of certain root causes. They have largely focused on large breaches in order to determine the root causes of such events because they affect so many people.

The root causes of breaches may indicate entity-wide and industry-wide noncompliance with HIPAA’s regulations, and investigation of breaches provides OCR with an opportunity to evaluate an entity’s compliance programs, obtain correction of any deficiencies, and better understand compliance issues in HIPAA-regulated entities more broadly.

Focusing on smaller breaches will allow OCR to begin to determine if root causes in smaller events are the same as or different from those in larger events. This will hopefully result in recommendations about how smaller organizations can remedy any problem situations.

Remember, if the PHI you maintain is located on computers, removable drives, or cloud storage that is fully encrypted (both in motion and at rest), it falls under the breach notification safe harbor: PHI encrypted in accordance with HHS guidance is not "unsecured PHI," so its loss or theft is not a reportable breach, provided the decryption key was not compromised along with the data. The obvious simplest solution for everyone is to encrypt every place in which the PHI for which you are responsible resides electronically . . . your computers, your storage, your emails . . . and to be sure your file cabinets are locked!

Phase 2 HIPAA Audits Are Under Way

On Monday, July 11, 2016, letters were delivered to the 167 organizations chosen for 'Phase 2' HIPAA audits. These audits . . . called 'desk audits' . . . will look at the selected organizations' compliance with the HIPAA Privacy, Security and Breach Notification Rules. The selected organizations needed to reply by July 22 and to follow a structured process after that. You can read details about these audits on the OCR website. Be sure to scroll down a bit so you see the Phase 2 Audit Program Protocol.

According to OCR, these Desk Audits will cover specific aspects of compliance:

Requirements Selected for Desk Audit Review

Privacy Rule

Notice of Privacy Practices & Content Requirements   [§164.520(a)(1) & (b)(1)]

Provision of Notice – Electronic Notice   [§164.520(c)(3)]

Right to Access  [§164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3),  (c)(4), (d)(1), (d)(3)]

Breach Notification Rule

Timeliness of Notification  [§164.404(b)]

Content of Notification  [§164.404(c)(1)]

Security Rule

Security Management Process —  Risk Analysis  [§164.308(a)(1)(ii)(A)]

Security Management Process — Risk Management  [§164.308(a)(1)(ii)(B)]

 

Starting in the Fall, Business Associates will be up for review.

I wonder if any SOS customers or readers of this blog have been selected for audit. If so, we hope you will share your experience.

Records Clean Up: What are your policies and procedures?

I spent much of today scanning and shredding records that I no longer want to store in physical form. These are all business records of various sorts, from vendor invoices we have received and paid to customer invoices we have sent and been paid for. This is a task I have been working at in small bits for some time.

I tend to keep things. When it comes to records, I would always rather be safe than sorry. The outcome of this preference is that untoward amounts of paper wind up in our file cabinets.

The ability to scan records for electronic safekeeping has begun to ease this tendency to accumulate. However, because it takes so much time to do the scanning and shredding, the task gets put off and becomes very large.

A few years ago, we had an office-wide clean up, throw-away day. While we devoted one full day to the process, we had actually been doing the tasks over several days and ended with one final event. We brought a couple of tons of paper, old computers, old books and software manuals to our local recycling facility. It was a very satisfying process.

Do you have policies for the records in your organization? Do you know what your state requires for record maintenance? For how long must you keep business records? What about clinical records? Do you have procedures for purging old records of any kind? Or do you just hang onto everything like me?

Please share your thoughts about and experiences with record retention and destruction. I would love your suggestions for how to make this process less onerous! Just enter your comments below.

Successful Integrated Care: Behavioral health in primary care practices

New models for the delivery of behavioral healthcare services are emerging just as new payment models for all healthcare services are being explored. Behavioral Healthcare Magazine recently reported on the integration of behavioral health providers into primary care settings by Christiana Care Health System.

Christiana Care is an organization that already uses evidence-based care across their organization. They had previously embedded psychologists in their neurology, cardiology and cancer departments. Now they have added psychologists and social workers into their primary care practices.

Linda Lang, M.D., chair of the department of psychiatry at Christiana Care, makes the following suggestions for organizations considering such a move.

Integration best practices

For fellow health systems considering whether to integrate behavioral healthcare into their primary practices, Lang offers the following advice:

Be flexible. For behavioral health specialists who are used to sitting in an office, working in a primary care setting can be a jolt.

“It’s a much more fast-paced, ‘anything can happen throughout the day’ kind of thing,” Lang says.

Define expectations. Primary care and behavioral health specialists who will be collaborating need to clearly define their respective roles in their working relationship.

“Helping primary care doctors understand what they can expect from the behavioral health provider is important,” she says. “Some primary care doctors really want to manage their patients fully. Others prefer to have a collaborative approach.”

Understand the value of staff buy-in. When presented with the integrated model, caregivers at Christiana Care were receptive, which helped with implementation.

“We were able to get our psychologists and social workers to sign on for something new and exciting, knowing we were meeting the needs of folks in a much different way,” Lang says. “Training and buy-in are very important for this to be successful. There are some of us who have been doing a certain model for a long time. We have a group of people here interested in learning new models of care. Medicine changes all the time. We practice an evidence-based way of delivering all care, and there’s lots of evidence to show this works better. We all are of similar mindset that we want to do what’s best for the patient. We want to grow and learn new techniques.”

Working in a traditional medical setting is not yet usual for behavioral health specialists who are not psychiatrists or nurse practitioners. It is clear that this is one model for comprehensive patient care that will expand.

What do you think it will take for behavioral health and primary care practitioners to find comfortable and useful ways of practicing together? Please share your comments below.