Protected Health Information

09 Dec 2013

HIPAA OMNIBUS RULES AND BUSINESS ASSOCIATES

As of September 23, 2013, covered entities should have updated their HIPAA compliance programs to comply with the final HIPAA Omnibus Rules. The final rules became effective on March 26, 2013 but gave covered entities 180 days to comply. Covered entities that have not yet updated their compliance programs to meet the final Omnibus Rules requirements need to do so immediately; those that have not run the risk of being found in willful neglect by the Department of Health and Human Services (HHS), of facing a full HIPAA audit, and of paying high fines. According to Leon Rodriguez, director of the HHS Office of Civil Rights, the final Omnibus Rules bring “the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented”.

An important part of updating the HIPAA compliance program to meet the final Omnibus Rules requirements is to review and update business associate agreements. A business associate is an entity that has access to protected health information (PHI) while providing a service to a covered entity; business associates receive, store, maintain or transmit PHI on behalf of the covered entity. Examples of business associates include medical billing companies, information technology companies, shredding companies and copy machine companies. Covered entities have until September 23, 2014 to update their business associate agreements to comply with the final HIPAA Omnibus Rule. Business associate agreements that were not modified or renewed between March 26, 2013 and September 23, 2013 will be considered compliant until they need to be renewed or until September 22, 2014.

The American Medical Association states that the kinds of individuals and entities that can be treated as business associates have expanded under the Omnibus Rules. These organizations include patient safety organizations, health information exchange (HIE) systems and EMR or EHR companies. Medical practices need to determine with whom they need to enter into a business associate agreement.

Covered entities must ensure that the business associates they work with are HIPAA compliant. Under the final Omnibus Rules, business associates are liable for any violations that occur and are responsible for the subcontractors they work with. Business associates need to conduct a thorough risk analysis and must comply with the Security Rule and the Breach Notification Rule.

At Vitruvian MedPro we help medical practices stay out of willful neglect by providing HIPAA Compliance consulting services. As part of our HIPAA Compliance consulting services, we help medical practices perform and document a risk analysis. We provide medical practices with a thorough risk management report describing their risks and vulnerabilities with PHI.
A free consultation of 30 minutes or less will let you know whether your practice would be found under willful neglect in the case of an audit.

For more information on Vitruvian MedPro’s HIPAA Compliance kit visit: HIPAA Compliance Kit.

At Vitruvian MedPro, a Massachusetts based medical billing and practice management consulting company, we help medical practices improve cash flow and focus on patient care by providing medical billing, medical coding, and patient collection services. Visit our web site at Vitruvian MedPro

05 Nov 2013

HIPAA OMNIBUS RULES AND THE PRIVACY AND SECURITY RULES

Covered entities should have updated their privacy and security policies to comply with the final HIPAA Omnibus Rules as of September 23, 2013. The final rules became effective on March 26, 2013 but gave covered entities 180 days to comply. Covered entities that have not updated their privacy and security policies to meet the final Omnibus Rules requirements need to do so immediately; they run the risk of being found in willful neglect by the Department of Health and Human Services (HHS), of facing a full HIPAA audit, and of paying high fines. According to the director of the HHS Office of Civil Rights, the final Omnibus Rules bring “the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented”.

An important part of updating the HIPAA compliance program to meet the final Omnibus Rules requirements is to review the privacy and security policies. Areas that must be reviewed and updated include breach notification procedures, disclosures of Protected Health Information (PHI), marketing, the sale of PHI, fundraising, and patients’ rights of access to PHI.

The way breach notifications must be handled has changed under the final rules. Covered entities must notify patients whenever there is a breach of PHI. A breach of PHI must be reported unless the covered entity can demonstrate that the PHI has not been compromised or that there is only a low probability that it has been compromised. The breach notification rules also apply to business associates. By conducting a risk assessment, covered entities and business associates can determine what constitutes a breach and how to respond to one. To illustrate, a commonly recommended practice for guarding PHI is to encrypt every electronic device that accesses or stores PHI. When an encrypted device is lost or stolen, the PHI on it can be presumed not to have been compromised, so a breach notification is not necessary.

Disclosures of PHI are an important aspect of the final Omnibus Rules. Patients now have the right to request that a medical practice not disclose PHI about a specific service or treatment to their health plan when they have paid for that visit out of pocket. Covered entities must therefore honor a patient’s request not to disclose PHI for a specific treatment to the health plan when the patient pays cash for that treatment. Covered entities must inform patients that treatments which are required by law to be disclosed will be disclosed regardless of payment.

There are cases where covered entities have marketing agreements with providers of medical products and services, such as pharmaceutical companies and medical device manufacturers, under which they are compensated for sharing treatment information for marketing purposes. Under the final Omnibus Rules, covered entities must obtain patient authorization when treatment communications are shared for marketing purposes. The American Medical Association states that a physician may tell patients about a third-party product without the patient’s authorization when the physician is not compensated for the communication, when the physician tells the patient in person, when the patient is already being prescribed the medication, when the communication is made to promote health, and when the communication involves a government program.

Covered entities must review their policies for cases where they receive compensation for providing PHI to an external entity. Covered entities cannot sell PHI without their patients’ written authorization. Under the final Omnibus Rules, covered entities that are compensated for the sale of PHI must be authorized by their patients before they can disclose that PHI, and patients must be made aware when a covered entity sells their PHI to external parties.

In cases where a covered entity engages in sending fundraising communications, they must update the fundraising forms so that patients can choose to opt out of receiving fundraising communications.

Patients have the right to request a copy of their PHI. Covered entities that use an EMR system to store patient information are now required to provide patients with the PHI stored in the EMR upon request. Covered entities must provide the requested PHI within 30 days of the patient’s request and can request a 30-day extension. Covered entities must provide the EMR data in the electronic format the patient requests. The cost of producing the PHI may be charged to the individual requesting the records.

Finally, covered entities must ensure that their staff are trained on all the new policies and procedures. Training must be completed yearly and must be documented.

The new rules must be taken seriously: they carry the potential for $1.5 million in fines and can put a covered entity out of business.

19 Sep 2013

Covered Entities and Business Associates HIPAA Omnibus Rules Requirements

Under the HIPAA/HITECH Omnibus Rules, covered entities need to update their HIPAA compliance programs by September 23rd. One of the major changes under the Omnibus Rules relates to business associates. Business associates are not covered entities, but they have access to patient information. Under HIPAA, business associates can be IT companies, pharmacy benefit managers, insurance brokers, copy machine vendors, shredding companies, and so on. Business associates come into contact with protected health information (PHI). Under the Omnibus Rules, business associates must comply with the HIPAA Security Rule and many aspects of the HIPAA Privacy Rule. Covered entities must make sure that their business associates comply with all HIPAA regulations. Just like covered entities, business associates are subject to audit by the Department of Health and Human Services (HHS).

As part of the HIPAA/HITECH Omnibus Rules, covered entities and business associates must comply with the following or can be found in willful neglect:

1. Develop or update their security policies and procedures. The HIPAA Security Rule establishes national standards to protect electronic personal health information that is created, received, used, or maintained by a covered entity or a business associate. Conducting a risk assessment is the first thing covered entities and business associates must do in order to update their security policies and procedures. A security breach is the highest risk covered entities and business associates need to consider; a security breach can cost a practice more than $1,000,000.00. Covered entities and business associates can protect themselves from a security breach by following the recommendations of a risk analysis.

2. Develop or update their privacy policies and procedures. The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or a business associate in any form or medium, whether electronic, paper, or oral, when combined with treatment, payment, or operations information. New requirements have been put in place under the HIPAA/HITECH Omnibus Rules, including a standard in the Privacy Rule for determining whether a breach has taken place.

3. Update their current business associate agreements. Business associates must put a business associate agreement in place with all their subcontractors. Covered entities do not need to have updated business associate agreements until September 22, 2014.

4. Put in place or update the HIPAA Notice of Privacy Practices (NPP). Covered entities and business associates are required to update their NPP with the latest HIPAA/HITECH Omnibus Rules changes by September 23, 2013. The updated NPP informs patients of all their rights and all the restrictions under the Omnibus Rules. The NPP must be posted on the covered entity’s web site, must be posted in the office, and must be made available to all patients.

5. Conduct yearly HIPAA training. Staff training must be conducted yearly and must be documented. Covered entities and business associates are not expected to know every detail of the HIPAA regulations, but they must have a general knowledge of HIPAA and know where to find resources when a HIPAA-related matter needs to be addressed.

06 Sep 2013

HIPAA Omnibus Rule Notice of Privacy Practices Must be Updated this Month

September 23, 2013 is the date that medical practices and other covered entities must update their Notice of Privacy Practices (NPP) to patients in order to be compliant with the HIPAA Omnibus rule enacted in March 2013. The new NPP should be posted in each office, on the website if one exists, and should be available as a handout for any patient requesting it. The new notice must include:

1. Reasons that Protected Health Information (PHI) can and cannot be disclosed to others.
2. Information for opting-out of communication related to fundraising activities, if the provider does any fundraising.
3. The ability to restrict PHI from payer disclosure when patients pay in cash instead of having the charges filed with insurance. Information about being contacted if there is a breach of PHI due to unsecured records.
4. Expanded rights to electronic copies of medical records (where applicable).

30 Aug 2013

UNDER HIPAA Willful Neglect Now Has Minimum Mandatory Fines

Under the final Omnibus Rule, which will be enforced starting September 23, 2013, things have changed. The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) is going to start enforcing the final Omnibus Rules, and the fines have increased for practices that are not following the new regulations. The OCR will determine whether a medical practice is complying with the new HIPAA rules and regulations. The days of informal resolutions are gone: minimum mandatory fines for “willful neglect” start at $10,000.

What is considered “willful neglect”? Medical practices that do not perform a yearly risk assessment, or that do not have an updated policies and procedures manual for the HIPAA Privacy and Security Rules, are considered to be in “willful neglect”. Practices that are not aware of, and have not documented their adherence to, the HIPAA definition of minimum necessary could face penalties of up to $125,000. Medical practices must start paying attention to the ins and outs of the HIPAA regulations; not being up to date with the new regulations can ruin all the hard work that has been invested in building a practice. The government sees HIPAA as a set of rules that medical practices must put in place in order to guarantee their patients access to their medical records and to provide good security measures to protect patient information.

At Vitruvian MedPro, working with HITECH Associates, HIPAA — compliance simplified — is our mission, and it is accomplished using our 8-step, full turnkey HIPAA Compliance Kit. Starting with a Security Risk Assessment, the HIPAA Compliance Kit also gives you the tools and documents you need for business associates, a set of customizable policies and procedures, staff and HIPAA Compliance Officer training, a Breach Response Plan, a Contingency Plan that meets the requirements of the HIPAA Privacy Rule, a complete set of HIPAA documents including the required updated Notice of Privacy Practices, and a Risk Management Plan.

24 Aug 2013

At $1.2M, HIPAA photocopy breach proves costly

HITECH notification rule leads to settlement after CBS News story

The U.S. Department of Health and Human Services (HHS) has settled with Affinity Health Plan, a New York-based managed care plan, for HIPAA violations to the tune of $1,215,780 after a photocopier containing patient information was compromised.

Affinity filed a breach report with the HHS Office for Civil Rights on April 15, 2012. The HITECH Breach Notification Rule requires HIPAA-covered entities to notify HHS of a breach of unsecured protected health information.

Affinity officials were informed by CBS Evening News that, as part of an investigatory report, the television network had purchased a photocopier, previously leased by Affinity, that contained confidential medical information on its hard drive. Affinity estimated that up to 344,579 individuals may have been affected by this breach.

An HHS Office for Civil Rights investigation indicated that Affinity disclosed the protected health information of these affected individuals when it returned multiple photocopiers to leasing agents without erasing the data contained on the copier hard drives.

Moreover, the investigation revealed that Affinity failed to incorporate the electronic protected health information stored on photocopier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the photocopiers to its leasing agents.

“This settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before it’s recycled, thrown away or sent back to a leasing agent,” said OCR Director Leon Rodriguez.

“HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information.”

In addition to the $1,215,780 payment, the settlement includes a corrective action plan requiring Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the plan that remain in the possession of the leasing agent, and to take certain measures to safeguard all PHI.

Covered entities must make sure that they review their business associate agreements and update them to comply with the final Omnibus Rules. The HIPAA violations in this case could have been prevented if both sides had been aware that PHI was being stored inside the photocopy machines. Conducting a risk analysis is a must for all covered entities so that they know what they need to do in order to be fully HIPAA compliant.

14 Aug 2013

COVERED ENTITIES MUST UPDATE NOTICE OF PRIVACY PRACTICES BY SEPT 23 2013

The changes to the Omnibus Rules that go into effect on Sept 23, 2013 require that all medical practices update their Notice of Privacy Practices (NPP) by that date.

According to our friends at the American Medical Billing Association (AMBA), there are five significant changes that need attention:

1) You must update information on your use and disclosure of PHI that requires authorization:

a. Most uses and disclosure of psychotherapy notes
b. Uses and disclosures for marketing purposes
c. Disclosures that constitute a sale of PHI

2) Separate statements for certain uses and disclosures:

a. Intention to send patients treatment communications while receiving remuneration
b. Intention to contact individuals to raise capital or funds
c. Individual’s right to opt out of such communications

3) Enhanced patient rights:

a. A statement that you, as a Covered Entity (CE), must agree to a patient’s restriction on release or disclosure of PHI to a health plan where the patient pays out of pocket for a service
b. Statements about a patient’s right to receive electronic medical records (if you are capable of providing them), along with other updated patient rights

4) Include information about how and when you will inform patients in the event of a breach of unsecured PHI

5) Appointment reminders and other alternatives

a. You no longer need to include a statement about notifying patients to remind them of an appointment, treatment alternatives or other services that may be of interest to the patient

12 Aug 2013

HIPAA AND TEXTING

It is not uncommon for providers to use electronic devices such as cell phones and tablets to carry out their day-to-day functions within a healthcare facility or practice. Covered entities must ensure that the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules are applied when mobile devices are used. At the same time, HIPAA does not impose any requirements regarding the use or avoidance of specific modes of communication such as text messaging.

Just as is done with other technologies such as EMR and practice management systems, all the required safeguards must be put in place to ensure the privacy and security of Protected Health Information (PHI) that is communicated via text messaging.

Safeguards must address all the risks that exist when PHI is sent by text message. For example, SMS text messages sent directly from one mobile device to another generally lack encryption and are therefore not secure. Moreover, the sender of a text message cannot be assured that the message has been received by the intended recipient. Wireless carriers may also store messages that are sent via SMS. The Department of Health and Human Services states that using text messages as a way to communicate can be permitted under HIPAA, depending on the controls that are put in place.

HHS recommends that covered entities follow these five steps when managing mobile devices in a healthcare setting:

1. Decide whether mobile devices will be used to access, receive, transmit, or store patients’ health information or be used as part of your organization’s internal network or systems, such as an electronic health record system.
Understand the risks to your organization before you decide to allow the use of mobile devices.

2. Consider the risks when using mobile devices to transmit the health information your organization holds.
Conduct a risk analysis to identify threats and vulnerabilities. If you are a solo provider, you may conduct the risk analysis yourself. If you work for a large provider, the organization may conduct it.

3. Identify a mobile device risk management strategy, including privacy and security safeguards.
A risk management strategy will help your organization develop and implement mobile device safeguards to reduce risks identified in the risk analysis, including an evaluation and regular maintenance of the mobile device safeguards you put in place.

4. Develop, document, and implement your organization’s mobile device policies and procedures to safeguard health information.
Some topics to consider when developing mobile device policies and procedures are:

• Mobile device management
• Using your own device
• Restrictions on mobile device use
• Security or configuration settings for mobile devices

5. Conduct mobile device privacy and security awareness and ongoing training for providers and professionals.

For more information on texting and PHI visit: Five Steps Organizations Can Take To Manage Mobile Devices Used by Healthcare Professionals

02 Aug 2013

Medical Practices must comply with the HIPAA Omnibus Rule by September 23

The Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule, enacted in March, expands the obligations of physicians and other health care providers to protect patients’ protected health information (PHI). Obligations have been extended from covered entities to other individuals and companies that, as business associates (BA), have access to PHI. Increased penalties for violations of any of these obligations will apply under the Omnibus Rule.

The goal of the Omnibus Rule is to further protect patient privacy and safeguard patients’ health information in the digital age through increased protection and control of personal health information and increased accountability for BAs. The Omnibus Rule puts in place a number of provisions that range from expanding individual patients’ rights over their PHI, to governing the use of PHI for employee training, marketing, fundraising, and research purposes, to a notification plan for breaches. BA relationships and agreements should also be reviewed for compliance, particularly BA agreements entered into before January 25, 2013.

The requirements needed to comply with the HIPAA Omnibus Rule:

• Review BA agreements so that they comply with the new Omnibus Rule, and review existing agreements and contractor arrangements to determine compliance.
• Update HIPAA policies and procedures to address response to potential breaches of unsecured PHI.
• Update, post and distribute Notices of Privacy Practice.
• Put in place restrictions on the use of PHI for marketing, sales, and fundraising.
• Train medical practice staff on new obligations. Training must be documented. If it is not documented, it did not happen.

Existing BA agreements entered into before January 25, 2013 remain compliant until they are changed or renewed, or until September 22, 2014.

Enforcement efforts begin September 23, 2013, and the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) will audit and penalize covered entities for willful neglect after the deadline with a maximum penalty of up to $1.5 million per violation.

25 Jul 2013

HIPAA Omnibus Rules and Doctors in Private Practice

Private practice doctors have until Sept. 23, 2013 to implement all the latest HIPAA policies and procedures under the Omnibus rules. These policies and procedures are required in order to comply with all the changes that have been made to the Health Insurance Portability and Accountability Act (HIPAA).

The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) released the final Omnibus Rules in January 2013 and will start enforcing them on Sept. 23, 2013. HHS has made it clear that penalties for healthcare providers found in ‘willful neglect’ can range from $100.00 to $1,500,000.00. The amount of the penalty will depend on the type of violation the covered entity has committed.

In order to update their compliance programs, doctors in private practice must:

1. Perform and document a risk analysis. The risk analysis consists of an accurate and detailed assessment of all the potential risks and vulnerabilities to the confidentiality, integrity and availability of Protected Health Information (PHI) that the practice is exposed to. The outcome of the risk analysis should be documented in a risk management report that describes all of the medical practice’s risks and vulnerabilities with respect to PHI.
2. Review and update the medical practice’s policies and procedures for the case that PHI is lost, stolen or improperly disclosed. The medical practice must ensure that all staff members are properly trained on the updated policies and procedures.
3. Make sure that all devices that hold PHI, such as workstations, laptops, tablets and mobile phones, are encrypted. Encrypting these devices prevents PHI from being accessed if a device is lost or stolen.
4. Work with their EHR vendor to make sure that the medical practice’s EHR system is updated to flag information that patients do not want the practice to share with insurance companies.
5. Put in place a process that gives the practice the ability to provide patients their medical record information in electronic format.
6. Review and update the medical practice’s contracts with its business associates. Business associates are people not employed by the practice who have access to PHI.
7. Update the Notice of Privacy Practices. The updated Notice of Privacy Practices must be displayed for patients to see and must be posted on the medical practice’s web site.
