The first webinar, "Forming a HIPAA Compliance Plan," was held on February 5, 2015. Daniel Brown, Esq. of Taylor English Duma LLP and Jason Karn of Total HIPAA Compliance walked attendees through the steps needed to create and maintain a HIPAA compliance plan. Topics covered include:
To make the webinar a little easier to navigate, we divided it into shorter clips. If you'd like to view the entire webinar, just start with the first clip, and the rest will be queued up automatically. A transcript of the presentation is available below as well as answers to some of the questions we received during the Q&A.
To keep things simple, we divided the video transcript into short sections corresponding with the clips above.
Jay Maul: Hey, everybody! My name is Jay Maul. I’m on the Marketing team at NueMD. First of all, thanks so much for everybody coming out today. I really appreciate you spending the time with us. I’m going to briefly introduce our two presenters; we have Jason Karn from Total HIPAA Compliance and Daniel Brown from Taylor English. These guys are great; they really know their stuff. And with that, I’m going to pass it over to Jason for a bit more of an introduction of himself.
Jason Karn: Thanks, Jay! Good afternoon. My name is Jason Karn. I am the Director of Training and IT at Total HIPAA Compliance. I’ve been involved with HIPAA since around 2003 and I’m one of the co-creators of Total HIPAA’s online training compliance documents. I present across the country and also I’m a blogger on all things HIPAA. A little bit about Total HIPAA Compliance, we have customized training compliance documents templates for five different markets. We work with medical practices, dental companies, insurance agents, employer groups, Business Associates and subcontractors that support these groups. Now, I’m going to pass it off to Dan.
Daniel B. Brown, Esq.: Thank you very much, Jason! Good afternoon, my name is Dan Brown. I’m an attorney in Atlanta, Georgia and I recently joined Taylor English Duma here in Atlanta. I’m a healthcare lawyer and have been practicing for the last 30 years and specializing in the last 20 years with healthcare practitioners and institutions working with HIPAA all along the way. Let’s go ahead and get started. I know you’ve seen these slides before. It’ll be a little like a rerun through the beginning. This is an educational program. Nothing that we say here is intended to create an attorney-client relationship. Just check these references from time to time. The laws change which keeps us lawyers and Jason busy. And part of your compliance plan is to always go back and check that you’re up to date and we encourage you to do so.
Daniel B. Brown, Esq.: Our topic today is ‘What is a Compliance Plan?’ What is this thing that is required of us to indicate compliance with HIPAA? It’s nothing more than a compendium of your organization’s policies and procedures, describing your Privacy and Security obligations of your protected health information. These are legal obligations.
It’s interesting to note that when NueMD, who I appreciate putting on this program, when they did a survey a couple of months ago about compliance generally, 58% of the respondents said they had a compliance plan which is not so great when you think that 19% were not even sure and 23% said they did not have a plan at all. And to those 23%, I can only say that you are in essence in violation of a federal regulation.
So what is the purpose of your plan? What do you want to do? Well first it serves as a blueprint for you to accommodate, understand, and transmit your obligations under HIPAA. It tells your organization what your policies are, how you’re going to go about protecting problems with privacy and security and how you’re going to go about fixing them.
Another purpose of the plan is to have evidence that you have followed the law and have adopted a plan. What you’ve done is, your board of directors or other governing body has formally taken corporate action to adopt a plan, and to appoint the key personnel that Jason will be talking about.
It’s always troubling to me when a client will call and say, “We kind of have a HIPAA problem and people are investigating.” And the first thing they ask us is, “Do we have a HIPAA compliance plan?” Well, sure, it’s right here on the shelf, which is great. Then they ask us, “Well, how many times have you used it?” Then they ask the staff, “Can you name the names of your company’s Compliance Officer or Privacy Officer?” To which they respond, “We don’t know.” And that’s a bad sign. These plans are intended to be evidence that you are compliant, but to be compliant it has to be a living document that you use throughout your organization.
Daniel B. Brown, Esq.: So, are you required to have a plan? The answer is yes. The federal regulations under HIPAA absolutely require, at least as to policy, that you adopt Policies and Procedures, very specific Policies and Procedures, and that they be compiled and maintained. That is your compliance plan for Privacy. You also need a compliance plan for Security. It’s a little different. Privacy goes to disclosure of protected health information, making sure that you have rules in place, that you don’t overtly kind of leave it around or share it unwillingly. The Security rules deal with information in electronic form. Privacy covers health information that is oral, paper and electronic, while Security goes only to electronic. And these Security rules are required by law, and they go to make sure that folks have good access, clean access, to your electronic health information and that they have maintained the integrity of the information. For example, this morning we learned of Anthem Blue Cross Blue Shield being hacked, affecting 80 million people. They clearly did not have proper integrity of their protected health information. I’m sure they had a compliance plan, but their integrity was breached nonetheless.
Daniel B. Brown, Esq.: What’s the risk of not having a plan? Well, the Office of Civil Rights of the U.S. Department of Health and Human Services is authorized, along with State Attorneys General now, to sanction, fine, or find criminal penalties for folks who violate HIPAA. Violations can be big and small. And these are fairly recent.
The first one here is Massachusetts Eye and Ear Infirmary. They had a HIPAA breach, a violation of their Security requirements. They ended up paying the maximum amount permitted, $1.5 million. What did they do? Well in this case, one of their physicians went on a program in South Korea and left his laptop laying around. The patient information of about 20 years worth of patients was breached. When the Office of Civil Rights came and issued this fine, one thing that they pointed out in particular was that the hospital failed to adopt the HIPAA-required compliance policies and procedures that your plan must have.
So, part and parcel of getting dinged is not having your plan and not following it. And it’s not just big players, it’s little players too.
In 2012, a five-physician group in Arizona paid $100,000 for violating HIPAA. And what did they do? Well, it was kind of a dumb thing quite honestly. They had an Outlook calendar like we all have on our Outlook and they posted that online, live, and anyone could access it. And there was Mrs. Smith coming in for her surgery at 1:00 and then at 2:00 was Mr. Jones and then at 4:00 it was someone else. And that was kind of just not too smart use of technology. The OCR came in and they said, “Where is your HIPAA Policy and Procedures plans? Where is your Security plan?” And they couldn’t find one up to their satisfaction. That also led into the reason why these fines were levied.
Something on the horizon, that all of us need to think about. This is just a bunch of legal gobbledygook, but in essence people call me all the time and say, “Mr. Brown, the hospital disclosed to my momma about my operation and now she’s all mad at me and she’s going to take me out of her will, let’s sue those guys for breach of HIPAA!” And my response is, you know, unfortunately HIPAA does not give individuals the private right to sue a violator of HIPAA. You have to go to the Attorney General of your state or the Office of Civil Rights. So, we can make a complaint to them and maybe they’ll go to the hospital and cite them. But as far as me getting attorney’s fees or you getting some judgment from the hospital, that’s not going to happen.
Just in the last six months or so, the law is changing. Not that it grants a private right of action to plaintiffs who have been injured by providers who have leaked information. The HIPAA violation in and of itself, I can’t touch that. But what I can do is I can say that the hospital or the doctor had certain minimum obligations set forth by HIPAA and they breached those obligations. And because they breached those obligations set out in HIPAA, they were negligent. Just like malpractice. So, you can have a tort or negligence action against your doctor for a HIPAA violation. That’s kind of a way to get to their pockets to make folks whole. Not all states have come around to this conclusion, but it’s kind of on the horizon and it makes all those in the HIPAA world think a little bit more about trying to protect ourselves. We all protect ourselves when it comes to malpractice. We’ll order another test, we’ll make sure the document is there. Maybe now we’ll be thinking about, just like making sure the document is there, making sure the HIPAA plan is there.
Daniel B. Brown, Esq.: And now I’m going to let Jason talk a little bit about what’s in a HIPAA Compliance Plan and about how to get it going.
Jason Karn: Thank you, Dan. So, here you see the list of items that you have to have to form this compliance plan. And we’re going to go a little more in detail about where to start and we’re going to try and break this down for everybody to make this as painless as we possibly can.
As Dan was talking about, you have to have both Privacy and Security Policies and Procedures. You also have to talk about Privacy and Security with your personnel. And that includes your training. And you have to have your data safeguards which includes having your firewalls, making sure that you have proper virus security and those sorts of things. You have to have a complaint mechanism. You have to be able to take complaints from people and know how to deal with them. And what I say to a lot of my clients when we talk about this is that you want to have someone who is very personable taking those complaints, because you can solve a lot of problems just by being open and honest and being concerned and that goes a long way to solving a lot of these problems.
You have to know that you can't retaliate against your patients or your employees. Document retention is a big part of this. There are different time periods that you have to hold documents. I know that California states that you have to hold records of your patients for at least 10 years. Some places say it's forever. I think the HIPAA standard is six years as far as keeping the documentation of your plan. Those are things you need to think about also. They want you to keep that even six years after the fact that maybe your practice is closed.
Jason Karn: Who are the people in this? We have three different groups that we’re going to be talking about here. So, you have your Covered Entities and this is your doctor’s office, your health clearinghouses, your insurance carriers like the Anthem that we were just speaking about. And these are also employers that provide healthcare coverage. If you supply healthcare benefits for your employees, whether you’re a Business Associate, and we’ll talk about those in a minute, or you’re a healthcare provider, you have two different responsibilities. You have a responsibility not only to your patients to protect that information, but if you’re supplying health benefits for your employees you also have responsibilities to them to protect that information.
Next we have Business Associates. I know for a lot of the small and medium-sized companies, those are the people that we couldn’t do business without. Those are our IT vendors, our billing companies, our laboratories, attorneys who come in and help us out, maybe accountants, shredding companies, health insurance agents, the list goes on.
And the Business Associate Subcontractors are the people that help the Business Associates. So those could be that same list of IT people, attorneys, and they may come in contact with your information. And we’ll be talking more about the Business Associates as we get into this next slide.
Jason Karn: So what we're gonna talk about here are the first five steps that you need to do when forming your compliance plan. And we’re gonna start with number one here, and Dan, if you’d switch over, thank you. You need to choose a Privacy and Security Officer. Now these people need to be high up. They need to be managers, officers, owners, somebody that high up. They don't necessarily have to be the owner, but they need to have the ability to sanction and enforce HIPAA within your practice or your business. This is very important, because if they cannot sanction an employee, then what teeth do your policies and procedures have?
For smaller and medium-sized practices you may find that you use the same person for both your Privacy and Security Officer. And one of the things I say, you're going to be dealing with a lot of paperwork and a lot of documentation that needs to happen. So you're gonna need somebody who’s very, very organized.
And something that we need to make sure of, because we saw this in the survey: a lot of our billing companies said they were following HIPAA, but then they stated they didn't have a compliance officer, and that would be your Privacy or Security Officers. Without those officers you are not considered to be HIPAA compliant. You need to have somebody who's responsible, who’s stepping up to make sure that that happens.
Jason Karn: So what is a Privacy Officer responsible for? Well, they're responsible for adopting and enforcing appropriate policies. They are also going to oversee enforcement. They're going to be posting the Notice of Privacy Practices. This is a notice that you need to give to every patient and also if you are an employer you need to make sure you give this to your employees. This tells them what you’re doing with that information and how you’re protecting it.
You also need to have Business Associate Agreements which we’ll be talking about here in a bit. Just on a side note on Business Associate Agreements, if you've been working with a Business Associate for a significant amount of time and had agreements that have been renewing, those need to be updated and Dan is going to be speaking about those later.
And you’ll also be ensuring that all staff is going to be trained. This is very important. This includes any volunteers, anybody who could potentially come in contact who is employed by you.
Now onto the Security Officer. Now the Security Officer, again, this doesn't have to be a security expert. This just needs to be somebody who understands HIPAA and has a pretty good technical idea of what's going on. For a lot of the smaller companies and practices, what you may find is that you need to bring in an IT person that you're gonna have on contract with your Business Associate Agreement to help consult on this and help support the Security Officer in these duties.
And what they're going to be doing is overseeing this ePHI, electronic protected health information, and making sure of its integrity, and this is really important. You have got to make sure that in transit, at rest, which is on your computer, and also in storage, that it is secure. This means encrypted. The standard right now is 128 bit encryption. I know a lot of companies use 256. You have to use at least 128 bit encryption.
You need to make sure that you're looking for and identifying any potential threats, and responding to any suspected breaches of ePHI. You’ll be consulting with that Privacy Officer before you hire any outside vendors. It's important you do this because you can't just say ‘oh, I need a paper shredder, let me hire somebody’. You need to actually do some work on that, and we'll be talking about that in just a few minutes.
You'll be coordinating security audits and you may be working closely with HHS. If there's an audit with the attorney general and again this person will also be making sure that all staff is trained. So they know things like when you're gonna require password changes, what virus software to use, how you access the network, who has access to the network, these kinds of questions.
Jason Karn: So you have to, and this is one of the key things in the law and this is required, you have to do a Risk Assessment. And this Risk Assessment is basically you go through your entire business and you say, ‘Okay where's this computer, where are these files stored, where are we restoring backups’, and you document this information. This becomes your outline, this is how you create those policies and procedures. You need to make sure you understand where everything is.
Now you can do this yourself, and there’s a really nice tool on the Health and Human Services, the HHS, website that you can use. Or you can hire an outside firm. Of course doing it yourself is gonna be on the cheaper side. Hiring an outside firm can be more expensive, and you may do something in between. You may start it yourself and then bring in an outside firm to audit things.
So really the key to this is you need to be thorough. You need to document where everything is. You need to know what virus software you’re using, make sure you document all these items. And you need to conduct this annually. Now once you have it formed in the first place it will be easier to update. And this is really important to make sure you update. Say you're upgrading from Windows 7 into Windows 8 or you know, with the new operating systems that are coming out you're changing the way that you encrypt your emails, you need to make sure you document these things and this needs to be updated in your Risk Assessment. And you need to also revisit this anytime you may have had a security issue, if you have a breach or get a change of hardware or software.
Daniel B. Brown, Esq.: Thanks, Jason! When we create our Policies and Procedures, actually we do have a very nice blueprint for doing that and that is the regulations themselves. In other words, the Policies and Procedures are mandated and what they say in large respect are mandated.
You need to create two documents using our Risk Assessment as a guide. In other words, we’ll have one for Privacy and we’ll have one for Security. Let’s look at our Risk Assessment and determine where the holes are. And then using the template of what’s in the law, then we’ll see exactly where our action plan is to close those gaps.
So, we have the legally mandated materials, and then we use our own investigations to determine what holes exist in our organization and how we’re going to close them. We need to spell out how we’re going to protect all the patients’ protected health information, and we can use the template, as Jason said, or can have something created outside.
Daniel B. Brown, Esq.: The fourth step that we’re going to talk about today is a Business Associate Agreement. Now first, a Business Associate is anyone who’s outside your workforce. Outside your workforce so that’s someone whom you do not directly control, who uses or has access to your protected health information in order to do their job for you.
An example would be a billing company, an attorney who’s looking at a case that’s involving the health information of your patients, or an accountant. Those are the types of folks who are doing the work for you. Interestingly, when we go to identify who these Business Associates are, sometimes another covered entity, a healthcare professional could be a Business Associate and might need to have a Business Associate Agreement with us.
Let’s say, for example, that a particular doctor performs our billing services for us. Well, when the doctor is doing the billing activity, they’re a Business Associate. We need to review the compliance plans of the Business Associates. This is fairly new. HIPAA had a large overhaul in 2013 and grafted many of the obligations and legal penalties that used to only sit with the covered entity. It grafted those obligations and penalties onto the Business Associate as well.
So it’s key for you as a covered entity to know who you're contracting work to, understand what their privacy controls are, understand that if they breach, it becomes your breach. So you need to review your subcontractors and the agreements fairly well. Then you need to make sure you get your signed Business Associate Agreement. Stay on track of it. If they expire, you need to make sure they get renewed.
Many companies and hospitals will give you their form of Business Associate Agreement. You need to be careful with forms of Business Associate Agreements. Much of the language is mandated by HIPAA, much of it isn’t; it’s merely a contract. And you may, by contract, agree to indemnify a covered entity for your mistakes or the business associate’s. You don’t have to do that under HIPAA, but you might have committed yourself to do it by contract. So you might want to have someone look at your Business Associate Agreement and not just think it’s boilerplate, because you might be signing yourself up to obligations you are not absolutely obligated to do.
Daniel B. Brown, Esq.: And we’re going to finish up with training employees. Jason, why don’t you walk us through that.
Jason Karn: Great, thank you so much Dan. So training your employees is very important and required under the law. And one of the questions I get a lot of times about training is how often do you have to retrain those employees once you’ve trained them the first time. And though the law only says train your employees, what we’ve seen in a lot of corrective actions that have come from HHS is that they require some of the larger companies that they’ve gone into to have annual retraining.
And we recommend, because things change constantly, people forget things, mistakes are made, that you do train annually. And there are two things you need to train on. First is the HIPAA obligations in general. As I said earlier, your employees, your doctors, your nurses, any medical staff, volunteers, they need to know what HIPAA is in general. They need to know the law, they need to know about privacy, security, what is considered a breach and what the penalties are in case they do violate HIPAA. And in addition to that, they need to know what your specific policies and procedures are. They need to know, if there’s an issue, who do they go to? They need to know how often you require those password changes. What mobile devices are allowed on the network? How do you access the network? You may have a policy that says you use what they call a virtual private network, which gives you a secure tunnel before you allow people into your network.
And what are those sanction policies? What do you do when you have an employee who violates HIPAA? It may be something that they do inadvertently, or it may be something that they do maliciously. How do you deal with that? That’s very important. Without sanction policies you are not being compliant with HIPAA.
During the webinar, attendees were able to ask questions directly to Dan and Jason. While we tried to get through as many as we could, we simply did not have time to answer all of them. So, we put together a roundup of the top unanswered questions. We've organized them by section to keep things simple.
Q: Do you have an example of a privacy & security plan we can review to see how we look and find ways to improve & implement any changes immediately?
A: There are sample policy and procedure plans on the HHS website.
Q: Can I use a sample HIPAA policy and make it my own?
Q: Would a cleaning service in a medical office be considered a business associate?
A: No. Not if the PHI is securely stored and not left out where it can be seen. (This includes computers being shut down or logged off.) Though it is a good idea to let the manager of the crew know what to do if they accidentally come in contact with PHI (they should let the practice know what they've seen, so the practice knows to be more careful).
Q: What is the best way to handle receiving medical records via fax overnight, when the fax machine sits in a hallway that the cleaning crew has access to?
A: You need to relocate the fax machine to a room or area that can be locked and secured. You currently have a HIPAA violation.
Q: We do not lock up our patient charts - is it best to get a BA with the cleaning crew?
A: The law states you are not required to have a Business Associate Agreement with a cleaning crew, but since you are not locking up your patient charts, we recommend that you have an agreement with the cleaning company so they understand what their responsibilities are. If there is a breach, there is a loss of trust on the part of your patients. You should start locking up your files.
Q: Are paper files with PHI required to be double locked? For instance, are they required to be in a locking filing cabinet despite the building being locked when no one is present to ensure their security?
A: Locking the storage area is probably more important than anything. When you do your risk assessment, determine if anyone has access to the area where the files are stored when the office is closed. If they do, then you need to better secure the files inside the office.
Q: We have new interns every semester. Should we update our compliance plan every semester? Should we retrain / refresh at the beginning of each semester?
A: The plan should include a protocol for training new interns when they come in each semester. You do not need to update the plan for the new interns, though the plan should be updated periodically.
Q: How do you handle HIPAA privacy when you share an office with another medical office? They are two separate offices, but share the same space.
A: Does each organization have a set of Policies and Procedures? Even better, did the practices develop them together? Do the practices support similar philosophies regarding Privacy and Security? Has the staff been trained on the Policies and Procedures and HIPAA guidelines? If the practices are in agreement and everyone has been trained, you probably will not have a problem.
Q: Does the covered entity using, for example, a billing company need to have a BA agreement with subcontractors used by the BA if the BA has a BA agreement with the subcontractor?
A: The Covered Entity does not need to have an agreement with the Subcontractor Business Associate. It is the Business Associate's responsibility to get their subcontractor agreements in place.
Q: We asked all of our Business Associates to sign our agreement... the majority complied, but we had a few that refused. We checked their agreement and did not see a problem... but can we require that they sign our agreement?
A: If a Business Associate refuses to sign an Agreement, then you need to find a new Business Associate to work with. You cannot work with a company that will not sign an Agreement. We had one incident in which a building management company refused to sign a BA Agreement. The medical practice ultimately moved to a new location.
Q: I thought I heard the speaker say that a BA agreement is needed for labs. When I tried to get one from our dermatopathology lab, they are telling me they do not have to provide one. True?
A: A physician is not required to have a Business Associate contract with a laboratory as a condition of disclosing Protected Health Information for the treatment of an individual.
Q: Is there somewhere to get the Business Associate Agreements?
A: Yes. There is a sample on the HHS website.
Q: Can you use Apple's voice to text software? Will the data go somewhere and that breaches confidentiality?
A: The Apple dictation software says they are confidential, and encrypts your information in transit, but they are essentially collecting your data and can associate that back to your computer. Since Apple is not signing a BAA, you need to stop using this program in its current state. There is an option of using Enhanced Dictation, see image below.
Apple states this keeps all of your dictation information local without sending your information to Apple to be processed. This is a pretty hefty download, but definitely worth it for a provider that is using this program.
Q: What are the laws in regards to HIPAA compliance with telemedicine?
A: You have to be careful with telemedicine. There was a doctor that was disciplined for using Skype. It was determined by the Oklahoma Medical Board to not be an approved method for telemedicine because of the lack of security protocols. Make sure you check with your State Medical Board to see if they have rules on approved devices for telemedicine, and restrictions on the types of care you are allowed to provide using this platform. There are a few providers that claim to be HIPAA compliant, just make sure you have a signed Business Associate Agreement with these folks before you use them.
Q: For a small medical billing business what is the best encryption software to use when emailing patient information?
A: We do not recommend a specific provider over another. Though we do have a few partners we work with. If you contact us [Total HIPAA Compliance] directly we can give you some referrals.
Q: What is the HIPAA requirement regarding use of patient name in email such as Gmail?
A: Gmail is not a HIPAA compliant encrypted email solution. You need to use a service that will sign a Business Associate Agreement with you and that requires the patient to authenticate himself or herself.
Q: Are there any governing documents or standards that dictate electronic/digital compliance such as email, B2B, computers/networks, etc., passwords, encryption, etc.?
A: The standard for encryption right now is 128-bit encryption.
Q: What if a physician uses email like Gmail to send info to patient? Does that need to be encrypted?
A: Yes, it does need to be encrypted, and Gmail is not acceptable for email encryption.
Q: When sending an email, what patient info is allowed to be in the email so as not to violate HIPAA? I understand that there has to be a certain number of identifiers before it is considered a violation.
A: Any identifier combined with Protected Health Information must be protected. Identifiers could be name, Social Security number, address, credit card information. The key here is health information.
Q: What about personal laptops & cell phones possibly/potentially being used for business use? What parameters do we need to be sure are in place to be HIPAA compliant?
A: This is called "Bring Your Own Device." There are elaborate criteria that need to be established before you grant employee access to your network. One item that may deter employees from wanting to use their own devices is a recommendation that if there is a breach, malware is introduced by the device, the device is lost, or the employee is terminated, the employee must agree that their phone can be wiped remotely.
Q: Our practice has one physical therapist and one office manager. Should we have a compliance plan?
A: Yes, you are required to have a compliance plan.
Have some insight on practices and HIPAA you'd like to share? Maybe a question you'd like answered? Leave comments below!