by Jodie Cannon, BS, OSHA/HIPAA Consultant
We get a lot of questions from our clients and thought we would share some of the most frequent with you:
Q. When can we say we are HIPAA compliant?
A. We get this question a lot. There is no definitive answer. However, based on what we see from the Office for Civil Rights, an organization will be considered HIPAA compliant if it makes a “good faith” effort, which would generally include the following:
- Performed a recent Security Risk Analysis
- Implemented an active Risk Management Process
- Maintained Policies and Procedures that specify how patient data is protected
- Maintained signed Business Associate Agreements
- Trained employees within the last year
- Kept documentation evidencing the above and the other aspects of your HIPAA compliance program
Q. What are the key HIPAA requirements?
A. HIPAA has requirements called safeguards; there are three sets of safeguards: physical, administrative and technical. To be considered HIPAA compliant, you must be adhering to these safeguards. When we perform your Risk Assessment, we will be providing you with recommendations on how to better align your organization with the
Q. Who do I need a Business Associate agreement with?
A. A Business Associate is a vendor of a Covered Entity (CE) or of another Business Associate (BA) that needs access to, or stores, electronic Protected Health Information as a regular part of the services it provides. Common examples of BAs are IT companies, billing companies, and transcription companies. Cleaning companies are not BAs. For additional information on Business Associates, please visit https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html. We at Modern Practice Solutions recommend a yearly Business Associate Audit to ensure you have signed agreements and have properly identified your Business Associates. We will also submit Business Associate Agreements on your behalf. It is the responsibility of the Covered Entity to follow up, ensure all BAAs are signed by the Service Provider, and keep them with your HIPAA policies.
Q. Do I need to retrain my employees every year?
A. As a practical matter, yes. If you don’t train your employees every year, it will be listed as an area to focus on in your Risk Assessment. Under the Security Awareness and Training Standard, § 164.308(a)(5), periodic retraining should be given any time there is an environmental change, a change in policies, upgraded or new software, or a change in the HIPAA Security Rule. The Security Awareness and Training Standard also addresses periodic security updates, based on whether they are a reasonable and appropriate safeguard to implement. Examples of periodic security reminders are monthly meetings, monthly newsletters, and posted security reminders. Periodic security reminders can be in printed or electronic form.
Q. Can I send email to patients?
A. There are two circumstances in which it is permissible to email patients. If you have encrypted email, it is always fine to email patients. If you do not have encrypted email, you may still email a patient who has signed a release saying it is okay to do so. Ensure you have that authorization from the patient before sending any unencrypted email. This is hard to keep track of and will generally be impractical. Best practice is to communicate electronically with patients only through a secured/encrypted portal. This is secure and also keeps a record of all communications for you.
Q. Is Ransomware a reportable breach?
A. It may well be, but an investigation of the facts is required to confirm. Every effort should be made to prevent a ransomware infection. Make sure all systems are patched, have a recent vulnerability scan, and train your employees to recognize and avoid phishing emails. FYI, this is the best practice for cybersecurity no matter what industry you are in. We have provided a link to the HHS fact sheet of questions and answers on reportable breaches arising from ransomware attacks for your review: https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
Q. What is the difference between a security incident and a breach?
A. Any time the Security Officer suspects that ePHI (electronic Protected Health Information) was somehow disclosed in an unauthorized fashion, there is a security incident. The security incident must be investigated before it can be determined to be a breach. It is important to document the investigation of the security incident or breach using a Breach Determination & Risk Documentation form. All security incidents and breaches should also be documented on a Security Incident form that identifies the risk level (low, medium, or high), a brief description of the incident, and the resolution.
Q. How often should we perform a Risk Assessment?
A. The HIPAA regulations allow organizations to perform Risk Assessments at whatever frequency they deem appropriate. However, CMS/HHS require Security Risk Assessments (SRAs) for Meaningful Use, MACRA, and the Diabetes Prevention Program to be performed yearly, and this is now the de facto standard. As a best practice, and to meet HHS standards, everyone should perform an SRA at least once per year. According to the Guidance on Risk Analysis Requirements under the HIPAA Security Rule, risk analysis should be ongoing. Some covered entities perform Security Risk Assessments annually or as needed (bi-annually or every 3 years). It is recommended that when a covered entity has experienced a breach or a security incident, adopted new technology, added satellite locations, or had turnover in key staff, another Risk Assessment be performed to reassess whether additional security measures or updated policies are needed. We have provided a link to the Guidance on Risk Analysis Requirements under the HIPAA Security Rule as an additional resource.
Q. Do I need to perform a vulnerability scan?
A. Yes. Identifying technical vulnerabilities is a requirement of the HIPAA Security Rule. According to HHS: “The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of ePHI.” However, the HIPAA Security Rule does not specify the frequency with which this should be performed. A vulnerability scan is an inspection of your workstations, servers, and networks to identify possible security holes or weaknesses. How often you have a vulnerability scan completed is a decision you should discuss with your IT department or IT vendor. Remember, a vulnerability scan helps not just with HIPAA, but also with your organization’s overall cybersecurity posture. We have seen terrible breaches and huge penalties that could have been prevented if a vulnerability scan had been run. IT/hacking incidents and unauthorized access are the top two causes of breaches for 2018.
Q. Do I have to encrypt my laptops?
A. If a laptop is lost, that is a security incident (see above). It is then incumbent upon the organization to perform an investigation to determine how much ePHI, and which ePHI, is stored on the laptop. This is virtually an impossible task. However, encryption offers a “safe harbor”: if an encrypted laptop is lost, it is not a breach (provided, of course, that you can prove the laptop was encrypted). Encryption is very cheap and easy these days, and it is a recommended best practice for all organizations, not just HIPAA Covered Entities. It is highly recommended to encrypt all media devices, such as laptops, cell phones, iPads, hard drives, jump drives, etc. Covered Entities should keep track of any media devices that are transported out of the Practice and encrypt those devices, including emergency phones assigned to staff members. If your Practice does not allow the use of personal cell phones, ensure you have a cell phone policy and that staff have reviewed and signed the policy regarding the use of personal cell phones.
We hope you found this Q and A helpful and practical. If you have any questions, please do not hesitate to contact us at firstname.lastname@example.org.
We at Modern Practice Solutions are now offering an Advanced HIPAA Course at our Dover, Tennessee office. This is an in-depth training course geared toward RDAs, RDHs, DDSs, and Managers serving as Privacy Officer and/or Security Officer for their dental practice. Learn how to incorporate policies and procedures to comply with HIPAA’s requirements for administrative, physical, and technical safeguards. We will address key elements such as the requirements for a Risk Assessment, staff training, internal forms, required postings, and how you can close the gaps in your HIPAA compliance.
2019 Advanced HIPAA course dates thus far are:
- February 7
- February 15
- March 7
- April 11
- June 7
The course includes 6 CEs, course material, a certificate of completion, and lunch. For more information or to register for an Advanced HIPAA Course, please contact Jodie Cannon at email@example.com or Heather Miller at