HIPAA Training Standards Businesses Need to Know

HIPAA Training Standards Businesses Need to Know

Per the HIPAA Privacy Rule and HIPAA Security Rule, both Covered Entities and Business Associates, must require HIPAA training for all workforce members that access protected health information (PHI) or electronically protected health information (e-PHI) in any of its forms and should be provided “as necessary and appropriate for the members of the workforce to carry out their functions within the [organization].”

According to the Rule, training must be provided “to each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce.” Along with all other annual compliance requirements, HIPAA training is arguably the most important. Your workforce members are your first line of defense in the event of a Breach and must be able to identify your organization’s designated HIPAA Security Officer, and have a firm understanding of the HIPAA Privacy and Security Rule. Training should also highlight the organization’s Technical, Administrative, and Physical Safeguard objective security requirements. It is best practice to provide ongoing security awareness training and, in addition to the mandatory annual training, the Privacy Rule also highlights what’s known as “periodic” training. The goal is to ensure workforce member’s knowledge of HIPAA compliance is not forgotten.

The HIPAA Privacy Rule states that “An [organization] must document that the training as described [in the HIPAA Text] has been provided.” Failing to do so will be seen as “willful neglect” and will result in HIPAA violations including monetary penalties as high as $1.5 million dollars. A minor violation may only result in a corrective action plan requirement, whereas a significant data breach attributable to a lack of training will be viewed more seriously.

At Live Compliance, we make checking off your compliance requirements extremely simple.

      • Completely online, our role-based courses make training easy for remote or in-office employees.
      • Short informative video trainings to meet periodic training requirements
      • Contact-free, accurate Security Risk Assessments are conducted remotely. All devices are thoroughly analyzed regardless of location. Conducting an accurate and thorough Security Risk Assessment is not only required but is a useful tool to expose potential vulnerabilities, including those such as Password Protection.
      • Policies and Procedures are curated to fit your organization ensuring employees are updated on all Workstation Use and Security Safeguards in the office, or out. Update in real-time.
      • Electronic, prepared document sending and signing to employees and business associates.

Call us at (980) 999-1585 or visit www.LiveCompliance.com.


ABOUT EZCLAIM:
As a medical billing expert, EZClaim can help the medical practice improve its revenues since it is a medical billing and scheduling software company. EZClaim provides a best-in-class product, with correspondingly exceptional service and support. Combined, EZClaim helps improve medical billing revenues. To learn more, visit EZClaim’s website, email them, or call them today at 877.650.0904.

4 Steps to Designing a Superior Patient Experience

4 Steps to Designing a Superior Patient Experience

Designing a Superior Patient Experience

We live in a world of increasingly lofty consumer expectations—one where 44% of U.S. consumers will switch to a competitor following a poor customer service experience.

The medical industry is no exception to this trend.

In a study by PatientPop, 58 percent of Gen Z, Millennials, and Gen Xers, as well as 63 percent of individuals 55 and older, said that responsiveness to follow-up questions via email or phone outside of the appointment is critical or very important to overall satisfaction.

Patients want more than just excellent care from their healthcare providers. They expect easy access to medical records, convenient online scheduling and appointment reminders, prompt responsiveness, and painless ways to contact your office—24/7/365. And they’re also seeking compassionate and knowledgeable representatives who are willing to provide caring and accurate resolutions to their issues.

As a medical provider, you should not only focus on bringing in new patients but also continually strive to improve patient retention. Growth in customer retention rates by 5 percent can increase profitability anywhere from 25 to 95 percent, after all.

So how do you design an experience that increases patient satisfaction and retention? Let’s dive in.

1: Make Prompt Call Answering & Convenient Appointment Scheduling A Priority

As we mention above, patients want—and nowadays expect—your office to answer quickly as well as provide effective and swift resolutions to their health matters. But in a busy office, the staff is often focused on dealing with patients. Even front desk and administrative teams can become inundated with in-office tasks at a busy practice, leaving calls, messages, and emails unanswered.

A superior patient experience starts with prompt call answering and convenient appointment scheduling—a service that’s available to your patients whenever they need you, including weekends and holidays, and answers every call addresses delicate patient concerns with empathy, and schedules appointments quickly. If your staff is struggling to keep up with demand, consider outsourcing your phone answering and appointment scheduling. Not only will this improve patient satisfaction, but it also brings a sense of work-life balance to internal staff and allows you and your team to focus on what you do best; caring for patients.

2: Streamline and Perfect Your Patient Intake Process

The patient intake process is tedious, but it’s incredibly important to your operations, and speed and accuracy are vital. Streamlining and perfecting patient intake starts with leveraging the right software—one that makes it easy for patients to fill in their information and access their records, and provides all of the valuable data your practice needs to operate in an easy-to-navigate platform. For starters, your intake software should:

  • Be encrypted for data transfer through the internet and HIPAA compliant
  • Be intuitive and user-friendly
  • Not require special software or hardware downloads or installation for the user
  • Be portable into back-end systems

Your intake process should also be integrated with your electronic health records (EHR) software, and information should be updated and available in real-time for a smooth experience—for patients, admin staff, and providers—so that everyone is up-to-speed. Both technology and your process should remove redundancies from your workflow and streamline the intake experience.

3: Provide HIPAA-Compliant Live Chat & Text For Swift and Convenient Communication

Another great way to improve patient experience is via live chat and text, through which you and your staff can communicate with patients wherever they are, send appointment reminders, have two-way private and secure conversations, multitask as needed and be available when emergencies happen.

HIPAA-compliant chat and text messaging lets you communicate efficiently and accurately with patients and simultaneously safeguards electronically protected health information (PHI) while taking full advantage of the speed and flexibility of today’s communication technology.

Some of the many benefits of secure live chat and text in the healthcare realm include:

  • Reduced response times, including in the off-hours and on weekends or holidays
  • Ability to provide immediate recommendations for care and preliminary diagnoses
  • Ability to send follow-ups, like reminding patients to take medications, which creates better relationships between you and your patients
  • Secure PHI storage that acts as a record of past conversations, symptoms, or complaints to improve future care, diagnosis, and treatment plans

4: Leverage Technology and Software Integrations For Smarter Decision-Making

Technology and software integrations have transformed healthcare and are vital in any medical practice. Why? Because when you streamline your office functions and workflows, you improve all aspects of patient care and experience.

First, your office should be using an EHR (electronic health record) system. This system automates access to client information, helping to improve workflows and reduce incidences of errors by improving the accuracy and clarity of medical records. It should include all the key clinical data relevant to each patient’s care, including:

  • Demographics
  • Progress notes
  • Problems
  • Medications
  • Vital signs
  • Past medical history
  • Immunizations
  • Laboratory data
  • Radiology reports

Communication data collected throughout your patients’ experience with your office—such as phone conversations, appointment scheduling, and reminders, and live chat and text transcripts—should also be sent to and recorded in your EHR system.

Finally, the right software can help you make better patient and business decisions. For instance, maybe you want to know the percentage of patient calls versus the percentage of calls from hospitals that come into your office. Or, maybe you want to know which hospitals call you the most or you want to know the main reasons patients call so you can use that information to improve patient care and education.

How The Highest-Performing Medical Practices Prioritize Patient Experience

Medical practices that provide a superior service experience are available to their patients 24/7, have a streamlined and accurate intake process, are tech-forward, and have omnichannel communication options that empower patients to reach out any time and from anywhere. But most medical practices don’t do it all on their own. The highest-performing medical providers leverage an outside service provider like Nexa to improve client satisfaction, increase retention and grow their revenue. Learn more about how Nexa can help your medical practice level up by visiting nexa.com/medical.


ABOUT EZCLAIM:
As a medical billing expert, EZClaim can help the medical practice improve its revenues since it is a medical billing and scheduling software company. EZClaim provides a best-in-class product, with correspondingly exceptional service and support. Combined, EZClaim helps improve medical billing revenues. To learn more, visit EZClaim’s website, email them, or call them today at 877.650.0904.

[ Contribution from the marketing team at Nexa ]

The Devastating Effects of Social Media in Healthcare

The Devastating Effects of Social Media in Healthcare

HIPAA Social Media Do’s and Don’ts in Healthcare

There are many benefits to social media in the healthcare industry, however, there is also huge potential for HIPAA violations of patient privacy to be violated on social media networks.  The Privacy Rule protects All “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral. The Privacy Rule calls this information “protected health information (PHI).”

Did you know that more than 71% of recorded data breaches in the healthcare industry are attributable to employee actions?

The most important rule is to never share Protected Health Information or Personally Identifiable Information on social media. Social media may include personal blogs and other websites, including Facebook, LinkedIn, Twitter, YouTube, or others of the like.

A few common identifiers include but are not limited to:

    • demographic data
    • medical histories
    • test results
    • insurance information
    • and other information used to identify a patient or provide healthcare services or healthcare coverage.

What is a breach and what can I do to avoid it?

 A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. This means employees should refrain from posting, commenting, or sharing patient information on social media including patient names, photos, and descriptors that would identify the patient.

What is considered identifiable information?

The most common social media HIPAA violations include:

    • Posting of images and videos of patients without written consent
    • Posting of gossip about patients
    • Posting of any information that could allow an individual to be identified
    • Sharing of photographs or images taken inside a healthcare facility in which patients or PHI are visible
    • Sharing of photos, videos, or text on social media platforms within a private group

“Friending” patients on social media websites is also strongly discouraged. This can lead to accidental identifying of patients, especially if your place of work is listed in your profile and accidental ‘discussion’ about the patient’s care. Therefore, employees in inpatient care roles generally should not initiate or accept friend requests. Do not enter into social media discussions with patients who have disclosed PHI on social media.

Employees should also refrain from messaging or texting PHI or PII on social media or messaging applications not approved by your organization. In general, no personally identifiable health information should be sent in any manner which does not ensure communication encryption in transit and at rest.

So, what do you do if you think you may have exposed a patient’s protected health information or personally identifiable information?

In general, it’s advised to, follow your organization’s Incident Response Policy immediately and notify your supervisor and/or designated HIPAA Security Officer for immediate next steps.

At Live Compliance, we make checking off your compliance requirements extremely simple.

    • Reliable and Effective Compliance
    • Completely online, our role-based courses make training easy for remote or in-office employees.
    • Contact-free, accurate Security Risk Assessments are conducted remotely. All devices are thoroughly analyzed regardless of location. Conducting an accurate and thorough Security Risk Assessment is not only required but is a useful tool to expose potential vulnerabilities.
    • Policies and Procedures are curated to fit your organization ensuring employees are updated on all Workstation Use and Security Safeguards in the office, or out. Update in real-time.
    • Electronic, prepared document sending and signing to employees and business associates.

Don’t risk your company’s future, especially when we are offering a free Organization Assessment to help determine your company’s status. Call us at (980) 999-1585, or email me, Jim Johnson at Jim@LiveCompliance.com or visit www.LiveCompliance.com

For more information about DarkWeb breaches please contact us at (980) 999-1585 or email us at support@livecompliance.com


ABOUT EZCLAIM:
As a medical billing expert, EZClaim can help the medical practice improve its revenues since it is a medical billing and scheduling software company. EZClaim provides a best-in-class product, with correspondingly exceptional service and support. Combined, EZClaim helps improve medical billing revenues. To learn more, visit EZClaim’s website, email them, or call them today at 877.650.0904.

Noncompliance of HIPAA Security Rules Has Huge Consequences

Noncompliance of HIPAA Security Rules Has Huge Consequences

The noncompliance of HIPAA security rules has had huge consequences for an IT and health information management company.

CHSPSC LLC, (“CHSPSC”) has agreed to pay over $2 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), for the breach of Protected Health Information (PHI). The Business Associate was notified by the Federal Bureau of Investigation (FBI) that it had traced a cyber-hacking group’s advanced persistent threat into CHSPSC’s information system.

After OCR ‘s investigation, it was found that CHSPSC had “longstanding, systemic noncompliance with the HIPAA Security Rule including failure to conduct a risk analysis, and failures to implement information system activity review, security incident procedures, and access controls.” The large health system provided various Business Associate services, including IT and health information management, to hospitals and physician clinics. These violations could have easily been avoided! OCR Director Roger Severino said, “The healthcare industry is a known target for hackers and cyber-thieves. The failure to implement the security protections required by the HIPAA Rules, especially after being notified by the FBI of a potential breach, is inexcusable.”

 

In addition to the monetary penalty, the Business Associate will be required to complete a “robust” Corrective Action Plan (CAP) with monitoring activity for at least the next two years. CHSPSC will also be required to do the following:

Implement technical policies and procedures to allow access only to those persons or software programs that have been granted access rights to information systems maintained
Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports
Conduct accurate and thorough assessments of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI

All this shows that ANYONE can face HUGE penalties, and they would most likely bankrupt a small billing company or an independent physician practice.

 

So, based on this specific example, it is VERY important to understand that every complaint or potential breach must be investigated by HHS/OCR. If you, a billing company, or other vendor, suspect a breach, you must inform the covered entity (your client) and have a breach risk assessment completed to determine key factors and take action.

Keep in mind, a Business Associate is a ‘person’ or ‘entity’. This means that ALL billing companies—large or small—need to comply with the Federal HIPAA security rules and regulations. So, if your company has not completed an accurate and thorough security risk assessment, there is a possibility that you could be penalized under ‘willful neglect’. (This category alone gas a fine of $50,000 per violation!)

 

So then, what can be done to ensure this doesn’t happen to my billing company or my organization? Well, one of EZClaim’s partners, Live Compliance, can make determining your compliance requirements extremely simple:

Completely online, Life Compliance’s role-based courses make training easy for remote or in-office employees
Contact-free, accurate Security Risk Assessments are conducted remotely. All devices are thoroughly analyzed regardless of location.
Policies and procedures are curated to fit your organization, ensuring employees are updated on all workstation use and security safeguards in or out of the office. Update is in real time.
Electronic, prepared document sending and signing to employees and business associates

 

So, don’t risk your company’s future, especially when Life Compliance is offering a FREE Organization Assessment to help determine your company’s status. Either call Life Compliance at 980.999.1585, visit LiveCompliance.com to schedule an assessment, or e-mail Jim Johnson.

[ Article contributed by Jim Johnson of Live Compliance ]

———————————-

ABOUT EZCLAIM:
EZClaim is a medical billing and scheduling software company that provides a best-in-class product, with correspondingly exceptional service and support, and can help improve medical billing revenues. To learn more, visit their website, e-mail them at sales@ezclaim.com, or call a representative today at 877.650.0904.

Failing to Implement HIPAA Causes Large Fine

Failing to Implement HIPAA Causes Large Fine

Failing to implement HIPAA causes a large fine for a small-town North Carolina health services provider. They were fined $25,000 for multiple, easily avoidable, HIPAA violations for “longstanding, systemic non-compliance” with the HIPAA Security Rule. [ Note: The provider is a part of a health center that offers discounted medical services to the underserved population in rural NC, and the fines were reduced in consideration of this, but it still resulted in a significant monetary loss ].

In 2011, Metropolitan Community Health Services (Metro), doing business as Agape Health Services, filed a breach report regarding “the impermissible disclosure of protected health information to an unknown email account.” The breach affected over 1,200 patients!

In addition to the large monetary penalty, the practice is required to develop and adopt a corrective action plan (which includes two years of thorough monitoring) after the Office for Civil Rights (OCR) discovered that Metro failed to conduct a thorough and comprehensive HIPAA Security Risk Assessment and Analysis. In addition, Metro did not implement a single HIPAA Security Rule Policy and Procedure for the health center. Possibly worst of all, Metro failed to provide workforce members with HIPAA Privacy and Security Awareness training until 2016!

Patients must trust with who they share their personal, private, and protected health information. A breach such as this is obviously devastating for the patient, in addition to their doctor’s reputation. So, how can physicians ensure that they are meeting the HIPAA requirements and have proper safeguards in place to avoid this sort of breach?

First off, an accurate and thorough Security Risk Assessment and Analysis must be conducted to expose and target any potential administrative, physical, and technical vulnerabilities. Doing so highlights any major flaws in a practice’s administrative and technical safeguards, and accentuates the policies and procedures that the practice needs to implement.

In addition to that, the designated HIPAA Privacy and Security Officer must ensure that ALL employees complete HIPAA Workforce training. All employees of the practice, including the physicians, must take HIPAA training to ensure employees have a clear understanding of the HIPAA Privacy Rule and actionable policies and procedures.

So, remember, healthcare organizations and their vendors have a responsibility to be HIPAA compliant, and that starts by performing, updating, or reviewing an accurate and thorough Security Risk Assessment covering your technical, administrative, and physical safeguards. This will help uncover any vulnerabilities, and help you understand what information is being transmitted, shared, and how it is being transmitted.

 

TAKEAWAYS AND THINGS TO CONSIDER:

  • Complete a Security Risk Assessment and establish a Corrective Action Plan that is accurate and thorough.
 Remediate any potential risks or vulnerabilities.
  • A Security Risk Assessment will target vulnerabilities related to what is potentially exposing Protected Health Information (PHI)
  • Develop actionable policies and procedures that clearly outline disclosures of PHI
  • Ensure all employees have a clear understanding of the HIPAA Privacy rule and its policies and procedures

 

Live Compliance provides everything you need to become and maintain your organization’s HIPAA compliance requirements. All policies and procedures can be edited and shared directly with staff from your staff portal. Training are delivered and monitored within your portal, can be customized, role-based, and be accessed anytime and from anywhere. You can also easily send and monitor HIPAA training with one click.

Failing to implement HIPAA can cause tremendous problems and use precious resources and time to implement. Live Compliance makes it 10X easier than trying to do it on your own.

So, take advantage of Live Compliance’s FREE Organization Needs Assessment to understand your immediate compliance needs. For additional details, e-mail Jim Johnson (at jim@livecompliance.com), call (980) 999-1585, or visit their website at livecompliance.com/oa

Live Compliance is a partner of EZClaim, a medical billing software company. For more details about their solutions, visit their website at ezclaim.com.

[ Written by Jim Johnson, President of Live Compliance ]