As We Approach the Thanksgiving Holiday

We find ourselves feeling grateful for you, our loyal customers. We are pleased to have served you for these past 31 years and look forward to continuing to meet your needs for practice management, scheduling, and clinical record software.

For you and your families, we wish a warm and safe holiday. May we all feel grateful for the good in our lives, for the privilege we experience, for the opportunity to work and to grow, for the people we hold dear . . . and for so much more.

Thank you!

Updated Behavioral Health ICD-10 Codes

The article below was written by Seth Krieger, SOS President, and shared with SOS users through the SOS Newsgroup and SOS User Group.


There are a handful of current ICD-10 psych-related diagnosis codes that will change on October 1 (the start of CMS’s 2017 Fiscal Year). Specifically:

F32.8
F34.8
F42
F50.8
F64.1
F80.89
L98.1
N94.3

See this link or type http://surl.sosoft.com/icd102016 into your web browser to view, download, or print a detailed reference sheet from the American Psychiatric Association. Or try this link from the American Psychological Association, which lists these eight codes and the fourteen codes they become beginning October 1.

You can also view a broader rundown of the upcoming changes on the CMS web site.

You will want to complete all your September claims prior to making any changes! Once your billing for all services through September 30 has been done, then make the needed Dx changes in Lookups > Diagnosis Codes and in affected patient claim setups (professional and institutional), plus in your Case Manager data, if you use SOS’s clinical records product.

Sound like a bunch of work? Well, we have you covered. SOS has created a new report that will sift through the places where you might have used one of these Dx codes, looking for the specific codes that are in the list of October 1, 2016 changes for mental/behavioral disorders. The report output looks like this:

The data in the sample above contains randomly generated values and no actual protected health information.

The highlighted rows belong to patients who have one or more Dx’s in the group above. Yellow signifies Professional (1500) claim setup; green indicates Institutional (UB04) claim setup; and cyan indicates Case Manager (clinical record) data. The report provides a way for you to quickly identify where you will have to make changes to avoid claim rejections and to stay current with the 10/2016 changes.

Rather than changing current claim setups, OM Pro users should create a new claim setup for Professional and/or Institutional claims, replacing the diagnosis codes that have changed. Don’t forget to mark the new claim setups as the Default before starting to enter new services in October!

IMPORTANT: This report includes the entire Active Patient List and could contain sensitive data. If your organization uses SOS’s Advanced Security to restrict staff access to patients, SOS recommends that you use the Admin Module security settings to limit usage of the report to just members of your “Supervisor” access group. If you need assistance with this task, please contact Support. An alternative would be to install the report, run it, then delete it.
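Here is what the sifting logic of such a report amounts to, as an added Python example. It is not SOS’s report or code and it does not know the SOS database layout: the record structure and the sample data are constructed stand-ins, and only the eight code values come from the lists above. It scans Professional and Institutional claim setups and Case Manager data for the changing codes, skips patients who are not on the Active Patient List, and returns a worklist keyed by patient ID only, which keeps the output down to the minimum PHI needed to make the edits:

```python
"""Find active patients whose claim setups or clinical (Case Manager) records
still carry a diagnosis code that changes on October 1, 2016.

Added illustration, not the SOS report (ICD10-2016.rpt) itself: the record
layout below is a constructed stand-in for the SOS database, and only the
eight code values come from the lists cited in the post.
"""
from collections import defaultdict

# The eight ICD-10-CM codes that change on October 1, 2016 (from the post).
CHANGING_CODES = frozenset({
    "F32.8", "F34.8", "F42", "F50.8", "F64.1", "F80.89", "L98.1", "N94.3",
})

# Source labels, matching the report's colour legend (yellow/green/cyan).
PROFESSIONAL = "Professional (1500)"
INSTITUTIONAL = "Institutional (UB04)"
CASE_MANAGER = "Case Manager"


def normalize(code):
    """Canonical form for comparison: upper case, no blanks, no trailing dot,
    so that 'f42.' and ' F42 ' both compare equal to 'F42'."""
    return code.strip().upper().replace(" ", "").rstrip(".")


def find_affected(patients, claim_setups, clinical_records):
    """Return {patient_id: sorted [(source, code), ...]} for every active
    patient who has at least one changing code anywhere.

    Only the patient id is carried into the result: the output is a worklist
    for making edits, so it holds the minimum PHI needed.
    """
    active_ids = {p["id"] for p in patients if p["active"]}
    hits = defaultdict(set)

    for setup in claim_setups:
        pid = setup["patient_id"]
        if pid not in active_ids:
            continue  # not on the Active Patient List
        source = PROFESSIONAL if setup["form"] == "1500" else INSTITUTIONAL
        for raw in setup["dx"]:
            code = normalize(raw)
            if code in CHANGING_CODES:
                hits[pid].add((source, code))

    for record in clinical_records:
        pid = record["patient_id"]
        if pid not in active_ids:
            continue
        for raw in record["dx"]:
            code = normalize(raw)
            if code in CHANGING_CODES:
                hits[pid].add((CASE_MANAGER, code))

    return {pid: sorted(codes) for pid, codes in sorted(hits.items())}


def report_lines(hits):
    """Render the worklist one line per patient, e.g.
    '1001: Case Manager F42; Professional (1500) F42'."""
    return [
        f"{pid}: " + "; ".join(f"{source} {code}" for source, code in entries)
        for pid, entries in hits.items()
    ]


# Constructed sample data (not real patients and not real SOS records).
PATIENTS = [
    {"id": 1001, "active": True},
    {"id": 1002, "active": True},
    {"id": 1003, "active": False},   # inactive: not on the Active Patient List
    {"id": 1004, "active": True},
]
CLAIM_SETUPS = [
    {"patient_id": 1001, "form": "1500", "dx": ["F42", "F41.1"]},
    {"patient_id": 1002, "form": "UB04", "dx": ["F33.1"]},
    {"patient_id": 1002, "form": "1500", "dx": [" f50.8 "]},  # sloppy entry still matches
    {"patient_id": 1003, "form": "1500", "dx": ["F32.8"]},    # ignored: inactive patient
    {"patient_id": 1004, "form": "UB04", "dx": ["F43.10"]},
]
CASE_MANAGER_RECORDS = [
    {"patient_id": 1001, "dx": ["F42"]},
    {"patient_id": 1004, "dx": ["F43.10"]},
]

if __name__ == "__main__":
    for line in report_lines(find_affected(PATIENTS, CLAIM_SETUPS, CASE_MANAGER_RECORDS)):
        print(line)
```

Running the script on the constructed data lists patients 1001 and 1002 only: 1003 carries a changing code but is inactive, and 1004 has no changing code. The same patient can appear under more than one source, which is exactly the case where both a claim setup and the Case Manager record need to be edited.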

This new report for SOS users can be downloaded at the following address: https://sosoft.com/files/downloads/ICD10-2016.rpt. Please note that clicking the link will download the report, not bring you to a page. If this does not work for you, please cut and paste the link into your browser URL bar.

Once downloaded, copy the report file into the SOS folder of only those computers that will be used to generate the report. Next, a Supervisor User should add an entry to one of your Report menus. Just open the desired menu, press the <Insert> key (or right-click, then select “Add”). Complete the form as shown below and save.

If you have any questions, let us know.

How-To Request Help through the On-line Help Desk

Introduction

Did you know that your current Support/Update agreement allows you to get support for SOS products by sending an email or by filling in a request on the SOS Help Desk website? Both of these techniques will create a new service ticket at the Help Desk, and a notification that a ticket is waiting automatically goes out to all support staff.

Emailing a request

Simply address your request to “support@sosoft.com”. Please include a brief description of your issue. (Note that emailing a specific person at SOS is not a good idea. That person could be out of the office or busy with another project and not see your email for a while. Using the Help Desk is the best way to get a prompt response.)

Creating a ticket on the HelpDesk website
  1. Open your web browser and go to http://help.sosoft.com. (You will automatically be redirected to the Help Desk address, which is actually https://sosoft.us/hesk.) Here is what it looks like:

    [Screenshot: 2016-09-13-help-desk]
  2. Click the indicated “Submit a ticket” link to open a ticket form, which looks like this:

    [Screenshot: 2016-09-13_submit-ticket]

    Be sure to fill in all the required fields (indicated by an asterisk). It is helpful to us if you also fill in your phone number and/or the licensee name that appears at the top of your SOS product’s main screen. If you want to send a screenshot or any other file, you can do so in the Attachments section of the form, but be sure to check anything you are sending to assure it does not include any patient information like names, phone numbers, diagnoses, services rendered or other protected health information (PHI).

  3. When you have completed the form, click the “Submit Ticket” button at the bottom of the screen to send it. When an SOS staffer has responded, you will receive an email notification at the address you left in your ticket.

HIPAA at 20: Administrative simplification?

Our company, Synergistic Office Solutions, was founded in 1985, 31 years ago. In those early years, writing practice management software was the easy part of the job. The challenging bit was creating custom claim forms for payers upon whom there were, at that time, no requirements for consistency. While electronic claim filing was possible, our customers who were willing to pursue that option were intrepid explorers. Not many went that far into the wilderness.

Then, in 1996, Congress passed a bipartisan bill aimed at allowing continuity of health insurance coverage for workers moving from one job to the next. That same bill adopted standards for claims and other electronic transactions and began the move toward a single paper claim form, the HCFA 1500 . . . with the huge goal of ‘Administrative Simplification.’

Twenty years ago, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Department of Health and Human Services (HHS) to adopt national standards to improve the electronic exchange of health care data. This national standards mandate falls under a part of HIPAA called Administrative Simplification.

As noted in a recent blog post, in 1996 a considerable portion of every health care dollar was spent on administrative overhead for processes that involved:

  • Numerous paper forms
  • Telephone calls
  • Nonstandard electronic commerce
  • Many delays in communicating information among different locations

Since the 1996 passage of HIPAA, HHS has released numerous regulations to adopt required standards. Today 93.8% of all health care claims transactions are conducted in standard form. The standards have helped pave the way for the interoperability of health data to enhance the patient and provider experience.

For details about Administrative Simplification laws and regulations, view the CMS timeline.

For most of us today, HIPAA is likely to conjure up thoughts of protecting patient privacy and the security of patient data, PHI . . . what is often viewed as an increase in administrative responsibility rather than a simplification. But for those of us who have been around long enough to remember some of those unique paper forms, and the totally different claim file structures required by various clearinghouse companies and hundreds of payers, state and government entities, HIPAA has simplified our work. Even so, we do still have a long way to go before we can claim to have achieved anything like ‘administrative simplification.’

For those of you who have been in behavioral health practice or administration longer than twenty years, what are your memories of pre-HIPAA practice? Do you think the law has improved things for patients? What about for you?

Please share your comments below.

New SOS Project: Product How-To’s

A couple of months ago, we surveyed our customers about the type of content we share with you and how you receive it. One clear interest was in receiving How-To information for our products. We decided that the best way to accomplish this would be regular posts here in our blog on how to accomplish various things in our software.

So here we go with a simple start….

How-To Use Toolbar Help in SOS products

Introduction

New to SOS products? Or maybe you have been using our software for so long you have forgotten some basics!

As you move from window to window and field to field in SOS Office Manager, Case Manager or Appointment Scheduler, you will find explanations and tips appropriate to the currently selected page, button or field up in the left side of the toolbar. This can be especially useful in parts of the program you do not use often, for example, setting up a sliding scale.

Here’s the process:
  1. Go to Lookups and click on Sliding Scale Schedules.
  2. Click on the left side of the toolbar to expand the window.
    [Screenshot: toolbar-help]
  3. Follow the instructions in the help box to assure that you correctly enter information.
    [Screenshot: slidingscale]
  4. As you move from field to field, you will see that the content of the toolbar box changes.
    [Screenshot: 2016-09-07_12-48-13]

Conclusion

You can use Toolbar Help in most areas of SOS programs. Still not sure how to do something? If for any reason you are uncertain about how to accomplish a task you want to do, a Support Tech can assist you.

  1. Call Support: 352-242-9100, Option 2.
  2. Support Hours: Monday through Friday, 10 a.m. to 6 p.m. ET
  3. No Support Agreement? Call Trish at 352-242-9100, Option 1 or email Trish@sosoft.com to find out how to remedy that situation!

More on HIPAA Security: Safe Email

As our privacy and security officer, SOS President Seth Krieger reads lots of blogs and listens to lots of podcasts about security in the cyber world.

One of the blogs Seth follows is provided by a company called Adelia Risk. Early in August, he read a blog post that I want to share with you.

HIPAA Compliant Email: 6 of the Best Ways to Email PHI

How do you send PHI via email and still follow HIPAA? This is one of the most common questions we get.

It’s an understandable question. Email has become the communication tool of choice in the digital age. Most workplaces rely on it heavily.

If you’re a HIPAA-regulated business, email use gets a lot more complicated. It’s even more complicated when you want to email PHI, or Protected Health Information.

Good news: it is possible to send PHI via email, and we’re going to tell you exactly what it takes to ensure HIPAA compliant email.

But before we jump right in, let’s review the basics. . . .

As behavioral healthcare providers, we know you are very concerned about the privacy of your clients. If you are not using a secure email product to send PHI, you are putting that privacy at risk. Please click on the link above or here so you can read the full article. We do not earn anything from this company, but we are sharing this with you because the author, Josh Ablett, appears to know a good deal about his subject.

Please take a look at the article and feel free to add your comments and reactions below. If you are using a secure email product, please share your experience below!

OCR Plans Wider Investigation of HIPAA Breaches Affecting Fewer Than 500

I know I often talk here about HIPAA requirements, HIPAA breaches, and HIPAA fines. That is because I believe this to be a very important issue . . . one that small and mid-sized behavioral health organizations do not seem to concern themselves with very much. The day-to-day business of running a practice becomes the driving factor, and regulatory requirements get glossed over.

I wanted to be sure you have the information from a recent notice from the Office for Civil Rights (OCR). In an email to the OS OCR Privacy List, OCR announced an initiative to more widely investigate smaller breaches.

Beginning this month, OCR, through the continuing hard work of its Regional Offices, has begun an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals. Regional Offices will still retain discretion to prioritize which smaller breaches to investigate, but each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches. The factors Regional Offices will consider include:

*   The size of the breach;
*   Theft of or improper disposal of unencrypted PHI;
*   Breaches that involve unwanted intrusions to IT systems (for example, by hacking);
*   The amount, nature and sensitivity of the PHI involved;  or
*   Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.

Regions may also consider the lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates.

Let me explain the thinking behind this initiative. OCR believes that breaches of PHI occur because of certain root causes. They have largely focused on large breaches in order to determine the root causes of such events because they affect so many people.

The root causes of breaches may indicate entity-wide and industry-wide noncompliance with HIPAA’s regulations, and investigation of breaches provides OCR with an opportunity to evaluate an entity’s compliance programs, obtain correction of any deficiencies, and better understand compliance issues in HIPAA-regulated entities more broadly.

Focusing on smaller breaches will allow OCR to begin to determine if root causes in smaller events are the same as or different from those in larger events. This will hopefully result in recommendations about how smaller organizations can remedy any problem situations.

Remember, if the PHI you maintain is located on computers, removable drives, or cloud storage that is fully encrypted (while in motion and while at rest), it falls within the breach-notification safe harbor: encrypted PHI is not “unsecured PHI,” so its loss or theft is not a reportable breach, provided the encryption keys were not exposed along with the data. The obvious simplest solution for everyone is to encrypt every place in which the PHI for which you are responsible resides electronically . . . your computers, your storage, your emails . . . keep the keys and passphrases separate from the encrypted devices, and be sure your file cabinets are locked!

Phase 2 HIPAA Audits Are Under Way

On Monday, July 11, 2016, letters were delivered to the 167 organizations chosen for ‘Phase 2’ HIPAA audits. These audits . . . called ‘desk audits’ . . . will look at the selected organizations’ compliance with the HIPAA Privacy, Security and Breach Notification Rules. The selected organizations needed to reply by July 22 and to follow a structured process after that. You can read details about these audits on the OCR website. Be sure to scroll down a bit so you see the Phase 2 Audit Program Protocol.

According to OCR, these Desk Audits will cover specific aspects of compliance:

Requirements Selected for Desk Audit Review

Privacy Rule

Notice of Privacy Practices & Content Requirements   [§164.520(a)(1) & (b)(1)]

Provision of Notice – Electronic Notice   [§164.520(c)(3)]

Right to Access  [§164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3),  (c)(4), (d)(1), (d)(3)]

Breach Notification Rule

Timeliness of Notification  [§164.404(b)]

Content of Notification  [§164.404(c)(1)]

Security Rule

Security Management Process —  Risk Analysis  [§164.308(a)(1)(ii)(A)]

Security Management Process — Risk Management  [§164.308(a)(1)(ii)(B)]


Starting in the Fall, Business Associates will be up for review.

I wonder if any SOS customers or readers of this blog have been selected for audit. If so, we hope you will share your experience.

Records Clean Up: What are your policies and procedures?

I spent much of today scanning and shredding records that I no longer want to store in physical form. These are all business records of various sorts, from vendor invoices we have received and paid to customer invoices we have sent and been paid for. This is a task I have been working at in small bits for some time.

I tend to keep things. When it comes to records, I would always rather be safe than sorry. The outcome of this preference is that untoward amounts of paper wind up in our file cabinets.

The ability to scan records for electronic safekeeping has begun to ease this tendency to accumulate. However, because it takes so much time to do the scanning and shredding, the task gets put off and becomes very large.

A few years ago, we had an office-wide clean up, throw-away day. While we devoted one full day to the process, we had actually been doing the tasks over several days and ended with one final event. We brought a couple of tons of paper, old computers, old books and software manuals to our local recycling facility. It was a very satisfying process.

Do you have policies for the records in your organization? Do you know what your state requires for record maintenance? For how long must you keep business records? What about clinical records? Do you have procedures for purging old records of any kind? Or do you just hang onto everything like me?

Please share your thoughts about and experiences with record retention and destruction. I would love your suggestions for how to make this process less onerous! Just enter your comments below.

Successful Integrated Care: Behavioral health in primary care practices

New models for the delivery of behavioral healthcare services are emerging just as new payment models for all healthcare services are being explored. Behavioral Healthcare Magazine recently reported on the integration of behavioral health providers into primary care settings by Christiana Care Health System.

Christiana Care is an organization that already uses evidence-based care across their organization. They had previously embedded psychologists in their neurology, cardiology and cancer departments. Now they have added psychologists and social workers into their primary care practices.

Linda Lang, M.D., chair of the department of psychiatry at Christiana Care makes the following suggestions for organizations considering such a move.

Integration best practices

For fellow health systems considering whether to integrate behavioral healthcare into their primary practices, Lang offers the following advice:

Be flexible. For behavioral health specialists who are used to sitting in an office, working in a primary care setting can be a jolt.

“It’s a much more fast-paced, ‘anything can happen throughout the day’ kind of thing,” Lang says.

Define expectations. Primary care and behavioral health specialists who will be collaborating need to clearly define their respective roles in their working relationship.

“Helping primary care doctors understand what they can expect from the behavioral health provider is important,” she says. “Some primary care doctors really want to manage their patients fully. Others prefer to have a collaborative approach.”

Understand the value of staff buy-in. When presented with the integrated model, caregivers at Christiana Care were receptive, which helped with implementation.

“We were able to get our psychologists and social workers to sign on for something new and exciting, knowing we were meeting the needs of folks in a much different way,” Lang says. “Training and buy-in are very important for this to be successful. There are some of us who have been doing a certain model for a long time. We have a group of people here interested in learning new models of care. Medicine changes all the time. We practice an evidence-based way of delivering all care, and there’s lots of evidence to show this works better. We all are of similar mindset that we want to do what’s best for the patient. We want to grow and learn new techniques.”

Working in a traditional medical setting is not yet usual for behavioral health specialists who are not psychiatrists or nurse practitioners. It is clear that this is one model for comprehensive patient care that will expand.

What do you think it will take for behavioral health and primary care practitioners to find comfortable and useful ways of practicing together? Please share your comments below.

Ransomware, HIPAA, and You

A couple of times this year, we have written about “ransomware” and the threats it poses to all healthcare providers. Some of the behavioral health providers we serve do not realize that this trend is a threat to them and their patients and the Protected Health Information (PHI) they house on behalf of those patients.

Apparently, the Office of the National Coordinator for Health IT (ONC), the Office for Civil Rights (OCR), and the Department of Health and Human Services are also concerned about this new trend.

On July 11, 2016 OCR published a Fact Sheet on Ransomware and HIPAA. If you have computers in your office that are connected to the Internet, we strongly recommend that you take a look at this Guidance. OCR did a thorough job of discussing “ransomware” and its implications for you.

Don’t bury your head in the sand about these threats. You need to understand how they pertain to you, what you should be doing on a regular basis to prevent such intrusions, and whether your current HIPAA procedures are enough.

Anyone willing to share an experience with “ransomware”? Please share your comments below.

Updates, New Information and New Staff

We are regularly surprised by the lack of training provided by practices and other organizations to new staff members when they come aboard. If the person they are replacing does not hang around to do training on our software, the new user is left to learn on their own. Even for an experienced behavioral health practice manager or billing specialist, starting a new job and jumping into a new software product without training can lead to under-use and even to misuse of the software tool with which they are provided.

Synergistic Office Solutions can provide training to new staff people for what we view as a reasonable fee. Since much of their time will be wasted hunting around for how to do their jobs without guidance, investing in training for them can be a wise tack for a practitioner to take.

I thought about this when I got a new Centers for Medicare and Medicaid Services (CMS) notice last week indicating that updated ICD-10-CM and ICD-10-PCS codes are now available on their website. Here is the notice.

2017 ICD-10-CM and ICD-10-PCS Files Available

The 2017 ICD-10-CM and ICD-10-PCS code updates, including a complete list of code titles, are available on the 2017 ICD-10-CM and GEMs and 2017 ICD-10-PCS and GEMs webpages. The posted files contain the complete versions of both ICD-10-CM (diagnoses) and ICD-10-PCS (procedures).

  • 2017 General Equivalence Mappings (GEMs) will be posted in August 2016
  • Official Coding Guidelines and the Present on Admission (POA) Exempt List will be available soon

Updates of software, of code sets, of most anything, usually contain changes that the creators of the update consider important. If this were not so, they would not bother to create and notify users of the update.

After reading the CMS notice, I found myself thinking about new staff members in organizations that use HCPCS codes instead of CM codes. Some do not even know that they use a different code set than most organizations. How could they possibly be expected to know they need to attend to this update of codes if they do not even know which codes they use?

We here at SOS believe that the more information you and your staff have, the more easily and effectively you will be able to do your jobs. Please help your staff learn what they need to know. They will reward you by increasing your payer reimbursements!


Vacation and your mental health

Last week I was at a 10-day yoga training. Later this week, I will head out for a long-weekend holiday celebration. Vacations have become more important to me over time. They are times for me to recharge, rest and restore enthusiasm to my day-to-day life.

Research supports that vacations are important to your health, to your relationships and to your productivity. Some say we should all vacation at the same time to get the best effects. Other research supports taking shorter, more frequent vacations.

What purposes do vacations serve for you? Spending time with family? Entertaining children when they are out of school? Catching up on work around the house? Traveling to far-off places? Pursuing the adventure of a lifetime? Or is rest and recharging more for you?

Please share your comments below.


Violence, Fear and our Biases

I was not sure what I was going to write about today. I am in the midst of preparing to leave for another yoga training and I am feeling a bit overwhelmed. Then I got an email newsletter from the Senior Minister of the Unitarian Universalist Association, Church of the Larger Fellowship, of which I am a member. I decided that sharing her post with you would likely be more valuable than most of what I could write.

The Rev. Meg Riley is a particularly articulate individual whose newsletters I always appreciate. She is one of those rock solid people . . . the ones we all hope to have in our lives. As providers of behavioral health services, you may be one of those people to your clients.

As we try to make sense of or to explain away the violence and hatred demonstrated at Pulse on Sunday morning in Orlando, we may find ourselves Struggling for Words, just as Rev. Meg was.

May we all have peace in our lives and in our hearts. May we all experience love and share it with others. May we all find ways to let go of anger so as not to hurt others.


Sensitive Data Security: Beyond HIPAA

I don’t know about you, but my inbox has recently been inundated with newsletters and emails about data security—or rather, insecurity. While most of these have been aimed at healthcare providers, not many have been specific to behavioral healthcare.

Some folks used to believe that Protected Health Information (PHI) is only at risk and covered under HIPAA if you maintain it electronically. Now it is clear that your paper records are also at risk—and their loss by accident or by theft is a data breach by anyone’s definition. It seems that all healthcare information has become the hot acquisition for criminals everywhere, both cyber criminals and the low tech variety.

Recently, one of our SOS clients asked in our User Group whether other folks have cyber insurance. There were no replies. Take a look at some of these articles by IDExperts. They may convince you that the answer to that question about cyber insurance should be ‘of course!’

Please share your comments below.

PQRS and Psychologists: 2014 data

In late April, I received an email from Dr. Carolyn Stimel, Director of Professional Affairs and Acting Interim Executive Director for the Florida Psychological Association. She was sharing information provided by the American Psychological Association Practice Organization (APAPO) that I wanted to pass on to you. Those of you who are members of APA and contribute to the Practice Organization may have already read this information in the APAPO’s Practice Update.

The short version of this report can be boiled down to ‘perseverance pays.’ The longer version of the story includes the at-first futile but now successful efforts by a California psychologist. You can see the detail in the American Psychological Association Practice Organization’s article. The report also contains steps you should take if you were denied the incentive even though you believe you reported properly.

The psychologist’s Physician Quality Reporting System (PQRS) report to CMS for 2014 included data on 8 measures. According to CMS, in order to receive a 0.5% incentive payment, she would have needed to report on 9 measures. She argued that she could not find a 9th measure that was relevant to her practice and part of her scope of practice. With the help of an attorney, and ultimately the APAPO, she appealed and won.

If you tried to qualify for the incentive payment and were rejected, be sure to take a look at this report. If you have opted out of being a Medicare provider because you don’t want to deal with reporting quality measures, please reconsider. We baby boomers now on Medicare would like to be sure we can receive the quality services provided by psychologists.

The APA Practice Organization is supported by member dues.


Business Associates: Are you covered?

We had our regular HIPAA training with all of our SOS staff this morning. This is a sometimes unexciting meeting, as we review SOS policies and procedures related to HIPAA and Protected Health Information (PHI). This morning, we noticed that the amount we have learned about HIPAA, our responsibilities as a Business Associate and the responsibilities of our mostly behavioral health customers as Covered Entities has resulted in much more refined discussion of what we should all be thinking about.

One of our regular concerns is that we, as a Business Associate to our customers, have in place and understand how to act on, policies and procedures to protect the PHI of our customers should it ever be in our hands.

This morning we found ourselves talking about the danger to Covered Entities of not having Business Associate Agreements (BAAs) with their computer tech, maintenance and repair consultants, and having no idea what the policies and procedures of those Business Associates are.

The Office for Civil Rights (OCR) sent out this information on May 3, 2016:

Covered Entities Should Consider:

1.  Defining in their service-level or business associate agreements how and for what purposes PHI shall be used or disclosed in order to report to the covered entity any use or disclosure of PHI not provided for by its contract, including breaches of unsecured PHI, as well as any security incidents.

HIPAA defines security incidents as attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.  (See the definition of security incident at 45 CFR 164.304).  HIPAA also identifies breaches as, generally, an impermissible acquisition, access, use, or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information. (See the definition of breach at 45 CFR 164.402).

According to the US-CERT, cybersecurity incidents could include the following types of activity, but are not limited to:

§  Attempts (either failed or successful) to gain unauthorized access to ePHI or a system that contains ePHI.

§  Unwanted disruption or denial of service to systems that contain ePHI.

§  Unauthorized use of a system for the processing or storage of ePHI data.

§  Changes to system hardware, firmware, or software characteristics without the owner’s knowledge, instruction, or consent.

2.  Indicating in the service-level or business associate agreements the time frame they expect business associates or subcontractors to report a breach, security incident, or cyberattack to the covered entity or business associate, respectively. Keep in mind, incident reporting should be done in a timely manner, and covered entities are liable for untimely HIPAA breach reporting to affected individuals, OCR, and the media, as applicable. The quicker the incident is reported, the faster a covered entity or business associate can respond, possibly:

§  Minimizing the damages caused by the security incident.

§  Protecting and preventing further loss of electronic patient health information.

§  Preserving evidence for forensic analysis, if necessary.

§  Regaining access to and secure information systems.

3.  Identifying in the service-level or business associate agreements the type of information that would be required by the business associate or subcontractor to provide in a breach or security incident report.  The report should include:

  • Business associate name and point of contact information.
  • Description of what happened, including the date of the incident and the date of the discovery of the incident, if known.
  • Description of the types of unsecured protected health information that were involved in the incident.
  • Description of what the business associate involved is doing to investigate the incident and to protect against any further incidents.

4.  Finally, covered entities and business associates should train workforce members on incident reporting and may wish to conduct security audits and assessments to evaluate the business associates’ or subcontractors’ security and privacy practices.  If not, ePHI or the systems that contain ePHI may be at significant risk.

I know all of you have BAAs in place, so OCR’s advice is just repetitious to you. Or do you? If you do not know what your BAAs should and do contain, if you do not have BAAs with everyone who is not your employee and who may see your PHI, if you do not know your responsibilities as a Covered Entity, if you do not regularly train your employees on HIPAA and its requirements…please take a look at OCR’s website where this information is provided.

We worry about you guys! Please make sure you (and your patients) are protected!

HIPAA, Privacy and Security ‘in the Cloud’

Here at SOS Software, we talk to lots of people each day — current customers as well as new prospects — and frankly, we are often surprised by what people say. Maybe you have heard comments like these, too.

  • “I always communicate with my clients by email. Who is going to see my email?”
  • “I definitely want to use a cloud product for my records. That way I don’t have to worry about security or backup. The company says they are HIPAA compliant and will sign a BAA. They must be okay.”
  • “I am the only one in my office. It would be silly to encrypt my laptop.”

Every time I hear such comments, I get concerned for the clients of the person speaking. After all, their understanding of their responsibility to secure and keep private the Protected Health Information of their clients is limited, at best. Finding secure ways to maintain and to safely share the PHI of clients is what the Health Insurance Portability and Accountability Act (HIPAA) requires of Covered Entities.

What steps and tools will help you do this? Let’s go through comment by comment.

1. “I always communicate with my clients by email. Who is going to see my email?”

First, please understand that email is not secure. At the foot of every email I send to a customer is the following statement: REMEMBER: Typical email is not secure. Never include sensitive financial, personal, health, or account credential (e.g., password) information in unencrypted email communications!

SOS President Seth Krieger uses the analogy of a postcard when talking about email. You should only send information that you would be comfortable mailing on a postcard, an open, totally unsealed document. That is because a typical email is handed along in plain text from server to server and sits in readable form in the mailboxes at both ends, so anyone with access to those servers, or to the network path when transport encryption is not in use, can read it. Interception of any one message may be unlikely, but it takes no special skill.

The solution? Encrypted email. We use a product called Virtru when necessary. This morning I got an email from them detailing new and updated features in their Pro product. One of these was right on target: HIPAA Compliance Rule Pack. In fact, they have a white paper called HIPAA Compliance in the Cloud that you might find useful. There are certainly other companies that provide encrypted email services, some free of charge. Please find one for your organization. (SOS has no relationship with Virtru except that we subscribe to their product.)

2. “I definitely want to use a cloud product for my records. That way I don’t have to worry about security or backup. The company says they are HIPAA compliant and will sign a BAA. They must be okay.”

Cloud products can make it easy for you to log in from anywhere that you have an internet connection. If they are providing a hosted product, they keep the software up to date for you and should be backing things up, though you need to confirm how often, where, and how you would get a copy back. But just because a software provider or cloud storage company says you do not need to worry about anything does not mean that is so.

As the Covered Entity, you are responsible for doing due diligence on any provider of services you use. You need to be sure that the methods they say they are using and the places they say they are storing your data are what they actually do: ask where the data lives, who on their staff can read it, how it is encrypted in transit and at rest, and how you get it back if you leave. Signing a BAA does not guarantee that their line staff know what handling PHI actually means.

In fact, you need to understand that no product is certified as HIPAA compliant by HHS, and no vendor can guarantee that you will be HIPAA compliant. They are merely providing a tool for your use. If you misuse the tool, you are not behaving in a compliant fashion. For example, you need a login and a password to get to your account on their system. But when you get up to take care of your crying infant and your four-year-old sits down at your unlocked computer, your client information is exposed and you are not using the software tools in a HIPAA compliant fashion. Lock the screen every time you step away, and set the computer to lock itself after a few minutes of inactivity.

HIPAA requires that you have policies and procedures to secure and keep private the PHI entrusted to you — and that you follow them. No one else can do that for you.

3. “I am the only one in my office. It would be silly to encrypt my laptop.”

Being the only one in your office is no guarantee of security. A disturbance in your waiting room while you are with a client may well result in your leaving for a few moments, and your computer is likely exposed to your client during that time. Being a solo provider surely does not prevent you from leaving that unencrypted laptop on the subway. Lost or stolen unencrypted computers are among the largest sources of breached health information.

In HIPAA-speak, encryption that follows HHS guidance is a “safe harbor”: PHI on a properly encrypted device whose key has not been compromised is not considered unsecured PHI, so losing that device is not a reportable breach. Full-disk encryption therefore shields your clients’ sensitive information from prying eyes and from identity thieves intent on making big money from stolen health records, and it is also evidence that you did not neglect your obligations. Two caveats: the protection only holds while the machine is powered off, or at least locked, and it is gone if the password or recovery key travels with the laptop.

The bottom line is that you are responsible for following the requirements of HIPAA. Do you know what they are? How are you handling your responsibilities? Are your employees properly trained and updated often?

Please share your comments in the section below.

Office for Civil Rights Launches Phase 2 of HIPAA Audit Program

On March 21, the Office for Civil Rights (OCR) announced the second phase of its mandated audit program. In the first phase, OCR primarily audited organizations that had reported a serious breach or against whom a complaint had been filed. In this second phase, OCR will proactively “review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.”

The first step in this process will be an email to covered entities and business associates requesting updated contact information. If there is no response, OCR will utilize publicly available information to create the pool for their audits.

If an entity does not respond to OCR’s request to verify its contact information or pre-audit questionnaire, OCR will use publicly available information about the entity to create its audit subject pool.  Therefore an entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.  Communications from OCR will be sent via email and may be incorrectly classified as spam.  If your entity’s spam filtering and virus protection are automatically enabled, we expect entities to check their junk or spam email folder for emails from OCR.

If you receive an email from OCR, it does not mean you will automatically be audited, but not responding to the email will not protect you from audit.

We have been writing about HIPAA since 2008, when I first started writing this blog. A search of our blog posts since then turned up 62 mentions of the Health Insurance Portability and Accountability Act. This is an important issue for all covered entities and their business associates. If you do not know what those terms mean, if you have no Privacy Practices or documented Security Procedures, it is time you get some. If you have not trained new staff about HIPAA, now is the time to do so.

Willful neglect of these requirements will get you in big trouble if you have a breach. Being a small provider of behavioral health services does not protect you. Perhaps it is time for you to review your Risk Assessment, Privacy Notice, Privacy Practices, and Security Procedures just in case you are selected for audit.

Please share your comments in the box below.

“Ransomware” and your computer

The article below has just been shared by Seth Krieger, Ph.D., President of Synergistic Office Solutions, Inc., with our User Group. I thought our blog readers might also be interested.

Many of you are aware that there has been an explosion of so-called “ransomware” malware infecting systems ranging from stand-alone home computers to hospital systems. Once you have been infected, this malware gets busy encrypting files on your drives — including shared network drives — and ultimately notifies you with a screen message that you will have to pay a ransom to regain access to those files.

Two people I know (one a family member, and one a close friend) who work in healthcare were recently infected through email attachments clicked by staff in their offices. Luckily, both were able to stop the infection from getting too far, and had good backups from which they were able to recover the files that had been encrypted.

As with most serious computer threats, these depend on the naiveté of computer users to start the ball rolling. At present there are two main vectors of infection. One is email attachments. Watch out for GIFs and supposed attached “invoices”, both of which are known delivery mechanisms for ransomware, and could even come from the email address of someone in your contact list.

The other vulnerability being exploited more and more frequently is delivery via Flash, Java, and Acrobat PDF extensions in web browsers. This type of malware is often delivered via web site ads that use these extensions. Your best bet is to disable these extensions, or at least set them to require your approval before running. Most web sites will work fine without them. At present, it appears that the most secure browser to be using is Google’s Chrome browser, which keeps itself up to date automatically, and prevents many attacks that other browsers may not.

SOS recommends that you also install a product called MalwareBytes, which is available in a basic, free version as well as a more rigorous paid version. It works alongside your anti-virus to extend the range of threats that can be detected and disarmed. (We have no business association with MalwareBytes except that we use their software.)

If you should suspect that you are infected with an active ransomware program, immediately disable all network connections to other computers to prevent the infection from spreading. Ultimately, however, full recovery will depend on whether or not you have current backups of files that were, or could be, encrypted.

In the past, backups were insurance against hardware failure, fire, theft, or accidental erasure. These are pretty rare events, so many computer users were less than diligent about backing up their computers and critical business data. Thanks to these ever-increasing malware attacks, the need for good backups is also increasing at the same rate. In addition, some of these infections are sophisticated enough to target backup files that can be located on USB drives and network shared resources, so off-line backups (removable media) are more essential than ever!

PLEASE prepare yourself:

  • Use a highly rated anti-virus product, as well as additional malware protection such as MalwareBytes. Make sure that it is set to update itself at least daily.
  • Be VERY careful about clicking email attachments. When in doubt, call the sender to be sure it is legit.
  • Disable Flash, Java, and Adobe PDF browser extensions. Consider using Chrome as your default browser.
  • Back up your entire system periodically, and your irreplaceable data every day, to media that is then disconnected from the potentially infectable computer. On-line backup solutions like Carbonite, Mozy and CrashPlan have their place, but unless you have super-fast internet, having a copy of your backup locally can get you back in business much faster than downloading backups from one of those services.

Be careful out there!

Seth Krieger, Ph.D.
President, Synergistic Office Solutions, Inc.
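A worked example of the backup advice in Dr. Krieger’s article, added here and not taken from the article or from SOS’s software: it builds a SHA-256 manifest of a data folder at backup time, re-checks the folder against that manifest later, and flags changed files whose bytes are near-random (close to 8 bits of entropy per byte), which is what ransomware output looks like and what an ordinary edit to a session note or ledger does not. The folder contents, the 7.5 bits/byte threshold and the simulated infection are constructed for the demonstration; it uses only the Python standard library.

```python
# Added example (not part of the SOS article): verify a data folder against a
# SHA-256 manifest taken at backup time and flag changed files that look
# encrypted. Standard library only; the sample files, the simulated infection
# and the 7.5 bits/byte threshold are constructed for the demonstration.
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List

# Random or encrypted bytes score close to 8.0 bits/byte; English text, CSV and
# most office documents score well below this (assumed threshold).
HIGH_ENTROPY = 7.5


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the byte-value distribution; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative, '/'-separated) to its SHA-256.
    Keep this manifest with the offline backup copy, not on the live machine."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Re-hash the folder and compare it with the manifest.

    Changed files are re-read and, if their content is near-random, also
    listed under 'likely_encrypted': the signature of ransomware output as
    opposed to an ordinary edit."""
    current = build_manifest(root)
    report: Dict[str, List[str]] = {
        "ok": [], "changed": [], "likely_encrypted": [], "missing": [], "new": []
    }
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] == digest:
            report["ok"].append(rel)
        else:
            report["changed"].append(rel)
            if shannon_entropy((root / rel).read_bytes()) >= HIGH_ENTROPY:
                report["likely_encrypted"].append(rel)
    report["new"] = [rel for rel in current if rel not in manifest]
    return {k: sorted(v) for k, v in report.items()}


def pseudo_ciphertext(size: int) -> bytes:
    """Deterministic stand-in for encrypted output (a SHA-256 counter stream)."""
    blocks = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                      for i in range(size // 32 + 1))
    return blocks[:size]


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: snapshot a small practice data set, then simulate
    an infection that encrypts one file and drops a ransom note, alongside a
    legitimate edit to another file."""
    with tempfile.TemporaryDirectory() as tmp:
        data = Path(tmp) / "data"
        (data / "notes").mkdir(parents=True)
        (data / "notes" / "session1.txt").write_text("Arrived on time; discussed sleep hygiene.\n" * 20)
        (data / "notes" / "session2.txt").write_text("Reviewed homework; mood improved.\n" * 20)
        (data / "ledger.csv").write_text("date,amount\n2016-03-01,120.00\n" * 50)
        manifest = build_manifest(data)  # taken at backup time

        (data / "notes" / "session1.txt").write_bytes(pseudo_ciphertext(8192))  # encrypted by malware
        with (data / "ledger.csv").open("a") as f:                                # normal edit
            f.write("2016-03-02,80.00\n")
        (data / "READ_ME.txt").write_text("Your files are encrypted. Pay to get them back.\n")
        return verify(data, manifest)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category:17s} {files}")
```

Keep the manifest on the offline media together with the backup, since an infection that reaches USB drives and network shares can just as easily replace a manifest stored on the live machine. Run the check against a backup copy before restoring from it, so you do not restore files that were already encrypted when that backup was taken.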