If your practice isn’t HIPAA compliant, be prepared to pay outrageous OCR fines.

The rules for HIPAA compliance are managed by the Department of Health and Human Services, but they are enforced by the Office for Civil Rights (OCR). If you’re in violation of HIPAA, you may be one of the thousands investigated each year.

Between 2015 and now, the OCR has issued large scale fines to 28 businesses, totaling more than $40 million (and more than half of that came from one year alone).

2015: $6,193,000
2016: $23,504,800
2017: $17,093,200 (Results at the end of May)

This is a huge deal considering that we’re only halfway through 2017, but the accumulation of fines comes close to last year’s record-breaking amount. Even more concerning, these large scale settlements are only a fraction of the fines given each year. For a full list of HIPAA investigations (affecting 500 or more individuals), view OCR’s breach portal here.

You may be wondering how those numbers got so large from such a small sample of businesses; this is because not all penalties for HIPAA violations are equal. Each violation can range from $100 to $50,000, and each organization can be found with many violations. The penalty tier also depends on the degree of negligence, as the American Medical Association (AMA) clearly lays out here:

HIPAA Violation: Unknowing
  Minimum Penalty: $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation)
  Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million

HIPAA Violation: Reasonable Cause
  Minimum Penalty: $1,000 per violation, with an annual maximum of $100,000 for repeat violations
  Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million

HIPAA Violation: Willful neglect, but the violation is corrected within the required time period
  Minimum Penalty: $10,000 per violation, with an annual maximum of $250,000 for repeat violations
  Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million

HIPAA Violation: Willful neglect, and the violation is not corrected within the required time period
  Minimum Penalty: $50,000 per violation, with an annual maximum of $1.5 million
  Maximum Penalty: $50,000 per violation, with an annual maximum of $1.5 million


Most investigations begin because of theft or loss, but the top five issues in those investigated cases have been the same for over ten years:

  • Impermissible Uses & Disclosures
  • Safeguards
  • Administrative Safeguards
  • Access
  • Technical Safeguards

Don’t get on OCR’s breach list. Check with your internal practices and make sure any third party that has access to any PHI is secure as well. Also make sure you have a signed Business Associate Agreement with your vendors; not having one is an expensive HIPAA violation and the easiest to avoid.

Physical Therapists in These 10 States Need to See This

The Physical Therapy Licensure Compact introduced in 2014 has just met the requirements it needs to allow licensed PTs to provide care across these state boundaries.

These are the ten states currently in the compact:
– Oregon (The first state to join!)
– Arizona
– Kentucky
– Mississippi
– Missouri
– Montana
– North Dakota
– Tennessee
– Utah
– Washington

When this was first introduced, the Federation of State Boards of Physical Therapy (FSBPT) identified state boundaries, as well as differences in licensure and practice requirements, as barriers to accessing healthcare. What the PTLC does is open the doors between those state boundaries by removing those differences in requirements. As a result, qualified PTs and PTAs in the above states would gain “compact privileges” allowing them to practice in any or all of these participating compact states. All they have to do is manage the one license in their home state.

It’s important to note that patient safety and protection is still a main priority. Allowing providers to practice across state lines will not reduce the quality of care because the states signing the compact are working together and committing to the same set of standards for their PTs. The signing states should be aware of this and know that the compact agreements will supersede other conflicting statutes in the interest of patient protection.

The FSBPT also states that the potential positive impacts on public protection with increasing licensure portability include:

  • Increased patient access to qualified providers
  • Continuity of care for patients as they relocate or vacation
  • Enhanced disciplinary data and improved notification
  • Improved information sharing between jurisdictions

When more states sign the compact down the line, physical therapists in those locations could branch out their practice even more. Patients too would benefit because they’d have greater options in finding the best provider for them. With the practice of Telehealth growing, PTs can easily meet patients face-to-face with crystal clear quality, anywhere.

In the end, these ten states have made a huge breakthrough for physical therapy and it should be seen as a catalyst for other major areas of healthcare.

Texas Senate Bill Tackles Huge Telemedicine Hurdle

After a six-year conflict between the Texas Medical Board and Teladoc, Texas lawmakers just removed a state rule requiring providers to have a face-to-face consultation before providing telemedicine services. This changes the game for Texas residents in terms of which providers they can see and how they access healthcare.

[BACKGROUND]

In 2011, the Texas Medical Board sent a letter to Teladoc stating that certain practices had violated the agency’s rules about establishing “a proper professional relationship with the patient” and threatened disciplinary action. Teladoc sued, arguing that the letter overstated existing rules.

As part of the actions against Teladoc, the TMB had attempted to revoke the licenses of doctors working for the company and tried to bar them from providing services. A 2014 opinion from the Texas Court of Appeals, however, decided that the TMB’s claim was invalid and ruled in favor of Teladoc.

[2017]

Several years and lawsuits later, the Texas Senate has amended SB1107 to remove the requirement of face-to-face consultations if the provider has never seen the patient.

Section 111.004
[ (5)     require a face to face consultation between a patient and a physician providing a telemedicine medical service within a certain number of days following an initial telemedicine medical service only if the physician has never seen the patient].

This is a huge leap forward for Telemedicine in Texas as it enables providers in the state to use the technology more freely and closer to its potential by reaching more patients, especially in underserved areas. It’s important to note that while this piece of text is scrapped, it is on the condition that patients will continue to receive care that is on par with an in-person visit.

The House Passed the AHCA with a 217-213 vote, now what?

The Affordable Care Act that brought health coverage to millions of uninsured Americans is now being threatened by the GOP’s plan to Repeal & Replace. Under this new plan, our current law requiring insurers to accept all applicants (at the same rates regardless of pre-existing conditions) is being discussed for rollback while its replacement is being voted in; but that’s not all that’s being targeted.
Meet the AHCA (American Health Care Act) and some of its particularly notable sections.

(Sec. 101) Eliminates funding after FY2018 for the Prevention and Public Health Fund.
Among these prevention programs are Alzheimer’s, Diabetes, Heart Disease & Stroke and Immunizations. For the full list of programs, visit: https://www.hhs.gov/open/prevention/

(Sec. 103) Federal funds may be withheld from states for payments to family planning providers.
The one example given? Planned Parenthood. Funds should not be withheld from a state for supporting a non-profit that provides versatile care for women and men’s reproductive health.

(Sec. 112) Beginning 2020, the bill eliminates Medicaid services to adult enrollees made newly eligible for Medicaid by PPACA. It also eliminates the requirement to provide “essential health benefits”
(such as ambulatory patient services, emergency services, hospitalization, maternity and newborn care, mental health and substance use disorder services, prescription drugs, rehabilitative services, laboratory services, preventative and wellness services, and pediatric services). These are services that should remain covered by Medicaid.

(Sec. 113) Eliminates Medicaid Disproportionate Share Hospital. (DSH hospitals received additional payment for treating low-income patients.)
This bill would eliminate the additional funding hospitals get for treating low income patients, effectively incentivizing hospitals to ignore those who can’t pay.

(Sec. 114) Eliminates retroactive Medicaid coverage to applicants; state can also delay or deny coverage pending immigration status/verification of status – during which time they will not be covered.
If the verdict turned out that the applicant was eligible for Medicaid but required care while being verified, are they expected to hold off on receiving help until they’re officially and verifiably covered?

(Sec. 115) Gives additional federal funding to states that did not expand Medicaid coverage under the ACA. If said state later expands Medicaid under the ACA, they are ineligible for said funding.
Not only do hospitals not receive additional payment for serving those with low-income, the entire state will be ineligible for additional funding if the state expanded their Medicaid coverage. On top of this, why do states that didn’t expand their coverage receive even more money? Why are they getting paid for not helping their poorer residents get health insurance?

(Sec. 116) Medicaid eligibility subject to checks every 6 months, which requires additional funds. (“The bill temporarily increases by 5% the Federal Medical Assistance Percentage”).
Amidst all the cutbacks to preventative health, insurance coverage and hospital subsidies this bill proposes that we allocate funding towards repetitive checks to make sure citizens aren’t falsely eligible to be covered by Medicaid. The frequency of checks is mountainous.

(Sec. 133) Health insurers must increase premiums by 30% for one year for enrollees in the individual or small group market who had a break in coverage of more than 62 days in the previous year.
This sounds like penalizing one for not having health insurance; a familiar complaint, except now the application process is less forgiving (See Sec. 114).

(Sec. 205) Repeals the penalties for those not following the Individual Mandate of having minimum essential coverage (beginning after Dec 31, 2015).
They’ve removed the penalty on individuals for not having health insurance, but Sec. 133 shows that if they were uninsured for 62 days and then later want insurance, they’ll receive a year-long hike in premiums when they do eventually opt in.

(Sec. 206) Removes the Employer Mandate (effective after Dec 31, 2015).
By this section, large employers will not be required to offer minimum essential coverage to full-time employees and their dependents. (All the services listed in Sec. 112)

The takeaway is this: 217 Republican members of Congress decided that we can do without:
– Protection for those with pre-existing conditions.
– Medicaid program requirements to provide essential health services.
– Massive funds to preventative care.
– Health insurance for millions.

Release: require payment, session usage lookup, plan types

This article covers a number of updates that we released this past weekend.

Require Payment

Users can now set a payment requirement when scheduling a session, so that participants cannot enter the session without first making the payment.

To do so requires a little bit of setup:

  1. Connect a Stripe account.
  2. Set up an Account Service.
  3. Schedule a new session (and set payment requirement).

Session Usage Lookup

You are no longer required to be an Account Administrator to look up your own session usage on your account, though Account Administrators can continue to look up session usage for all users: How to look up Session Usage?

Change in Plan Types

SecureVideo now only offers two plan types: a free trial, or a fully-featured account which includes the ability to create multiple users. This allows us to provide more consistent features across our customers. Plans now only differ by pricing, or the use of add-ons such as Virtual Clinic or session recording.

New users are also billed differently: billing for users will now use average monthly hours and be pro-rated accordingly. (e.g., if User A is added for the first two weeks and then deleted, and User B is added for the last two weeks of the month, this averages to only 1 additional user for that month.)

For an overview of the account changes made, please see Zoom: How do I navigate my SecureVideo account?, or if you are using our VSee platform, VSee: How do I navigate my SecureVideo account?

Additional API Functionality

We have added or enhanced existing API commands to allow users to:

  • filter on account History by the User ID of the host, and/or email address of an attendee (see API – History)
  • filter on an account’s active sessions by the User ID of the host, and/or email address of an attendee (see API – Sessions)
  • retrieve information on recordings stored on the SecureVideo server (see API – Recordings)

What You Need in a HIPAA-Compliant Video Platform

Deciding on what to look for when starting a Telehealth solution may seem simple. All you need is video, right?

Wrong.

That’s why Skype, Facetime, and many other video solutions will never work.

High quality video is the most basic need in a video solution, but it’s definitely not the only one. It is as fundamental and obligatory as having a Business Associate Agreement for HIPAA compliance – and similarly, that’s not all you need.

24/7 Technical Support that’s based in the U.S.
Whether you provide mental or physical health services online, you’re going to run into the need for technical support. As a provider you need to make sure you’re able to flawlessly connect with your patients, but also have a backup in case something goes wrong. The issue may be due to someone’s internet, equipment, firewall, etc., but instead of fumbling around for a solution you need a trained technical staff to address and solve the issue for you.
Not many HIPAA-compliant vendors can or will offer these services to you, especially without a hiked-up fee, but SecureVideo does, 24 hours a day, 7 days a week. With us you’ll get your questions answered in minutes by professionally trained, U.S. based staff that’s incredibly easy to reach.

Options for customization
Some want a system that’s plain and simple and that may be all you need, but you still don’t want to be limited to that. You want a telehealth platform that works for you now and has the ability to grow with your business to support any changes that occur. The two most common needs for customization are usage frequency and features.

So ask yourself this about usage frequency: Will the video platform you choose allow you to start slow and at a reasonable price? Or will they expect you to pay no less than $200 just to give you a Business Associate Agreement (no matter how many sessions you’re using)? If they let you start slow and you need more sessions, do they offer you sensible price changes for the upgrade?

About features. You may not think you need the bells and whistles now, but one day you may and we’ll be ready for you. Here are all the complimentary features that come with any SecureVideo account: (but ask about our premium ones as well)

  • 24/7/365 U.S. Phone Support (mentioned earlier)
  • Group Calls (up to 50)
  • Branding
  • Encrypted Chat
  • Secure File Transfer
  • Recording (optional; locally stored)
  • Clinician Listing
  • Receive Patient Payment
  • Schedule on Behalf of Others
  • Scheduler-Only Role (no charge)
  • Virtual Waiting Room
  • Session Notes
  • E-Documents
  • Custom Links

For more specific customization needs (i.e. specialized workflows), contact us directly through [email protected]

Trumpcare | Where Does Telehealth Stand?

A lot can be said about the GOP’s plan to repeal the ACA, but what can we expect from these changes? And how does it affect Telehealth as we know it?

Image from Vocativ.

Prior to the election, Donald Trump had announced a 10-point plan to reform the VA. In his speech, he highlighted a need for more mental health professionals to ensure there would be no shortage of care for veterans. The end goal was for vets to have total access to mental healthcare and be covered both within and outside the VA.

Not only does he claim to support Mental Health, he has also stated the importance of modernizing how those needs are served. We’re talking Telehealth.

Taken directly from Donald Trump’s website addressing Veteran Affairs, he aims to:

“Modernize the VA. […] The Trump plan will make it happen by accelerating and expanding investments in state of the art technology to deliver best-in-class care quickly and effectively. All veterans should be able to conveniently schedule appointments, communicate with their doctors, and view accurate wait times with the push of a button.”

“Ensure our veterans get the care they need wherever and whenever they need it. No more long drives.”

“Support the whole veteran, not just their physical health care, but also by addressing their invisible wounds”

How Telehealth plays in:

In order to make good on these specific promises, the most practical and effective way is through the adoption and advancement of Telehealth and HIPAA compliant videoconferencing. Using the internet and a personal device (computer, laptop or phone) and the right videoconferencing system, veterans are able to view their provider’s availability online and choose a time without back and forth conversations. Once a time is chosen, the provider can accept and be connected in a virtual face-to-face visit. This is getting the care they need wherever and whenever, and this is the kind of modernized care we’re all looking for.

Telehealth stands to grow with any new changes the government makes regarding healthcare.

10 Companies That Lost Millions For These Avoidable HIPAA Violations

As Telehealth grows and becomes more relevant to healthcare, so too must the protections around it. Through Telehealth, medical providers are creating, storing, exchanging and deleting Electronic Protected Health Information (ePHI) all the time; but is this safe? Can video streams be tapped without their knowing? Is the information that’s stored online secure? Will PHI end up in the public view? HIPAA regulations have standards to prevent these, but are providers and their associates following them? Here’s what happened to 10 that didn’t.

(These 10 are not in any order and were chosen only to outline the various reasons and amounts for which one can be penalized)

1) $4.8 Million – New York-Presbyterian Hospital and Columbia University Medical Center
This was the largest HIPAA settlement at the time, although the OCR had been investigating large scale violations since before this incident in early 2014. The reason this case is so special is that it was a joint breach between NYP and CU caused by the actions of one CU physician. According to HHS’ report: “The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI.  Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines.” The sensitive health information of 6,800 people was released to the internet; this is definitely cause for a hefty fine. After a full investigation sparked by this incident, OCR found these other violations:

  1. Failure to conduct an accurate and thorough risk assessment
  2. (As a result ->) Missing risk management and contingency plans
  3. No implemented policies and procedures for authorizing access to its databases

2) $445,000 – Presence Health

A significantly smaller fine than the last but still not small, the U.S. Department of Health and Human Services has fined Presence Health for lack of a timely breach notification. (According to the HIPAA Breach Notification Rule, Covered Entities are to notify the affected individuals within 60 days of discovery.)

3) $2.14 Million – St. Joseph Health
A nonprofit yet large network, SJH was served a hefty fine along with a comprehensive corrective action plan. They were reported to have ePHI that was publicly accessible through internet search engines. Other violations include:

  1. Vulnerabilities to the PHI of 31,800 individuals
  2. Implementation of a new server without proper evaluation on environmental and operational changes
  3. While hiring a number of contractors to assess risk, as required by the HIPAA security rule, it was “conducted in a patchwork fashion and did not result in an enterprise-wide risk analysis”.

4) $2.75 Million – University of Mississippi Medical Center
While aware of the vulnerabilities in its system since 2005, UMMC did nothing, and an investigation was launched when approximately 10,000 individuals’ ePHI was breached via a stolen laptop. The laptop gave easy access to thousands of patient files. Other violations found include:

  1. Did not implement policies to prevent, detect, contain and correct security violations
  2. Lacked policies on physical safeguards (i.e: for workstations, restricting access to ePHI)
  3. Did not assign unique user identifiers to track and identify users in information systems
  4. Did not notify individuals of the breach

5) $1.7 Million – Alaska Department of Health and Social Services
This one was chosen to show that even a state health division must be careful to follow HIPAA regulations. There are no exceptions; if you are investigated by the OCR, you are not immune to penalty. In this incident, an unencrypted hard drive containing PHI was stolen from an employee’s car. This sparked an investigation which found the following violations:

  1. No risk assessment
  2. Did not implement security measures
  3. Neglected to have security training

6) $4.3 Million – Cignet Health Center
OCR had investigated Cignet for refusing 41 patient requests for their medical records, a violation that resulted in a $1.3 Million fine. This wasn’t the only one Cignet committed. They were also in violation for refusing OCR’s request for records and refusing to cooperate overall. (Fined $3 million for this)

7) $650,000 – Catholic Health Care Services of the Archdiocese of Philadelphia
Due to the theft of an employee’s mobile device containing PHI of nursing home residents, CHCS was fined over half a million dollars. The company is a provider to six nursing facilities but it had neglected to cover these HIPAA rules:

  1. Encrypt any ePHI that is created, received, maintained, etc.
  2. Conduct an enterprise-wide risk analysis
  3. Have a contingency plan
  4. Train staff on security measures

8) $750,000 – Raleigh Orthopedic Clinic, P.A. of North Carolina
This hefty fine was simply the result of not having a Business Associate Agreement (BAA). This is a section of HIPAA that many are finding they cannot disregard. Raleigh Orthopedic had disclosed the information of over 17,000 patients to a potential partner without signing a BAA / without protecting their patients’ information from misuse and improper disclosure. While it may seem easy to overlook, its consequences are no light matter.

9) $1.55M – North Memorial Health Care of Minnesota
Just to underscore the importance of a BAA, here is another fine issued by the OCR. This fine was particularly expensive because they had released the information of almost 300,000 patients. In the end they had overlooked two major cornerstones of HIPAA rules: a signed BAA and an enterprise-wide risk assessment.

10) $750,000 – University of Washington Medical
Because an employee opened an email containing malware, the ePHI of 90,000 individuals was compromised. In addition to this, the OCR fined them for not having procedures to prevent, detect, contain and correct such violations. With this relatively miniature fine (though not at all miniature on its own), they must now include a corrective plan with annual reports on their compliance efforts.


The Takeaway

The main reason to follow HIPAA regulations so closely is to protect our patients, clients and ourselves. Privacy and confidentiality in this day is increasingly cherished and we have to work to secure that. For those of you that need another reason, these penalty examples are for you. For those that are genuinely concerned, don’t worry; just take action. The theme in these incidents is repetitive and preventable:

  • Have a signed BAA with anyone handling your PHI
  • Guard your mobile devices and encrypt them
  • Implement security policies and procedures

Click here for more information on BAAs

Click here for summaries on the HIPAA Security Rule

Why More States Should Encourage Telemedicine in Schools

For some of the same reasons telemedicine is being welcomed into hospitals, prisons or private practices, we are finding that it’s also gaining popularity with schools. Moving past those general reasons why, here’s what makes telemedicine in schools particularly special:

Image from ArkansasOnline: Rural Arkansas schools to go telemedicine route

It keeps kids on campus and in classrooms!

Kids get scrapes, sniffles and sneezes as surely as the sun rises every day, and while many schools have an onsite nurse, only some nurses are permitted to independently administer medication. The difference in permission depends on licensure and state certification, which Registered Nurses (RNs) are given and Licensed Practical Nurses (LPNs) are not. This important detail factors into why Telemedicine in school matters.

(Quick difference between the two types of nurses)
RN: 2-4 year college degree and exam in the state they work. Allowed to perform various medical activities and make decisions about how and when to treat injuries or illnesses.
LPN: High school diploma, nursing program and exam for a license. Their actions must be supervised by an RN or doctor.

According to Deb Group, which specializes in occupational skin care and hand hygiene, there are 164 million lost school days per year among students in K-12. Missing school puts students at a disadvantage. Each day that a student misses school means 7.5 hours of catch-up in addition to the hours they already have. It’s burdensome and overwhelming, and we haven’t even considered that the day they missed may have been a test prep day.

So let’s consider the case of an asthmatic child enrolled in a school with LPNs. The child is wheezing and gasping for air and seeks the nurse for help. The LPN recognizes this as an asthma attack and has access to asthma medication; however, laws prevent the LPN from administering it. The child at this point can be in desperate need with the remedy readily available, but only a doctor or RN is permitted to provide medication.

In this time sensitive situation the LPN is only authorized to call an ambulance and/or the legal guardian and wait. By the time they finally arrive, the condition may have worsened causing the student to lose the rest of the day and maybe another for recovery.

How having Telemedicine helps

If the school had implemented telemedicine, the LPN could have contacted an offsite doctor or RN to show them the child and ask about the appropriate steps to take. Seeing the child, the doctor or RN would then be able to make a diagnosis and authorize the LPN to act on their behalf (while they supervise) and treat the child in-need right then. Telemedicine is not just beneficial to helping kids with asthma. A similar scenario could be played out if it were a stomachache, headache, earache, fever, strep throat – you name it.

This is not to say that secure video conferencing can end all mid-day visits to the family doctor’s office. Instead this should be seen as a frontline solution that can help treat kids right away – at school, and back in classrooms so they don’t fall behind.

Here are the states that already authorize Medicaid reimbursement for telemedicine services in schools. Does Medicaid offer reimbursements for telemedicine in your state?

The Telehealth Resource You Need

Image from Telehealth Resource Centers

If you’ve been looking for information on Telehealth (what it’s about, reimbursement details, legal information, implementation strategies, etc.), Telehealth Resource Centers can help. TRC is a great resource because it stays up to date and addresses several fundamental questions that arise with this new technology. Examples include:

  • “What is the recommended process for introducing Telemedicine at a remote site?”
  • “How should the local community be informed of available Telemedicine services?”
  • “How do I know if a pilot test has been successful?”
  • “What needs to be included in a protocol for a live, interactive session?”

And these are just a few of many questions that they provide solutions on. As you know, different states can have varying laws; TRC covers that too. To find your own Telehealth Resource Center check here.

They also go above and beyond by conducting free webinars and posting the slides and recordings in case you missed them. It is really an excellent resource on all things Telehealth.