Email fraud is a common tactic used by cyber criminals to hack into health care organizations and access patient data. Knowing how to recognize email fraud is important to reduce risk and possibly prevent a data breach.
This case involves a pain management specialist who was treating a patient for back pain. It illustrates how action or inaction on the part of the physician led to allegations of professional liability, and how risk management techniques may have either prevented the outcome or increased the physician’s defensibility. The case has been modified to protect the privacy of the physician and the patient.
As Texas enters its long mosquito season, and many people travel to places where Zika is active, the Texas Department of State Health Services (DSHS) has created a website where both the public and healthcare workers can access the latest Zika news and information.
The website also offers posters, fact sheets, flyers, and graphics designed to be shared on social media for healthcare professionals to post in their offices or distribute to patients, clients, and the public.
As of June 10, there are 41 reported cases of the Zika virus in Texas. Of those, 40 were travelers who were infected abroad and diagnosed after they returned home; one of those cases was a pregnant woman.
The DSHS encourages healthcare workers to follow good infection control and biosafety practices, including universal precautions, as appropriate to prevent or minimize the risk of transmission of infectious agents such as Zika.
CASE CLOSED: OVERPRESCRIBING PAIN MEDICATION
TMLT introduces a new presentation format for our popular closed claim studies, featured in Case Closed. In addition to the Reporter and our e-newsletter, we offer this convenient and easily accessible format for you to either view or download and share! Look forward to more Case Closed presentations coming soon.
TMLT offers four steps to help you prepare.
By Cathy Bryant, RN, CHPC, Senior Compliance and Risk Management Representative
In the last few days, TMLT has received a number of reports from policyholders who have received emails from the Department of Health and Human Services’ Office for Civil Rights (OCR) asking them to verify their contact information. In a recent national survey, approximately 60% of covered entities that answered “yes” to their contact information being correct then received a second email with the pre-screening questionnaire.
This has left many wondering if verifying your contact information to the OCR results in an audit. Not necessarily, but it will put you into the pool for a possible audit in 2016.
In a recent interview, Deven McGraw of the OCR stated that emails continue to go out to obtain an appropriate pool of covered entities to conduct the next round of audits.1 From this pool, 200-250 audits will be conducted, beginning first with covered entities and then progressing to business associates before the end of 2016.
McGraw urges covered entities to be prepared. If selected for a desk audit, a covered entity will have ten business days to respond with the documents requested. While a list detailing the requested documents for the desk audits is not currently available, two documents to be included in the audit are the organization’s comprehensive, enterprise-wide security risk assessment and an updated Individuals’ Right under HIPAA to Access their Health Information policy.
A comprehensive, enterprise-wide security risk assessment must assess your EHR and any area where protected health information resides in your office. Connected devices are often overlooked and can pose a significant vulnerability. McGraw said, “almost everything flows out of the Risk Analysis (aka Risk Assessment), so if you are leaving big pieces of your enterprise out of it, chances are you are going to be non-compliant.”
Are you ready? Here are four steps to help you prepare for a possible audit:
- Take TMLT’s RandomAudit_quiz_TMLT. If you cannot answer YES to these ten basic questions you may not be ready.
- Review your most recent risk assessment. Is it comprehensive? Does it address vulnerabilities across your organization? What have you done with the vulnerabilities identified in your risk management plan to mitigate the risk?
- Review your Individuals’ Right under HIPAA to Access their Health Information Policy. Is it consistent with recently updated guidance from the OCR, which includes information on charges for electronic copies of PHI? 2, 3, 4
- Review the OCR Audit Protocol.5 Use the protocol as a self-assessment. The 180-item review of HIPAA Privacy, Security and Breach Notification can be overwhelming. TMLT is available to provide consulting services to assist you with an assessment.6
Cathy Bryant is certified in Health Care Privacy Compliance and part of TMLT’s Product Development and Consulting Services team. Cathy can be reached at firstname.lastname@example.org.
1. OCR’s Deven McGraw On HIPAA Audit Preparation. Healthcare Info Security. Available at http://www.healthcareinfosecurity.com/interviews/ocrs-deven-mcgraw-on-hipaa-audit-preparation-i-3178. Accessed May 23, 2016.
2. Individuals’ Right under HIPAA to Access their Health Information. U.S. Department of Health and Human Services. Available at http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/. Accessed May 26, 2016.
3. Understanding Individuals’ Right under HIPAA to Access their Health Information. U.S. Department of Health and Human Services. Available at http://www.hhs.gov/blog/2016/01/07/understanding-individuals-right-under-hipaa-access-their.html. Accessed May 26, 2016.
4. New HIPAA guidance reiterates patients’ right to access health information and clarifies appropriate fees for copies. U.S. Department of Health and Human Services. Available at http://www.hhs.gov/blog/2016/02/25/new-hipaa-guidance-accessing-health-information-fees-copies.html. Accessed May 26, 2016.
5. Audit Protocol – Updated April 2016. U.S. Department of Health and Human Services. Available at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/. Accessed May 26, 2016.
6. TMLT Cyber Consulting Services. Texas Medical Liability Trust. Available at http://www.tmlt.org/tmlt/products-services/cyber-consulting-services.html. Accessed May 26, 2016.