American College of Medical Practice Executives Professional Paper

EXPLORATORY

This paper is being submitted in partial fulfillment of the requirements of Fellowship in the American College of Medical Practice Executives.

Anna McGuigan Morse FACMPE

August 25th, 2018

Getting Your Practice into HIPAA Compliance

INTRODUCTION

"Integrity is doing the right thing, even if nobody is watching"

- Jim Stovall

Understanding the Health Insurance Portability and Accountability Act (HIPAA) and how the HIPAA rules are incorporated into a medical practice is essential. "Ignorantia legis neminem excusat is a legal principle holding that a person who is unaware of a law may not escape liability for violating the law merely because one was unaware of its content" (Campbell Black).

HIPAA was created to develop rules that protect the privacy and security of health care information. HIPAA comprises six major components: the Privacy Rule, the Security Rule, the Transactions Rule, the Identifiers Rule, the Enforcement Rule, and the Health Information Technology for Economic and Clinical Health (HITECH) Act. The laws of HIPAA are essential for the efficient management of a medical practice.

PURPOSE

This paper's purpose is to inform managers about the importance of HIPAA in a medical practice, and to encourage practices to have a compliance plan in place that ensures they abide by HIPAA laws. This exploratory paper focuses primarily on the Privacy Rule and the Security Rule, along with the importance of implementing their policies and procedures in a medical practice.

Research methodologies include an extensive literature search of reviewed journal articles, discussions with medical management, peer-reviewed articles from the Medical Group Management Association (MGMA) website and Connection magazine, and other online articles.

BACKGROUND

National standards to protect individuals' medical records and other health information are found in the Privacy Rule (45 CFR Parts 160 and 164). This rule establishes patients' rights. The most noted form needed in a practice is the Notice of Privacy Practices, which explains how a practice may use and disclose protected health information (PHI). Practices will also likely prepare pre-printed forms for patient record access, restrictions, disclosures, use, and privacy complaints.

The standards and procedures for electronic protected health information (ePHI) are found in the Security Rule, which covers administrative, physical and technical safeguards. It includes hardware, software, transmission security, data backup, a disaster recovery plan, and incident response.

HIPAA was initially created to develop rules protecting the privacy and security of health care information. Millions of dollars in fines are collected annually for failure to comply with HIPAA and, in some cases, criminal charges resulting in jail time can be brought against medical practitioners.[1] With knowledge of the HIPAA regulations, violations can be prevented by implementing policies and procedures that comply with them.

As technology develops at a rapid pace, the concern for security has increased just as rapidly. Providers routinely access clinical data from outside their practice, and many practices have incorporated e-prescribing into their daily operations. In addition, providers have exchanged paper charts for electronic medical records (EMR).

As more practices enter the technological age of health care, HIPAA guidelines have expanded to reflect these changes. Any health care provider that transmits health information electronically in connection with a standard transaction (a claim, for example) is a covered entity and therefore must comply with the rules and regulations of HIPAA, no matter the size of the practice.

Consequently, having a formal written compliance program is now federal law (Patient Protection and Affordable Care Act, 2010). A medical practice cannot overlook or be lax about HIPAA, nor can it be inconsistent in its enforcement.

HISTORY

Before HIPAA, originally known as the Kennedy-Kassebaum bill, rules and regulations lacked uniformity, varied by state and brought confusion because there was no standard authority for the enforcement of violations.[2] Now HIPAA is a succession of federal laws that all practices must adopt. Practices must focus on implementing good procedures to protect the confidentiality, integrity and availability of electronic protected health information and to protect patient privacy.

Prior to HIPAA, many providers were unsure how the rules and regulations applied to them or how compliance plans would function in their practices. Passwords for access to patient data were minimally protected or not protected at all, since many medical employees had a habit of forgetting passwords and simply posted them on their computers. Patient information was left on desks and even in examining rooms, with inconsistent protection of the patient's personal and medical information. Patient information was released to a consulting specialist or an organization without having the patient sign a medical release form granting permission to share it. Training was limited, with few reminders not to discuss patient information in public places.

As health care progressed with modern technology, e.g. electronic medical records, the need for laws about privacy and security became apparent. Congress recognized that with the increased use of electronic technology in the medical community came an increased risk of abuse, and that security and privacy parameters had to be established.

Although HIPAA was passed in 1996, it continues to be reviewed and updated, not only by Congress but also by the Secretary of the United States Department of Health and Human Services (HHS). HIPAA has encompassed the changes in society and the evolution of new technologies that are replacing paper medical records with electronic medical record systems.

PRESENT DAY HIPAA

The Privacy Rule

The Privacy Rule gives patients the right to oversee their health information and sets limits on who can look at and receive it. The Privacy Rule applies to all forms of protected health information, whether electronic, written or oral. It protects "individually identifiable health information" (45 CFR 160.103). These national standards are meant to protect individuals' medical records and other individually identifiable health information. The rule applies to health plans, health care clearinghouses and health care providers (collectively, covered entities), and to the business associates that work with them.

Privacy rules should not interfere with patient care or the operations of the practice. Consequently, patient information can be disclosed without authorization for treatment, payment, and health care operations (TPO). Apart from disclosures to a provider for treatment, information that is disclosed should be kept to the "minimum necessary" to accomplish the task.

When PHI is used for educational purposes with health care students, disclosure should be considered carefully so that the data remains de-identified. There are other instances where the disclosure of PHI does not require patient authorization, including physicians sharing information with specialty consultants, reports of child abuse and violent injuries, and legal proceedings when ordered by a court.[3]

The standards are set by federal law. However, state privacy laws sometimes differ from the federal rules. Where a state law is contrary to the Privacy Rule, it is "preempted by the federal requirements, which means that the federal requirements will apply" (HHS Office of the Secretary, Office for Civil Rights, "Summary"), unless the state law is more stringent, in which case the practice must satisfy the state requirement as well.

The Security Rule

The Security Rule requires security for health information which the practice creates, receives, maintains or transmits in electronic form (HHS Office of the Secretary, Office for Civil Rights, "The Security Rule"). The practice must protect against reasonably anticipated threats to the security or integrity of that information and guard against access by those who are not permitted or required to access it.

Practices may find the Security Rule difficult to handle solely in-house unless they have strong technical support and legal advisors. Simply stated, the Security Rule has three main groupings of safeguards: administrative, physical, and technical. Examples: an administrative safeguard is assigning employee access rights; a physical safeguard covers workstation placement and security; a technical safeguard is automatic logoff of idle computers.

All practices need a detailed breakdown of their operations to perform a risk analysis (often called a risk assessment), a detailed analysis of where ePHI is created, stored and transmitted in the practice and what threatens it. Perform a walk-through of the practice looking for potential risks and breaches. A disaster contingency plan is needed: what would the practice do in the case of a hurricane and subsequent power loss? What is the plan for backing up and storing data? Have a plan for re-using and recycling hardware, so that ePHI is wiped from equipment before it leaves the practice. Include encryption and decryption for electronic transmissions.[4] Encryption is worth extending to data at rest on laptops, portable drives and backup media as well: under HHS guidance, PHI that is encrypted to the HHS standard is not "unsecured" PHI, so the loss or theft of an encrypted device is not a reportable breach, whereas the loss of an unencrypted one is.

DEVELOPING A COMPLIANCE PLAN

Medical practices are required to develop and implement formal compliance policies that comply with their state and federal laws. There is no standardized compliance plan for a medical practice, due to the vast array of medical practices providing patient care, the resources available to each practice and the various types of medical care. No practice is exempt from compliance with HIPAA regulations, nor can it blame non-compliance on lack of training or understanding. The formal compliance plan protects patient care services and ensures that billing for medical services is based on documented services actually performed. It requires constant auditing of the practice's operations, adherence to government regulations, and training of employees, providers, and volunteers.

The compliance plan should be followed by the entire workforce of the practice, with no exclusions or special exemptions. Anyone on the practice's payroll, and every volunteer, trainee, member of the Board of Directors, student in the practice, business associate, or contractor, must adhere to the practice's compliance program. Unless an employee has a direct job-related reason to review a medical record, the employee has no reason to open it.

By having a formal compliance plan, the practice communicates to its staff and the medical community that it is meeting its legal obligations and is committed to conducting the practice ethically, with proper employee conduct. For practices large and small this is a huge challenge, as health care compliance is layered with both state and federal laws that change on a regular basis.

Many practices have a point person responsible for overseeing HIPAA compliance in the practice. Some practices divide the role, with one person overseeing patient privacy (the Privacy Rule) and another overseeing security (the Security Rule).

BUSINESS ASSOCIATE AGREEMENTS (BAA)

Another section of the compliance plan covers Business Associate Agreements (BAAs). The majority of medical practices use vendors or contractors to assist in the daily operations of the practice. Under HIPAA, persons outside the practice who use or have access to the practice's patients' PHI or ePHI in performing services, e.g. transcription, patient billing, cloud storage companies, attorneys, and computer management companies, are classified as business associates.

A discussion and on-going dialogue should be held with the business associate examining the parameters for disclosing PHI in both paper and electronic format. If business associates use subcontractors, the subcontractors must agree to the same standards as the business associates.

Termination of the business associate's contract includes termination of its provisions and mandatory return and/or destruction of PHI. "OIG has the authority to exclude individuals and entities from federally funded health care programs pursuant to section 1128 of the Social Security Act (Act) (and from Medicare and State health care programs under section 1156 of the Act) and maintains a list of current excluded individuals and entities called the List of Excluded Individuals/Entities (LEIE). Anyone who hires an individual or entity on the LEIE may be subject to civil monetary penalties" (oig.hhs.gov/exclusions/index.asp).

The list of business associates should be documented in the compliance plan, and the LEIE should be reviewed monthly by the Compliance Officer. A copy of the signed agreement, reviewed and stating what the business associate will do, should be included in the compliance plan. Best practice is to have legal counsel review the agreement before it is signed.

If the practice does not have a business associate agreement template, it can obtain a generic agreement from legal counsel. Templates are also available on many medical management and medical association websites, and HIPAA compliance companies on the internet offer BAAs. Wherever the template comes from, the Privacy and Security Rules still require a signed BAA to be in place before PHI is disclosed to the business associate. "OCR specifically reminded covered entities and business associates in October 2017 that using a cloud service provider to maintain PHI without entering into a BAA violates HIPAA rules and that cloud service arrangements need to be accounted for in risk analysis and risk management" (Driscoll, Hindmond, Simmons, 2018).

BREACHES AND VIOLATIONS

Failure to follow HIPAA laws, or being lax about HIPAA compliance, could result in violations and penalties of thousands to millions of dollars in fines, loss of license, loss of confidence from your patients, a tarnished reputation in the medical community resulting in decreased referrals, or even jail time.

The practice no longer needs to prove whether the data was actually compromised. Since the 2013 Omnibus Rule, an impermissible use or disclosure of PHI, such as data sent to the wrong person, a malware attack, or the loss or theft of an unencrypted device, is presumed to be a breach unless the practice can demonstrate, through a documented risk assessment, that there is a low probability that the PHI has been compromised.

Examples of Reportable Breaches and Documentation

If a patient's information is left in an employee's car, the car is stolen, and the employee fails to report the loss of the information to their superiors, this constitutes a breach.

On a larger scale, another HIPAA breach resulted in severe fines when more than 4 million medical records on backup tapes were jeopardized. The tapes were kept on four different laptops, which were reportedly stolen from the employee's car. As a result of the records leaving the employee's possession, a class action lawsuit was filed for $4.9 billion, $1,000 for each person affected (Vogel).

An isolated incident is a use or disclosure of protected health information that does not follow the practice's HIPAA policies and procedures. For example, if a patient's health information was faxed and the recipient was not the intended recipient, the recipient should follow the procedure printed in the disclaimer on the fax cover sheet.

The practice would document the incident in its established risk assessment log. The documentation should include the process, the response procedure, a timeframe of when the violation occurred (start/end), how and when it was discovered, the number of individuals affected, the type of breach (loss, theft, hacking, unauthorized access), and a review of why the incorrect fax number was used, i.e. preprogrammed incorrectly into the fax machine, physically misdialed, a number that is simply incorrect, or a number whose ownership has changed. The final log entry would note that the fax number was corrected and that the staff were informed of the error and retrained on the proper procedures for transmitting patient information.

"According to the National Health Care Anti-Fraud Association (NHCAA), health care fraud financial losses are in the tens of billions of dollars each year. In 2013, the US HHS and the Department of Justice received more than $4.3 billion in health care fraud and abuse" (Zabel, 2016).

REPORTING BREACHES AND VIOLATIONS

A covered entity must notify affected individuals and the Secretary of HHS if a breach of unsecured protected health information has occurred and, in certain circumstances, the media. The media must be notified if the breach affects more than 500 residents of a state or jurisdiction, by notice to prominent media outlets serving that state or jurisdiction. Notifications to the Secretary are submitted using the specified web portal (45 C.F.R. § 164.408).

The number of affected individuals is noteworthy, as the timeline for notifying HHS varies with it. "Notification of affected individuals greater than 500 to the HHS and in some cases the media for a breach of unsecured PHI; no later than 60 days following the discovery of a breach; less than 500 affected individuals submit to HHS annually for a HIPAA breach" (Centers for Medicare and Medicaid Services).

Affected individuals must be informed by first-class mail, or by e-mail if the individual has agreed to receive such notices electronically, whatever the size of the breach (HHS Office of the Secretary, Office for Civil Rights, "Breach").

Notification letters to affected individuals should include a brief description of what happened, the date of the breach and the date it was discovered, a description of the types of unsecured PHI involved (such as demographics, social security number, clinical or billing information), the steps individuals should take to protect themselves, and what the practice is doing to investigate, mitigate harm and avoid future incidents. The notification must include the Compliance Officer's contact information for any questions the recipient may wish to ask. The letter would also recommend notifying credit card companies and credit bureaus.

If the practice has insufficient or out-of-date contact information for fewer than 10 affected individuals, substitute notice may be given by an alternative written notice, by telephone, or by other means. If 10 or more individuals cannot be reached, substitute notice requires either a conspicuous posting on the home page of the practice's website for 90 days or conspicuous notice in major print or broadcast media where the affected individuals likely reside, and in either case a toll-free phone number, active for at least 90 days, where individuals can ask about the breach and learn whether they were part of it (HHS Office of the Secretary, Office for Civil Rights, "Breach").

As previously mentioned, the number of individuals involved in the breach determines the timeline for reporting to the Secretary. If 500 or more individuals are affected, the Secretary must be notified without unreasonable delay and no later than 60 calendar days after discovery, at the same time as the individual notices go out. If fewer than 500 individuals are affected, the breach can be logged and submitted annually via the web portal, no later than 60 days after the end of the calendar year in which it was discovered.
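As an added worked example (not part of the paper), the following Python turns the thresholds above into concrete deadlines. It assumes the PHI was unsecured (unencrypted) so that notification applies at all, that the discovery date is the first day the practice knew or reasonably should have known of the breach, and that the per-state head counts are constructed sample data. Note that the media test is applied per state, not to the total: a 700-person breach split 350/350 across two states triggers HHS notice with the individual letters but no media notice.

```python
from datetime import date, timedelta

# Figures from 45 CFR 164.404, 164.406 and 164.408 (the breach notification rule).
INDIVIDUAL_NOTICE_DAYS = 60     # individuals: without unreasonable delay, at most 60 calendar days after discovery
HHS_IMMEDIATE_THRESHOLD = 500   # 500 or more individuals: notify HHS together with the individual notices
MEDIA_RESIDENT_THRESHOLD = 500  # more than 500 residents of one state/jurisdiction: notify prominent media there
ANNUAL_LOG_GRACE_DAYS = 60      # fewer than 500: log it and report within 60 days after the end of the calendar year


def plan_notifications(discovered_iso: str, affected_by_state: dict) -> dict:
    """Compute who must be notified by when for a breach of unsecured PHI.

    discovered_iso: ISO date (YYYY-MM-DD) the practice knew, or should have known, of the breach.
    affected_by_state: {"NY": 620, ...} head count of affected residents per state/jurisdiction
    (constructed sample data in the usage below; a real run would take this from the breach log).
    """
    discovered = date.fromisoformat(discovered_iso)
    total = sum(affected_by_state.values())
    individual_deadline = discovered + timedelta(days=INDIVIDUAL_NOTICE_DAYS)

    if total >= HHS_IMMEDIATE_THRESHOLD:
        hhs_deadline, hhs_timing = individual_deadline, "with individual notices"
    else:
        # Small breaches go on the annual log: due 60 days after Dec 31 of the year of discovery.
        year_end = date(discovered.year, 12, 31)
        hhs_deadline, hhs_timing = year_end + timedelta(days=ANNUAL_LOG_GRACE_DAYS), "annual log"

    # Media notice is judged state by state, never on the combined total.
    media = sorted(s for s, n in affected_by_state.items() if n > MEDIA_RESIDENT_THRESHOLD)

    return {
        "total_affected": total,
        "individual_deadline": individual_deadline.isoformat(),
        "hhs_deadline": hhs_deadline.isoformat(),
        "hhs_timing": hhs_timing,
        "media_jurisdictions": media,
    }


def days_late(discovered_iso: str, notified_iso: str) -> int:
    """Days by which a notice missed the 60-day deadline (0 if it was on time)."""
    deadline = date.fromisoformat(discovered_iso) + timedelta(days=INDIVIDUAL_NOTICE_DAYS)
    return max(0, (date.fromisoformat(notified_iso) - deadline).days)


if __name__ == "__main__":
    # Constructed breach: 660 people, 620 of them in one state.
    print(plan_notifications("2018-03-05", {"NY": 620, "NJ": 40}))
    # Constructed small breach: annual log, due 2019-03-01.
    print(plan_notifications("2018-03-05", {"NY": 120}))
    # The discovery and OCR notification dates the paper quotes for the Presence Health settlement.
    print("days late:", days_late("2013-10-22", "2014-01-31"))
```

Running `days_late` on the Presence Health dates quoted further down in the paper shows the notice to OCR went out 41 days after the 60-day deadline.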

Prompt notification is extremely important; delaying a breach notification is itself a HIPAA violation. "Office for Civil Rights (OCR) pursued a case against Presence Health for unnecessarily delaying the issuance of breach notification letters. Presence Health became aware of the breach on October 22, 2013, yet OCR was notified only on January 31, 2014. Presence Health had to pay a settlement of $475,000" (OCR).

If the breach involves a Centers for Medicare and Medicaid Services (CMS) beneficiary's information, the Medicare Administrative Contractor (MAC) might also need to be notified.[5] The practice should check with legal counsel to determine who needs to be contacted. A CMS breach could involve someone other than the Medicare beneficiary using the beneficiary's Medicare card to obtain medical services, i.e. medical identity theft. Another example is the beneficiary's PHI being included on backup tapes that were brought home by a staff member, left in the car, and then stolen with the car.

Violations can occur in a medical practice of any size; the difference is usually the number of affected individuals and the scope of the violation. Depending on the size of the breach and on state law, notification might also have to go to the State Attorney General. The Compliance Officer would meet with legal counsel to review who should be notified.

Violations can come from in-house and outside sources. Outside sources put a practice at risk and make it the victim: malware (viruses, worms, spyware, Trojan horses, ransomware and other malicious software) and hacking can give an attacker access to a computer remotely without the knowledge or consent of the user.[6] In some cases practices have been given the option to pay a ransom. A ransomware infection that encrypts ePHI is treated by OCR as a presumed breach unless the practice can show a low probability that the PHI was compromised, so it belongs in the breach process whether or not the ransom is paid.

COMPLIANCE OFFICER(S)

Hiring and Credentials

Depending on the size and resources of the practice, e.g. small to mid-size, the Compliance Officer's responsibilities can be handled in-house or contracted out to a health care compliance attorney or a health care consultant. The officer must be familiar with HIPAA and health care compliance. Preferably, the officer will hold a certification such as Certified Professional Compliance Officer (CPCO).[7]

A practice should have at least one individual responsible for HIPAA regulations. The role can be handled by one compliance officer who oversees all compliance and performs an initial risk assessment followed by annual and periodic reassessments. However, the responsibilities are frequently divided into two roles, a Compliance Privacy Officer and a Compliance Security Officer, reporting to and under the direction of the senior partner or Chief Executive Officer (CEO). The Privacy Rule requires a designated privacy official and the Security Rule a designated security official; one person may hold both designations.

The Compliance Privacy Officer would oversee who has the right to view patient records and patient care information. The officer would streamline the handling of calls requesting patient information; ensure that the practice receives proper authorization releases before sharing data; train staff about patient information; and verify that the practice follows the Privacy Rule both inside and outside the walls of the practice. The officer would also introduce and oversee various types of audits for managing HIPAA operations within the practice, evaluating the effectiveness of procedures, internal controls, accuracy, and timely documentation and billing of patient services.

The Security Officer would focus on the safeguards for ePHI, ensuring that controls are in place so that records cannot be tampered with, viewed without authorization or stolen. The officer is responsible for the integrity of all software and hardware that contains PHI. The main responsibilities are the coordination, implementation and testing of security measures for the practice's computer network.

These responsibilities include security measures and technical solutions such as: a unique user identification for every workforce member, so that activity in the record system can be tracked to an individual, together with regular review of the audit logs that activity produces; automatic logoff of idle workstations; data encryption when sending patient information; firewalls, both hardware devices and software applications; remote data-wipe programs for lost or stolen devices; virus scanners; message authentication; digital signatures; privacy screen protectors; a Virtual Private Network (VPN), which creates an encrypted connection for remote access to data when working from a remote site; an emergency access procedure documenting how ePHI is reached during an emergency (electrical fire, flood, explosion); and a backup procedure and schedule protecting the practice's data for all operations within the practice, including a backup in the cloud if applicable.
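As an added example (my code, not the paper's), here is the kind of audit-log review that unique user IDs make possible, applying the paper's rule that an employee with no job-related reason has no reason to open a chart. The log format, the user names, the patient MRNs, the treatment-relationship table, the practice hours and the bulk threshold are all constructed for the example; a real review would read the EHR's own audit export and take the relationship table from scheduling and billing data.

```python
import csv
from collections import Counter, defaultdict
from datetime import datetime, time
from io import StringIO

# Constructed sample of an EHR access audit trail (not real data). Because every workforce
# member has a unique user ID, each row can be attributed to one person.
AUDIT_LOG = """timestamp,user_id,patient_mrn,action
2018-08-20T09:02:11,dr_patel,MRN1001,view
2018-08-20T09:05:40,ma_jones,MRN1001,view
2018-08-20T12:15:03,frontdesk_lee,MRN1001,view
2018-08-20T12:16:30,frontdesk_lee,MRN1002,view
2018-08-20T12:17:02,frontdesk_lee,MRN1003,view
2018-08-20T12:17:45,frontdesk_lee,MRN1004,view
2018-08-20T23:41:09,billing_kim,MRN1002,view
2018-08-21T10:30:00,dr_patel,MRN1002,view
"""

# Constructed job-related-reason table: which users had an encounter, a check-in or a billing
# task for which patient during the review window. In practice this comes from the scheduling
# and billing systems, not from a hand-written dictionary.
TREATMENT_RELATIONSHIPS = {
    "MRN1001": {"dr_patel", "ma_jones", "frontdesk_lee"},
    "MRN1002": {"dr_patel", "billing_kim"},
    "MRN1003": {"dr_patel"},
    "MRN1004": {"dr_patel"},
}

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed practice hours
BULK_THRESHOLD = 3                          # assumed: this many unrelated charts per user per day is suspicious


def parse_log(text):
    """Parse the CSV audit export into rows with a real datetime timestamp."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def review_access(text, relationships=TREATMENT_RELATIONSHIPS):
    """Return (finding_type, user, subject, when) tuples for accesses that need a follow-up."""
    findings = []
    unrelated_by_user_day = defaultdict(set)
    for row in parse_log(text):
        user, mrn, ts = row["user_id"], row["patient_mrn"], row["timestamp"]
        # No documented job-related reason to open this chart.
        if user not in relationships.get(mrn, set()):
            findings.append(("no_treatment_relationship", user, mrn, ts.isoformat()))
            unrelated_by_user_day[(user, ts.date())].add(mrn)
        # Access outside practice hours is not a violation by itself, but it warrants a look.
        if not BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]:
            findings.append(("after_hours_access", user, mrn, ts.isoformat()))
    # Many unrelated charts opened by one user in one day looks like browsing or bulk export.
    for (user, day), mrns in unrelated_by_user_day.items():
        if len(mrns) >= BULK_THRESHOLD:
            findings.append(("bulk_unrelated_access", user, f"{len(mrns)} charts", day.isoformat()))
    return findings


def summarize(findings):
    """Count findings by type, for the Security Officer's periodic audit report."""
    return dict(Counter(f[0] for f in findings))


if __name__ == "__main__":
    for finding in review_access(AUDIT_LOG):
        print(*finding)
    print(summarize(review_access(AUDIT_LOG)))
```

On the constructed log this flags the front-desk user for opening three charts with no check-in or encounter, rolls those three into one bulk finding for the day, and flags the billing user's late-night view of a chart they do have a billing reason for. Each finding is a prompt for the officer to ask the employee for the reason, not proof of a violation.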


The decision to have one compliance officer or to divide the position into two is usually based on the size and needs of the practice. Either arrangement works, as long as HIPAA regulations are overseen by an individual who has the knowledge and understands the consequences of noncompliance.

In a small office, a "seasoned" in-house staff member, often the office manager, could be the compliance officer in addition to their primary role. A provider may also accept the role of compliance officer. In a large organization, a high-ranking individual from within the organization could be appointed with the sole responsibility of being the compliance officer.

Another option is to conduct an outside search to hire an individual whose skills include HIPAA health care compliance knowledge as well as good people skills, since training and educating staff at all levels will be at the top of the job duties.

All compliance officers need a solid knowledge of computers, as health care is moving toward mobile devices, electronic medical records, cloud-based electronic health records and cloud-based storage. The officers must also promote a culture of compliance within the practice and act as a role model for the staff to follow. The compliance officer must obtain a commitment from senior management in order to have a successful compliance plan. The compliance officer would also develop a Compliance Committee, whose members would tailor the plan to the size of the practice, as no one size fits all.

A Committee

The Compliance Officer, as Committee Chair, promotes a culture of compliance by establishing a compliance committee. Based on the size of the practice, the members could vary and include senior leadership, the operations team manager, a member of the legal team, the human resources manager, the clinical manager, the patient revenue manager, and a member of the technical unit, to brainstorm the elements needed for an effective compliance program and to determine and evaluate the risks of noncompliance.

The compliance committee would also approve the policies for the compliance plan developed by the compliance officer and, as needed, revise existing policies to stay current with related regulations. Periodic scheduled discussions with committee members would include identifying the training tools necessary to educate and motivate the staff about compliance.

Staff Training

Once security and privacy policies are in place, the staff should be trained in proper HIPAA procedure during orientation. Some practices allocate time for discussion questions and answers during the employee’s annual review.

To keep the staff up to date on HIPAA compliance, the compliance officer can initiate a schedule of HIPAA compliance educational workshops and staff meetings. The practice could include privacy and security topics in newsletters and provide quizzes or simulations about compliance in the practice.

All employees must know and understand what constitutes PHI. No one should start work without HIPAA training. “Include the key elements of a HIPAA privacy Rule to include who is covered, what information is protected, and how Protected Health Information (PHI) can be used and disclosed” (HHS Office of the Secretary, Office for Civil Rights, and OCR “Summary”).

PHI includes the patient’s demographic information, social security number, full-face photos, medical record number, and documentation of any kind pertaining to the patient’s care, e.g. clinical, billing, correspondence, labs, radiology, prescriptions, and telephone intake messages.

Page 24: Getting Your Practice into HIPAA Compliance · no standardized compliance plan for a medical practice due to the vast array of medical practices providing patient care, the available

23  

Training Manual

The compliance training manual should include the key elements of the HIPAA Privacy Rule, “to include who is covered, what information is protected, and how Protected Health Information (PHI) can be used and disclosed” (HHS Office of the Secretary, Office for Civil Rights, and OCR “Summary”). The manual should contain what the staff needs to do to keep PHI secure as it relates to their position in the practice.

The main focus of the manual is to provide the staff with the steps needed for proper protection of individuals’ health information, both on paper and electronically. It should include information regarding internal controls, to ensure that information is handled securely and protected by the staff. When developing a HIPAA manual, many specialty medical and surgical societies have examples of HIPAA manuals for that specific field to use as a reference. State medical societies will have resources to assist practices in developing HIPAA manuals and in determining what is needed to be in compliance with HIPAA regulations. The practice’s mission statement would be included in the introduction of the HIPAA manual to set out the blueprint of the practice’s compliance plan.

For example, employees are advised to use a strong password that includes letters, both uppercase and lowercase, as well as numbers and symbols. Passwords should never include identifying information about the user. It should be noted that the officer will keep each employee’s name and password; passwords would be changed periodically throughout the year, with prior notice and a timeframe within which the password would need to be changed. The manual should include the importance and use of locked shredding containers to dispose of paper PHI.
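As an added illustration of the password rules just stated (example code written for this edit, not part of the paper), the following Python check rejects a candidate password that lacks any of the four character classes or that contains the user’s identifying details. The minimum length of 12 and the specific identifying fields checked (username, first and last name, birth year) are assumptions, since the paper does not list them.

```python
import re
from dataclasses import dataclass

MIN_LENGTH = 12  # assumed minimum; the paper states no length


@dataclass
class UserProfile:
    # Identifying details that must never appear in the password. Which
    # fields count is this example's assumption, not the paper's list.
    username: str
    first_name: str
    last_name: str
    birth_year: str = ""


# One pattern per character class the paper's policy requires
CHARACTER_CLASSES = {
    "an uppercase letter": re.compile(r"[A-Z]"),
    "a lowercase letter": re.compile(r"[a-z]"),
    "a number": re.compile(r"[0-9]"),
    "a symbol": re.compile(r"[^A-Za-z0-9]"),
}


def _normalize(text):
    """Lowercase and drop separators so 'J.Smith' still matches 'jsmith'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def password_problems(password, user):
    """Return every policy rule the password breaks; an empty list means OK."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for label, pattern in CHARACTER_CLASSES.items():
        if not pattern.search(password):
            problems.append(f"missing {label}")
    normalized = _normalize(password)
    for label, value in (("username", user.username), ("first name", user.first_name),
                         ("last name", user.last_name), ("birth year", user.birth_year)):
        token = _normalize(value)
        # Skip very short tokens (e.g. an empty birth year) to avoid false hits
        if len(token) >= 3 and token in normalized:
            problems.append(f"contains the user's {label}")
    return problems


if __name__ == "__main__":
    staff = UserProfile("jsmith", "Jane", "Smith", "1985")  # constructed sample user
    for candidate in ("Smith1985!", "wr3n-h0use#tulip", "Wr3n-h0use#Tulip"):
        print(candidate, "->", password_problems(candidate, staff) or "acceptable")
```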

A section of the manual should cover reporting an incident in a timely manner to the employee’s manager or to the compliance officer. HIPAA incidents can be reported in person, or anonymously through a 24/7 hotline handled by a third-party vendor, without fear of punishment. Many potential violations can be stopped from escalating further into a HIPAA violation or a fraud and abuse incident by timely reporting from the staff.

The manual should also include what is done when there is improper use of PHI or non-compliant behavior. For example, the range of action could include retraining, counseling, and disciplinary action (e.g. verbal or written warnings) up to and including immediate termination of employment. Civil or criminal penalties could also occur.

It should be noted that senior management recognizes that enforcement of HIPAA compliance is essential in a practice. No employee is exempted or excused from complying with the practice’s compliance manual. Those staff members who fail to be compliant will face consequences for their actions, as such behavior is not tolerated in the practice.

HIPAA Resources

Besides in-house HIPAA training materials, additional resources for HIPAA training may be obtained from the Office for Civil Rights (OCR), the Medical Group Management Association (MGMA), the State Attorney General, the Health Information Management Association (HIMA), the Centers for Medicare and Medicaid Services (CMS), the Office of the Inspector General (OIG), the Office of the National Coordinator for Health Information Technology (ONC), and the American Medical Association.

SUMMARY

HIPAA compliance starts with awareness and understanding. With an understanding of the various components of the law and their importance, violations can be prevented by developing a compliance plan sooner rather than later. HIPAA is frequently modified to reflect changes in modern technology. The federal laws require all practices to be in HIPAA compliance, which includes ongoing adherence to HIPAA. If state laws conflict with the federal standards, making it impossible to comply with both, the federal law preempts.

Most violations can be avoided by implementing policies and procedures to comply with HIPAA regulations. Practices should have a training program and a training manual that reflect the policies and procedures covering privacy, access, security, accountability, and reporting of breaches.

Practices must have a compliance officer – one who is knowledgeable about the law. If a violation or breach does occur, investigation, tracking, and timely reporting of the events are the responsibility of the HIPAA compliance officer. Staff training and education on HIPAA by the compliance officer is critical in today’s ever-changing climate. At staff training sessions, it should be highlighted that employees must never download anything from an email address they are not familiar with, and must report such an incident to their manager, IT, or the compliance officer in a timely manner.

As medical technology moves at a fast pace, the protection of medical and personal information from unauthorized access continues to be a major security risk. A practice must be diligent and include in its budget the proper allocation of funds for security. Unauthorized access, such as a ransomware attack or a computer virus, could not only cause grave concern but could also be very costly and disrupt not only the operations of the practice but also the care of its patients.

The medical practice can achieve the goal of being in compliance by developing its compliance plan and keeping it current. The providers should work diligently to meet this goal in a reasonable manner and continue to deliver the best care to their patients.


References

Campbell Black, Henry. “What Is IGNORANTIA LEGIS NON EXCUSAT? Definition of IGNORANTIA LEGIS NON EXCUSAT (Black's Law Dictionary).” The Law Dictionary, Black's Law Dictionary, 28 Mar. 2013, thelawdictionary.org/ignorantia-legis-non-excusat/.

Centers for Medicare and Medicaid Services. “HIPAA Basics for Providers: Privacy, Security, and Breach Notification Rules.” CMS.gov, Department of Health and Human Services, Aug. 2016, www.cms.gov/Outreach-and-Education/Medicare-Learning-Network-MLN/MLNProducts/Downloads/HIPAAPrivacyandSecurity.pdf.

Driscoll A, Hindmand JD, R, Simmons, H (2018). “HIPAA wake-up call.” MGMA Connection, 18(7), 29-31.

HHS Office of the Secretary, Office for Civil Rights, and OCR. “Breach Notification Rule.” HHS.gov, HHS.gov, 26 July 2013, www.hhs.gov/hipaa/for-professionals/breach-notification/index.html.

HHS Office of the Secretary, Office for Civil Rights, and OCR. “Privacy.” HHS.gov, HHS.gov, 16 Apr. 2015, www.hhs.gov/hipaa/for-professionals/privacy/index.html.

HHS Office of the Secretary, Office for Civil Rights, and OCR. “The Security Rule.” HHS.gov, HHS.gov, 12 May 2017, www.hhs.gov/hipaa/for-professionals/security/index.html.

HHS Office of the Secretary, Office for Civil Rights, and OCR. “Summary of the HIPAA Privacy Rule.” HHS.gov, HHS.gov, 26 July 2013, https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html.

OCR. “First HIPAA Enforcement Action for Lack of Timely Breach Notification Settles for $475,000.” EveryCRSReport.com, Congressional Research Service, 9 Jan. 2017, wayback.archive-it.org/3926/20170127111957/https://www.hhs.gov/about/news/2017/01/09/first-hipaa-enforcement-action-lack-timely-breach-notification-settles-475000.html.

Solove, Daniel. “BoK.” HIM Body of Knowledge, Journal of AHIMA, Apr. 2013, library.ahima.org/doc?oid.

Vogel, David. “Top 10 HIPAA Data Breaches of 2013.” Datapipe Blog, Datapipe Blog, 7 Jan. 2014, www.datapipe.com/blog/2014/01/07/top-hipaa-data-breaches-2013/.

Zabel, Laurie. “7 Elements for an Effective Health care Compliance Program.” Physicians Practice, Physicians Practice, 6 July 2016, www.physicianspractice.com/compliance/7-elements-effective-health care-compliance-program