
How healthy is your organization's HIPAA compliance?

04.10.18

Over the course of its day-to-day operations, a healthcare organization (and any vendor that serves one) acquires, stores, and transmits Protected Health Information (PHI): individually identifiable health information, which carries identifiers such as names, email addresses, phone numbers, account numbers, and Social Security numbers.

Yet the security of each organization’s PHI varies dramatically, as does its need for compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Organizations that meet the definition of a covered entity or business associate under HIPAA must comply with requirements to protect the privacy and security of health information.

Noncompliance can have devastating consequences for an organization, including:

  • Civil penalties, with fines ranging from $100 to $50,000 per violation, subject to an annual cap per provision violated
  • Criminal penalties, with fines of up to $50,000, $100,000, or $250,000 depending on intent (knowing misuse, false pretenses, or intent to sell or gain commercial advantage), plus up to ten years' imprisonment

All it takes is just one security or privacy breach. As breaches of all kinds continue to rise, this may be the perfect time to evaluate the health of your organization’s HIPAA compliance. To keep in compliance and minimize your risk of a breach, your organization should have:

  • An up-to-date and comprehensive HIPAA security and privacy plan
  • Comprehensive HIPAA training for employees
  • Staff who can recognize every category of PHI they handle
  • Encryption on the devices that store or transmit PHI, and strong password policies

HIPAA Health Check: A Thorough Diagnosis

If your organization doesn’t have these safeguards in place, it’s time to start preparing for the worst — and undergo a HIPAA health check.

Organizations need to understand what they have in place, and where they need to bolster their practice. Here are a variety of fact-finding methods and tools we recommend, including (but not limited to):

  • Risk analysis covering administrative, technical, and physical safeguards
  • Policy, procedure, and business documentation reviews
  • Staff surveys and interviews
  • IT audits and testing of data security

Once you have diagnosed your organization’s “as-is” status, you need to move your organization toward the “to-be” status — that is, toward HIPAA compliance — by:

  • Prioritizing your HIPAA security and privacy risks
  • Developing tactics to mitigate those risks
  • Providing tools and tactics for security and privacy breach prevention and minimization
  • Creating or updating policies, procedures, and business documents, including a HIPAA security and privacy plan

Because each organization is different, there are many factors to weigh as you go through these steps; customize your approach to your organization's HIPAA compliance needs.

The Road to Wellness

An ounce of prevention is worth a pound of cure. Don’t let a security or privacy breach jump-start the compliance process. Reach out to us for a HIPAA health check. Contact us if you have any questions on how to get your organization on the road to wellness.


The American Public Health Association annual conference’s thematic focus on preventing violence provided an illustration of the extent of the overwhelming demands on state public health agencies right now. Not only do you need to face the daily challenges of responding to the COVID-19 pandemic, you also need to address ongoing, complex issues like violence prevention.

The sheer breadth of sessions available at APHA shows the broad scope of public health’s reach and the need for multi-level, multi-sector interventions, all with a shrinking public health workforce. The conference’s sessions painted clear pictures of the critical public health issues our country currently faces, but did not showcase many solutions, perhaps leaving state health agency leaders wondering how to tackle these taxing demands coming from every direction with no end in sight.

BerryDunn has a suggestion: practice organizational self-care! It might seem antithetical to focus maxed-out resources on strengthening systems and infrastructure right now, but state public health agencies have little choice. You have to be healthy yourself in order to effectively protect the public’s health. Organizational health is driven by high-functioning systems, from disease surveillance and case investigation to performance management, and quality improvement to data-informed decision-making.  

State health agencies can use COVID-19 funding to support organizational self-care, prioritizing three areas: workforce, technology, and processes. Leveraging this funding to build organizational capacity can increase human resources, replace legacy data systems, and purchase equipment and supplies. 

  1. Funding new positions with COVID sources can create upward paths for existing staff as well as expand the workforce.
  2. Assessing the current functioning of public health data systems identifies and clarifies gaps that can be addressed by adopting new technology platforms, which can also be done with COVID funding.
  3. Examining the processes used for major functions like surveillance or case investigation can eliminate unproductive steps and introduce efficiencies. 

So what now? Where to start? BerryDunn brings expertise in process analysis and redesign, an accreditation readiness tool, and an approach to data systems planning and procurement―all of which are paths forward toward organizational self-care. 

  1. Process analysis and redesign can be applied to data systems or other areas of focus to prioritize incremental changes. Conduct process redesign on a broad or narrow scale to improve efficiency and effectiveness of your projects. 

  2. Accreditation readiness provides a lens to examine state health agency operations against best practices to focus development in areas with the most significant gaps. Evaluate gaps in your agency’s readiness for Public Health Accreditation Board (PHAB) review and track every piece of documentation needed to meet PHAB standards.
  3. Data system planning and procurement assistance incorporates process analysis to assess your current system functioning, define your desired future state, and address the gaps, and then find, source, and implement faster, more effective systems. 

Pursuing any of these three paths allows state health agency leaders to engage in organizational self-care in a realistic, productive manner so that the agency can meet the seemingly unceasing demands for public health action now and into the future.

Article
Three paths to organizational self-care for state public health agency survival

Truly effective preventive health interventions require starting early, as evidenced by the large body of research and the growing federal focus on the role of Medicaid in addressing Social Determinants of Health (SDoH) and Adverse Childhood Experiences (ACEs).

Focusing on early identification of SDoH and ACEs, CMS recently announced its Integrated Care for Kids (InCK) model and will release the related Notice of Funding Opportunity this fall.

CMS describes InCK as a child-centered approach that uses community-based service delivery and alternative payment models (APMs) to improve and expand early identification, prevention, and treatment of priority health concerns, including behavioral health issues. The model’s goals are to improve child health, reduce avoidable inpatient stays and out-of-home placement, and create sustainable APMs. Such APMs would align payment with care quality and support provider/payer accountability for improved child health outcomes by using care coordination, case management, and mobile crisis response and stabilization services.

State Medicaid agencies have many things to consider when evaluating this funding opportunity. Building on current efforts and innovations, building or leveraging strong partnerships with community organizations, incentivizing evidence-based interventions, and creating risk stratification of the target population are critical parts of the InCK model. Here are three additional areas to consider:

1. Data. States will need information for early identification of children in the target population. State agencies, such as housing, justice, child welfare, education, and public health, have this information, and external organizations (such as childcare, faith-based, and recreation groups) are also good sources of early identification. It is immensely complicated to access data from these disparate sources. State Medicaid agencies will be required to support local implementation by providing population-level data for the targeted geographic service area.

  • Data collection challenges include a lack of standardized measures for SDoH and ACEs, common data field definitions, or consistent approaches to data classification; security and privacy of protected health information; and IT development costs.
  • Data-sharing agreements with internal and external sources will be critical for state Medicaid agencies to develop, while remaining mindful of protected health information regulations.
  • Once data-sharing agreements are in place, these disparate data sources, with differing file structures and nomenclature, will require integration. The integrated data must then be able to identify and risk-stratify the target population.

For any evaluative approach or any APM to be effective, clear quality and outcome measures must be developed and adopted across all relevant partner organizations.

2. Eligibility. Reliable, integrated eligibility and enrollment systems are crucial points of identification and make it easier to connect to needed services.

  • Applicants for one benefit program should be screened for eligibility for all programs they may need to achieve positive health outcomes.
  • Any agency at which potential beneficiaries appear should also have enrollment capability, so it is easier to access services.

3. Payment models. State Medicaid agencies may cover case management services and/or targeted case management as well as health homes; leverage Early and Periodic Screening, Diagnostic, and Treatment (EPSDT) services; and modify managed care organization contract language to encourage, incent, and in some cases, require services related to the InCK model and SDoH. Value-based payment models, already under exploration in numerous states, include four basic approaches:

  • Pay for performance—provider payments are tied directly to specific quality or efficiency indicators, including health outcomes under the provider organization’s control. 
  • Shared savings/risk—some portion of the organization’s compensation depends on the managed care entity achieving cost savings for the targeted patient population, while realizing specific health outcomes or quality improvement.
  • Pay for success—payment is dependent upon achieving desired outcomes rather than underlying services.
  • Capitated or bundled payments—managed care entities pay an upfront per member per month lump sum payment to an organization for community care coordination activities and link that with fee-for-service reimbursement for delivering value-added services.

By focusing on upstream prevention, comprehensive service delivery, and alternative payment models, the InCK model is a promising vehicle to positively impact children’s health. Though its components require significant thought, strategy, coordination, and commitment from state Medicaid agencies and partners, there are early innovators providing helpful examples and entities with vast Section 1115 waiver development and Medicaid innovation experience available to assist.

As state Medicaid agencies develop and implement primary and secondary prevention, cost savings can be achieved while meaningful improvements are made in children’s lives.

Article
Three factors state medicaid agencies should consider when applying for InCK funding

Is your state Medicaid agency considering a Centers for Medicare and Medicaid Services (CMS) Section 1115 Waiver to fight the opioid epidemic in your state? States want the waiver because it provides flexibility to test different approaches to finance and deliver Medicaid services. The skyrocketing prevalence of substance use disorders nationwide calls for such flexibility and innovation to expand existing services for treatment and recovery. Although applying for an 1115 waiver can be daunting, here are some guidelines to help you succeed with implementation.

Be pragmatic
Be honest and pragmatic in planning discussions for the essential resources you need to have in place for a successful implementation. Ask yourselves who and how many people you need to involve to develop and execute each stage. Plan enough time to develop policies and agency protocols, make sure you have the right providers for your members, set provider rates, and then train the providers.

Ask hard questions
Once you identify key requirements to address first in your waiver, ask yourself what elements need to be in place to meet these requirements. Here are elements to consider and questions to answer:

  • Fee-for-service and managed care organization (MCO) rates — new services, such as adult residential treatment services aligned with care standards (e.g., American Society of Addiction Medicine (ASAM®) levels), may require changes to reimbursement rates. What needs to happen to develop new rates? What obstacles do you anticipate and how will you overcome them?
  • Care standards (e.g., ASAM® levels of care) and training your providers — consider what the levels mean given the range of providers in your state and the services your members receive. What is required to move to these standards? How will you work with providers to ensure adherence, including certification and training? What will this cost?
  • Policy changes — your state’s Medicaid agency will need to revamp and create policies to cover the service expansion and other changes. How will you complete all necessary policy and protocol changes early enough to inform MCO and provider actions?
  • MCO provider network adequacy — it’s worth investing the time in your application development to assess whether the MCOs serving Medicaid recipients in your state have the right mix of providers to ensure that you can fully implement the new service structure. How long should you give the MCOs for network expansion or recruitment?
  • MCO care coordination guidelines — each MCO will have its own approach. How are you going to ensure adherence to your waiver’s vision of care coordination?
  • Indicators — how will you evaluate the success of your program? How will you collect and analyze data? The earlier you determine how you will evaluate your program, the easier it will be to report on, and make improvements.

Get started
Applying for and implementing an SUD 1115 waiver is a complex and time-consuming process — but by dedicating the time up front to address the many details of time and resources, you’ll find implementation to be far smoother, and effective treatment and recovery services provided sooner for those who need it most. Our Medicaid team is here to help.

Article
Building a Strong Substance Use Disorder (SUD) 1115 waiver demonstration

Read this if your organization is subject to HIPAA regulations.

For over two decades, the HIPAA Security Rule has remained largely unchanged, aside from extending its scope beyond covered entities to include business associates. During this time, cybersecurity threats in the healthcare sector have grown significantly, and the US Department of Health and Human Services Office for Civil Rights (OCR) has gained extensive enforcement experience.

To address evolving threats and regulatory challenges, OCR has issued proposed modifications to the Security Rule, introducing stricter security controls, mandatory encryption requirements, and a shift away from “addressable” implementation specifications. While these changes aim to improve data security, they also introduce new compliance burdens that could be challenging for many regulated entities.

Key proposed changes to the HIPAA security rule

1. Greater specificity in security requirements

Historically, the HIPAA Security Rule provided flexibility by outlining broad security categories without mandating specific implementation measures. While this adaptability allowed organizations to tailor their security programs, it also created compliance ambiguities and enforcement challenges. The newly proposed rule introduces more detailed and prescriptive requirements, including:

  • Asset inventory and network mapping
    • Organizations must maintain a comprehensive inventory of technology assets, including identification, version, accountability, and location.
    • A network map illustrating the movement of ePHI across systems is required.
  • Risk analysis and patch management
    • Annual review and update of risk analysis and risk management plans.
    • Mandatory patching of critical risks within 15 days and high risks within 30 days.
  • Access control and workforce security
    • Termination of workforce access to ePHI within one hour of employment cessation.
    • 24-hour notification requirement when a workforce member loses access at another regulated entity.
    • New employees must complete security training within 30 days of system access.
  • Network security and monitoring
    • Mandatory network segmentation to prevent lateral movement in case of a breach.
    • Real-time system monitoring to detect unauthorized activity and alert workforce members.
  • Authentication and identity management
    • Mandatory multifactor authentication for system access and privilege changes.
    • Implementation of strong password policies aligned with industry standards.
  • Security testing and incident response
    • Penetration testing at least every 12 months and vulnerability scanning at least every six months to identify risks.
    • Establishment of a security incident response plan with annual testing.
  • Backup and disaster recovery enhancements
    • ePHI backups must occur at least every 48 hours (so that no more than 48 hours of ePHI can be lost), with a 72-hour recovery time for critical systems.
    • Monthly testing of data restoration processes.
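Several of the timelines above are concrete enough to check mechanically. The script below is an added example (it is not from the original article, nor from OCR or BerryDunn) that runs a constructed vulnerability-finding log and a constructed offboarding log against two of the windows summarized above: critical patches within 15 days and high within 30, and workforce access revoked within one hour of separation. Field names, finding identifiers, asset names, and people are placeholders I made up for the example.

```python
"""Check constructed finding and offboarding records against the patching and
access-termination windows the proposed Security Rule would set, as summarized
on this page. Added example; records and field names are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Windows as summarized above. Medium/low findings get no fixed window here.
PATCH_WINDOW = {"critical": timedelta(days=15), "high": timedelta(days=30)}
TERMINATION_WINDOW = timedelta(hours=1)


@dataclass
class Finding:
    asset: str
    finding_id: str            # placeholder id, not a real CVE
    severity: str              # "critical", "high", "medium", "low"
    detected: datetime
    remediated: Optional[datetime]  # None while still open


@dataclass
class Separation:
    user: str
    separated: datetime
    access_revoked: Optional[datetime]  # None while access is still active


def patch_breaches(findings: List[Finding], now: datetime) -> List[str]:
    """One message per finding closed after its deadline, or still open past it."""
    out = []
    for f in findings:
        window = PATCH_WINDOW.get(f.severity)
        if window is None:
            continue
        deadline = f.detected + window
        closed = f.remediated or now   # an open finding is measured against 'now'
        if closed > deadline:
            state = "open" if f.remediated is None else "closed late"
            out.append(f"{f.asset} {f.finding_id} ({f.severity}): {state}, "
                       f"{(closed - deadline).days} day(s) past {deadline:%Y-%m-%d}")
    return out


def termination_breaches(separations: List[Separation], now: datetime) -> List[str]:
    """One message per separation whose access outlived the one-hour window."""
    out = []
    for s in separations:
        deadline = s.separated + TERMINATION_WINDOW
        closed = s.access_revoked or now
        if closed > deadline:
            minutes_late = int((closed - deadline).total_seconds() // 60)
            state = "still active" if s.access_revoked is None else "revoked late"
            out.append(f"{s.user}: {state}, {minutes_late} min past deadline")
    return out


# Constructed sample records (not real assets, findings, or people).
NOW = datetime(2025, 3, 1, 12, 0)
FINDINGS = [
    Finding("db-01", "F-1", "critical", datetime(2025, 2, 1), datetime(2025, 2, 10)),
    Finding("web-02", "F-2", "critical", datetime(2025, 2, 1), None),
    Finding("app-03", "F-3", "high", datetime(2025, 1, 10), datetime(2025, 2, 15)),
    Finding("app-03", "F-4", "medium", datetime(2025, 1, 1), None),
]
SEPARATIONS = [
    Separation("alice", datetime(2025, 2, 28, 17, 0), datetime(2025, 2, 28, 17, 20)),
    Separation("bob", datetime(2025, 2, 28, 17, 0), datetime(2025, 2, 28, 19, 0)),
    Separation("carol", datetime(2025, 3, 1, 9, 0), None),
]


def audit(findings=FINDINGS, separations=SEPARATIONS, now=NOW) -> Dict[str, List[str]]:
    return {"patching": patch_breaches(findings, now),
            "termination": termination_breaches(separations, now)}


if __name__ == "__main__":
    for area, messages in audit().items():
        print(area)
        for m in messages:
            print("  ", m)
```

Open findings and still-active accounts are measured against the current time, so the report surfaces items that are about to become evidence of noncompliance as well as those already closed late; that is the distinction the proposal's emphasis on demonstrated implementation (section 4 below) turns on.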

2. Elimination of “addressable” implementation specifications

Under the current rule, certain security measures are designated as “addressable,” meaning that organizations can implement them based on reasonableness and appropriateness, or document why an alternative measure was chosen. The proposed rule eliminates this flexibility, making previously addressable requirements mandatory.

Encryption of ePHI at rest and in transit will be required in nearly all cases.

Limited exceptions apply only when:

  • A technology asset does not support encryption and the organization has a migration plan.
  • A patient explicitly requests unencrypted communication and acknowledges the risks.
  • Encryption is unavailable in an emergency situation.
  • The system is FDA-regulated and certain conditions apply.

This raises concerns about operational feasibility, as the rule does not explicitly allow common unencrypted communications such as text-based appointment reminders or patient notifications.

3. Expanded documentation and compliance verification

The proposal significantly expands compliance documentation, verification, and reporting obligations. Regulated entities would be required to:

  • Conduct annual security audits to verify compliance.
  • Obtain written security attestations from business associates every 12 months, including:
    • A cybersecurity expert’s written analysis confirming technical safeguards.
    • A certification verifying the accuracy of the analysis.
  • Review and test policies and procedures annually, including:
    • Patch management
    • Risk analysis updates
    • Workforce sanctions
    • Media disposal and reuse
    • Contingency plans

4. Stricter enforcement and compliance obligations

OCR is shifting toward greater enforcement accountability, making it clear that merely having a policy in place is no longer sufficient. The proposed rule would require regulated entities to:

  • Demonstrate that security measures are actively deployed and operational.
  • Ensure that implemented controls are continuously monitored and updated.
  • Regularly test compliance through internal audits and external verification.

This change was prompted in part by a court ruling (University of Texas M.D. Anderson Cancer Center v. HHS), which found that OCR’s enforcement authority was limited when entities had encryption mechanisms in place but were not consistently using them. The new rule seeks to close that gap by requiring proof of actual implementation and functionality.

Implementation timeline and potential regulatory outlook for proposed HIPAA Security Rule changes

Public comments were due by March 7, 2025. If finalized, organizations will have 240 days to comply (60 days after the final rule is published, plus an additional 180 days). Business associate agreements must be updated within one year of the final rule’s effective date.

With the recent change in administration, there is uncertainty about whether the rule will be finalized under the new administration. However, bipartisan consensus exists on the need for stronger healthcare cybersecurity. The Trump administration previously enforced the HIPAA Security Rule similarly to Democratic administrations. While Trump's general approach is deregulatory, this proposal may still advance due to the ongoing threat of healthcare data breaches.

Key areas for stakeholder feedback

With the March 7, 2025, deadline approaching, regulated entities should evaluate the potential impact of the proposed changes and consider submitting comments to OCR on:

  • Operational feasibility of annual policy reviews, audits, and compliance testing.
  • Burden of obtaining written security attestations from all business associates.
  • Additional exceptions for encryption mandates, particularly for patient-initiated communications.
  • Clarification on shared security responsibilities in cloud computing environments.
  • Refinement of the definition of “security incidents” to exclude unsuccessful breach attempts.

Next steps for regulated entities

Given the likelihood of increased enforcement, organizations should begin preparing now by:

  • Assessing current security practices against the proposed requirements.
  • Identifying gaps in encryption, risk analysis, and workforce training policies.
  • Reviewing business associate agreements for necessary updates.
  • Preparing for increased audit and verification obligations.
  • Engaging in industry advocacy to ensure feasible and practical implementation standards.

By proactively addressing these upcoming changes, regulated entities can position themselves for compliance while minimizing operational disruptions.

BerryDunn’s healthcare consulting team has the expertise your organization needs to ensure compliance with HIPAA. Learn more about our team and services.

Article
Proposed HIPAA Security Rule changes: Key considerations for regulated entities

Read this if you are an administrator, compliance officer, or health information management/medical records professional at a Medicare skilled nursing facility.

The Office for Civil Rights (OCR) at the US Department of Health and Human Services is responsible for ensuring patients’ rights to timely access to health records. Since the start of 2024, the OCR has issued two settlements with skilled nursing facilities (SNFs) under the OCR Right of Access Initiative. Both settlements were related to potential violations under the Health Insurance Portability and Accountability Act (HIPAA) Right of Access provision, which requires that individuals or their personal representatives have timely access to their health information.

As a HIPAA-covered entity, a SNF must provide access to the individual’s protected health information within 30 days of receiving a request from the patient or the patient’s personal representative, such as a guardian. In both recent SNF right of access cases, the OCR noted that access was not provided to the patients’ personal representative in a timely manner (161 days and 323 days, respectively). 

Both settlements, which were published on the OCR’s website, led to the imposition of significant civil money penalties (CMPs) against the SNFs. In one case, the OCR imposed a CMP of $100,000, which was not contested by the SNF. In the second case, the SNF challenged the imposition of a $75,000 CMP and agreed to a $35,000 settlement.

Other non-financial outcomes of an OCR Right of Access Settlement

In addition to the financial and reputational implications of an OCR Right of Access Settlement, a SNF must also undertake the following actions:

  • Revise and obtain the OCR’s approval of any noncompliant HIPAA policies and procedures (P&P) 
  • Provide the OCR with copies of all training materials that the SNF must use to train its workforce about the revised HIPAA P&P
  • Submit and obtain the OCR’s approval of the training plan outlining the topics to be covered, when the sessions will be held, and the names of the trainers
  • Send a signed attestation to the OCR documenting when the trainings have been completed

Remember

  • A patient or their personal representative may file a complaint directly with the Office for Civil Rights in writing, by email, by fax, or electronically via the OCR’s Complaint Portal
  • Subject to certain exceptions, the Privacy Rule at 45 CFR 164.502(g) requires covered entities to treat an individual’s personal representative as the individual with respect to uses and disclosures of the individual’s protected health information, as well as the individual’s rights under the rule. The personal representative “stands in the shoes” of the individual and can act for the individual and exercise the individual’s rights.

Actionable items to help ensure compliance with the Privacy Rule

  • Periodically (we suggest at least annually) check your SNF’s policies, procedures, and workflows that focus on access to medical records. We recommend you review:
    • Documentation of the turn-around times (TATs) for processing requests
    • The process for informing your patient or the patient's representative, in writing and within the initial 30-day period, if a request for records cannot be accommodated within 30 calendar days (only one extension may be made, for an additional 30 days)
    • That the correspondence template provides a written statement of the reasons for the delay and the date when the SNF will complete its action on the request
  • Confirm that your SNF's medical records access timelines comply with your state's requirements, as they may be more restrictive than the federal regulations. For example, California requires a 15-calendar-day turnaround time, while Texas requires action within 15 business days. Be aware that the OCR issued a Notice of Proposed Rulemaking on December 10, 2020, proposing that its current 30-day rule be decreased to 15 days. This change in federal rules has not yet gone into effect, but it is still expected, and your SNF should be prepared.
  • Maintain a log of medical records requests, including date received, person requesting, response due date, person responsible for completion of the request, and person assigned to review the record prior to release (such as Director of Nursing, Administrator) for completeness. 
  • We also recommend reviewing BerryDunn’s resource, Best Practices for Responding to Medical Record Requests in Healthcare Compliance Insights.
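The request log recommended above is only useful if it computes the governing due date correctly, including the one-extension rule and any shorter state window. The script below is an added example (not from the original article or from BerryDunn) that does that for a constructed request log. It applies the federal 30-calendar-day window, honours an extension only when the written notice went out inside the initial 30 days, and takes the earlier of the federal and state deadlines for the two state rules named above (California, 15 calendar days; Texas, 15 business days). The business-day count skips weekends only; holidays, the log layout, request identifiers, and dates are all assumptions.

```python
"""Due-date and overdue check for a constructed medical records request log,
applying the HIPAA 30-calendar-day window (one 30-day extension, only if the
written notice went out within the initial 30 days) and the stricter state
windows named on this page. Added example; layout and dates are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

FEDERAL_DAYS = 30
# State rules as described above; other states fall back to the federal window.
STATE_RULES = {"CA": ("calendar", 15), "TX": ("business", 15)}


def add_business_days(start: date, n: int) -> date:
    """Advance n weekdays from start. Holidays are not modelled (assumption)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


@dataclass
class Request:
    request_id: str
    state: str
    received: date
    extension_notice_sent: Optional[date] = None
    fulfilled: Optional[date] = None


def federal_deadline(req: Request) -> date:
    base = req.received + timedelta(days=FEDERAL_DAYS)
    # A notice sent after the initial window earns no extension.
    if req.extension_notice_sent is not None and req.extension_notice_sent <= base:
        return base + timedelta(days=FEDERAL_DAYS)
    return base


def state_deadline(req: Request) -> Optional[date]:
    rule = STATE_RULES.get(req.state)
    if rule is None:
        return None
    kind, n = rule
    if kind == "calendar":
        return req.received + timedelta(days=n)
    return add_business_days(req.received, n)


def effective_deadline(req: Request) -> date:
    """The earlier of the federal and state deadlines governs (state extensions not modelled)."""
    fed = federal_deadline(req)
    st = state_deadline(req)
    return fed if st is None else min(fed, st)


def status(req: Request, today: date) -> Tuple[str, int]:
    """(label, days past deadline); negative means days of margin remaining or used."""
    deadline = effective_deadline(req)
    done = req.fulfilled or today
    days_over = (done - deadline).days
    if req.fulfilled is None:
        return ("OVERDUE" if days_over > 0 else "OPEN", days_over)
    return ("LATE" if days_over > 0 else "ON TIME", days_over)


def review_log(requests: List[Request], today: date) -> Dict[str, Tuple[str, int]]:
    return {r.request_id: status(r, today) for r in requests}


# Constructed log. R-6 mirrors a 161-day turnaround like the case cited above,
# but the dates are invented.
TODAY = date(2024, 3, 20)
REQUESTS = [
    Request("R-1", "ME", date(2024, 1, 2), fulfilled=date(2024, 1, 25)),
    Request("R-2", "ME", date(2024, 1, 2), extension_notice_sent=date(2024, 1, 20),
            fulfilled=date(2024, 2, 28)),
    Request("R-3", "ME", date(2024, 1, 2), extension_notice_sent=date(2024, 2, 10),
            fulfilled=date(2024, 2, 28)),
    Request("R-4", "CA", date(2024, 3, 1)),
    Request("R-5", "TX", date(2024, 3, 1)),
    Request("R-6", "ME", date(2023, 6, 1), fulfilled=date(2023, 11, 9)),
]

if __name__ == "__main__":
    for rid, (label, days) in review_log(REQUESTS, TODAY).items():
        print(f"{rid}: {label} ({days:+d} days vs deadline {effective_deadline(next(r for r in REQUESTS if r.request_id == rid))})")
```

R-3 shows the trap the extension rule sets: the notice went out nine days after the initial window closed, so the request is measured against the original 30-day deadline and is 27 days late even though an extension was "sent".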

Need help assessing your SNF’s HIPAA program? BerryDunn can help.

BerryDunn’s SNF operations, compliance, and HIPAA privacy experts can answer your questions and provide an external review of policies, procedures, workflows, and training tools. Please contact Trisha Lee, Robyn Hoffmann, or Olga Gross-Balzano

Resources

https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html 
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html#newlyreleasedfaqs 
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html#maximumflatfee 
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/personal-representatives/index.html
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/hackensack-meridian-health-west-caldwell-care-center/index.html#nfd 
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/phoenix-healthcare/index.html

Article
SNFs and HIPAA Right of Access: Understand the requirements and avoid costly penalties

“Tell me and I forget. Teach me and I remember. Involve me and I learn.” — Benjamin Franklin

Investing in your staff is key to any successful organization. Having the wherewithal to train a group of people, some willing and some unwilling, can be a daunting task. Yet, no matter how difficult to manage or how time-consuming training is, it is an essential part of both a successful EHR go-live and maintenance of a system. No matter how technologically advanced the new EHR system may be, if an organization slacks on the training, it will never see the full return on investment of the cost of the system.

From years of implementation experience, I have compiled the five best practice methods to enable an organization to reach its maximal return on investment and user satisfaction with an EHR system.

EHR superuser training

A superuser doesn't need to be the most technically savvy user, but they need to be teachable and able to transfer that learned knowledge to the other staff. These users should be the first to experience a new system. Oftentimes, some of these staff members will have been involved in the selection process. They are the organization's first-line users and defenders of the new EHR functionality, and the ones that others turn to when they need help. Therefore, they are called super. For best results, there should be, at minimum, one superuser per specialty per every 15 users. At the time of go-live, these superusers need to be relieved of all their routine duties and focus on assisting the staff with the EHR adoption during the go-live dates.

EHR User Acceptance Testing (UAT)

It may say testing, but this is also a training method, and it should involve those already trained as superusers. UAT is time utilized as a field training exercise for your newly trained and specialty experienced superusers to test the system for proper process workflow in all fields of expertise. A testing script should be utilized for each process workflow and there should be room on that script for comments from the testers on improvements that need to be made prior to staff training. Each moment the superusers work on the testing scripts is a training exercise in navigating the system and making them comfortable with teaching their peers at the next venture.

EHR End User Training (EUT): The see, touch, and repeat approach

Training can be performed in many forms. As an organization, a decision on which format of training works best must be decided upon and then kept consistent. Methods of training could be in person, virtual, or online. The key to successful training, no matter which plan an organization chooses, is to involve the "see, touch, and repeat" approach to learning. Trainees should see the system in action, touch the keyboards or tablets and follow along with the instructor or through a written scenario, and repeat the processes multiple times at their own leisure in a testing environment. Implementing this method allows all generations of users in the organization to be properly trained on the new EHR.

In-person classes should:

  • Be separated by specialty or process
  • Use manageable group sizes (one user per computer)
  • Include a brief overview of the EHR
  • Include a demonstration of the process workflow in action
  • Be followed by the user repeating the process on their own device

If there are more than two hours of content to train on, the recommendation is to divide the training into smaller durations to maximize the effects of learning.

Virtual classes involve an instructor performing the same steps as in-person training, but the end user attends from their office or a designated learning area. These sessions can be pre-recorded so that EUT can take place at the time the user is best able to give the training their full attention. In these instances, logins to the testing/training site need to be distributed in a separate communication, and each login should be assigned to a single user, so that many end users training at the same time do not run into locked accounts. A trainer needs to be available for questions if this approach is used.

Online classes involve pre-recorded demonstrations that are included with process workflow scenarios. In these, the end user goes to a training site and watches sections of demonstrations one at a time. At the end of each section, the user may rewatch the online demonstration as many times as they need to, but there must be a self-paced scenario that the user follows along to perform the touch and repeat portion of the learning. Additionally, there needs to be contact information for a trainer should there be issues or questions. Many organizations utilizing this method of training allow the end user access to these training videos for refreshers once the EHR implementation has occurred.

EHR Just In Time (JIT) and At the Elbow (ATE) training

JIT/ATE training is essential during and after go-live. Once an organization implements the EHR, there will always be someone who did not complete the training. That is where the superusers step in and train these individuals in their time of need. These short, microburst JIT trainings may involve a superuser hovering nearby as a new user navigates a piece of documentation for the very first time. ATE training involves a superuser reaching out to a user who has had training but may have forgotten the steps needed to complete the documentation. These are the times when the superusers show how super they are.

After the EHR is implemented and the superusers resume their normal duties, there will still be a need for JIT/ATE training, and their expertise will be sought after by their peers, further supporting a successful adoption of the EHR. In addition to the superusers, if available, a dedicated informatics employee should round frequently, looking for those who may be struggling with EHR documentation processes and workflows, and providing JIT/ATE training when such cases are discovered.

EHR training refreshers and audits

“There are no shortcuts to any place worth going.” – Beverly Sills

This final stage of training is continuous. Once you have an EHR, there will always be a need for training. No matter how successful your training may have been, habits and shortcuts to documenting in an EHR are bound to occur, and then spread throughout the organization. For the most part, these shortcuts result in mis-documentation; audits must be performed to determine how detrimental to proper documentation they are. Once the issues have been identified, the organization must determine how to correct the issue. Sometimes this involves going directly to the end user whose documentation is at subpar levels and performing JIT/ATE training. If it is widespread, a refresher course for all end users may be required to correct the issues. Sometimes a communication of corrective action may work in substitution for JIT/ATE training.

“Don’t decrease the goal. Increase the effort.” — Tom Coleman

Regardless of the effort, all end users should have a contact to reach out to for assistance after the EHR go-live and the ability to access a training site as needed. New-hire training sessions on documentation should continue on an ongoing basis.

BerryDunn’s team of consultants is happy to assist you with creating a Request for Proposal, selecting the right EHR vendor for your organization, developing communication, change management, training plans, and project management for the system implementation.

Article
Training: The key to a successful EHR go-live

Read this if your organization has to comply with HIPAA.

We have been monitoring HHS Office for Civil Rights (OCR) settlements as part of the HIPAA Right of Access Initiative (16 settlements and counting) and want to dispel some myths about HIPAA enforcement. Myths can be scary. It would be pretty frightening to run into Bigfoot while taking a stroll through the woods, but sometimes myths have the opposite effect, and we become complacent, thinking Bigfoot will never sneak up behind us. He’s just a myth, right?

As we offer our top five HIPAA myths, we invite you to decide whether to address gaps in compliance now, or wait until you are in the middle of the woods, facing Bigfoot, and wondering what to do next.

Myth #1: OCR doesn’t target organizations like mine.

The prevailing wisdom has been that the Office for Civil Rights only pursues settlements with large organizations. As we review the types of organizations that have been targeted in the recent past, we find that they include social services/behavioral health organizations, more than one primary care practice, a psychiatric medical group practice, and a few hospital/health systems. With settlements ranging from $10,000 to $200,000 plus up to two years of monitoring by the OCR, can you really afford to take a chance?

Myth #2: I have privacy policies, procedures, and training protocols documented, so I’m all set if OCR comes calling.

Are you really all set? When did you last review your policies and procedures? Are you sure what your staff actually does is HIPAA compliant? If you don’t regularly review your policies and procedures and train your staff, can you really say you’re all set?

Myth #3: HIPAA gives me 30 days to respond to a patient request, so it’s ok to wait to respond.

Did you try to ship a package during the 2020 holiday season? If so, do you remember checking your tracking number daily to see if your gift was any closer to its destination? Now imagine it was your health records you were waiting for. Frustration builds, goodwill wanes, and you start looking for a higher authority to get involved. 

And beware: if proposed Privacy Rule changes to HIPAA are finalized, the period of time covered entities will have to fulfill patient requests will be reduced from 30 to 15 days.

Myth #4: If I ignore the problem, it will go away.

Right of Access settlement #10 dispels this myth: A medical group was approached by OCR to resolve a complaint in March 2019. Then again in April 2019. This issue was not resolved until October 2020. Now, in addition to a monetary settlement, the group’s Corrective Action Plan (CAP) will be monitored by the OCR for two years. That’s a lot of time, energy, and money that could have been better spent if they worked to resolve the complaint quickly.

Myth #5: OCR will give me a “get out of jail free” card during the pandemic.

As one of our co-workers said, “Just because they are looking aside does not mean they are looking away.” The most recent settlement we have seen to OCR’s Right of Access Initiative was announced February 10, 2021, showing that the initiative is still a priority despite the pandemic.

Are you ready to assess or improve your compliance with HIPAA Right of Access rules now? Contact me and I will help you keep OCR settlements at bay. 

Article
Debunking the myths of HIPAA: Five steps to better compliance

Read this if you are at a rural health clinic or are considering developing one.

Section 130 of H.R. 133, the Consolidated Appropriations Act of 2021 (Covid Relief Package) has become law. The law includes the most comprehensive reforms of the Medicare RHC payment methodology since the mid-1990s. Aimed at providing a payment increase to capped RHCs (freestanding and provider-based RHCs attached to hospitals greater than 50 beds), the provisions will simultaneously narrow the payment gap between capped and non-capped RHCs.

This will not achieve full “site neutrality” in payment, a goal of CMS and the Trump administration, but the new provisions will maintain budget neutrality, with savings derived from previously uncapped RHCs funding the increase to capped providers and other Medicare payment mechanisms.

Highlights of the Section 130 provision:

  • The limit paid to freestanding RHCs and those attached to hospitals greater than 50 beds will increase to $100 beginning April 1, 2021 and escalate to $190 by 2028.
  • Any RHC, both freestanding and provider-based, will be deemed “new” if certified after 12/31/19 and subject to the new per-visit cap.
  • Grandfathering would be in place for uncapped provider-based RHCs in existence as of 12/31/19. These providers would receive their current All-Inclusive Rate (AIR) adjusted annually for MEI (Medicare Economic Index) or their actual costs for the year.

If you have any questions about your specific situation, please contact us. We’re here to help.

Article
Section 130 Rural Health Clinic (RHC) modernization: Highlights

Who has the time or resources to keep tabs on everything that everyone in an organization does? No one. Therefore, you naturally need to trust (at least on a certain level) the actions and motives of various personnel. At the top of your “trust level” are privileged users—such as system and network administrators and developers—who keep vital systems, applications, and hardware up and running. Yet, according to the 2019 Centrify Privileged Access Management in the Modern Threatscape survey, 74% of data breaches occurred using privileged accounts. The survey also revealed that of the organizations responding:

  • 52% do not use password vaulting—password vaulting can help privileged users keep track of long, complex passwords for multiple accounts in an encrypted storage vault.
  • 65% still share the use of root and other privileged accounts—when root privileges are required, users should run individual commands with the privileges of that account through sudo rather than logging in as root. sudo records the invoking user, the target account, and the command, so “who” used the account can be tracked.
  • Only 21% have implemented multi-factor authentication—the obvious benefit of multi-factor authentication is to enhance the security of authenticating users, but also in many sectors it is becoming a compliance requirement.
  • Only 47% have implemented complete auditing and monitoring—thorough auditing and monitoring is vital to securing privileged accounts.

So how does one even begin to trust privileged accounts in today’s environment? 

1. Start with an inventory

To best manage and monitor your privileged accounts, start by finding and cataloguing all assets (servers, applications, databases, network devices, etc.) within the organization. This will be beneficial in all areas of information security, such as asset management, change control, and software inventory tracking. Next, inventory all users of each asset and ensure that privileged user accounts:

  • Are granted privileges based on roles and responsibilities
  • Require strong and complex passwords (exceeding those of normal users)
  • Have passwords that expire often (30 days is the recommendation here; note that NIST SP 800-63B no longer calls for rotation on a fixed schedule, so if you keep a rotation policy, let the password vault perform the rotation rather than relying on administrators to do it by hand)
  • Use multi-factor authentication
  • Are not shared with others and are not used for normal activity (the user of the privileged account should have a separate account for non-privileged or non-administrative activities)

If the account is only required for a service or application, disable the account’s ability to log in from the server console and from across the network (for example, by giving it a non-interactive shell and locking its password).
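The inventory rules above can be checked mechanically on each host. The following is an added example, not tooling from the article: it reads Linux-style /etc/passwd and /etc/group content and reports service accounts that still have an interactive shell or sit in an admin group, extra uid-0 accounts (root under another name, which cannot be attributed to a person), and admin accounts whose owner has no separate non-privileged account. The service-account list, the admin group names, the "<user>-adm" naming convention used to pair admin accounts with everyday ones, and the sample account data are all assumptions constructed for the example.

```python
"""Audit local accounts against the privileged-account rules from step 1.

Added example (not the article's own code). Assumes Linux-style /etc/passwd and
/etc/group layouts and the naming convention that the admin account for "alice"
is called "alice-adm"; adjust both for your environment.
"""

# Shells that allow an interactive login; service accounts should not have one.
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/bash", "/usr/bin/zsh"}
# Groups whose members get sudo (assumption: the distro's default admin groups).
ADMIN_GROUPS = {"sudo", "wheel"}
# Suffix that marks a person's separate administrative account (assumption).
ADMIN_SUFFIX = "-adm"


def parse_passwd(text):
    """Return {name: (uid, shell)} from /etc/passwd content."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry; skip rather than guess
        name, _, uid, _, _, _, shell = fields
        users[name] = (int(uid), shell)
    return users


def parse_group(text):
    """Return {group: set(members)} from /etc/group content."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue
        name, _, _, members = fields
        groups[name] = {m for m in members.split(",") if m}
    return groups


def audit(passwd_text, group_text, service_accounts):
    """Return a list of (account, problem) tuples; an empty list means the host is clean."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    admins = set()
    for g in ADMIN_GROUPS:
        admins |= groups.get(g, set())

    findings = []
    for name, (uid, shell) in users.items():
        if uid == 0 and name != "root":
            # A second uid-0 account is root under another name: its activity cannot be attributed.
            findings.append((name, "extra uid-0 account (shared root alias)"))
        if name in service_accounts and shell in INTERACTIVE_SHELLS:
            findings.append((name, "service account has an interactive login shell"))
        if name in service_accounts and name in admins:
            findings.append((name, "service account is a member of an admin group"))
    # Every admin account should belong to a person who also has an everyday account.
    for name in sorted(admins):
        if name.endswith(ADMIN_SUFFIX) and name[: -len(ADMIN_SUFFIX)] not in users:
            findings.append((name, "admin account with no matching non-privileged account"))
    return findings


# Constructed sample data for a single host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
alice-adm:x:1002:1002:Alice (admin):/home/alice-adm:/bin/bash
bob-adm:x:1003:1003:Bob (admin):/home/bob-adm:/bin/bash
svc-backup:x:998:998:backup agent:/var/lib/backup:/bin/bash
postgres:x:999:999:PostgreSQL:/var/lib/postgresql:/usr/sbin/nologin
"""
SAMPLE_GROUP = """\
sudo:x:27:alice-adm,bob-adm,svc-backup
wheel:x:10:
"""
# Accounts recorded in the step-1 inventory as service accounts (assumption).
SERVICE_ACCOUNTS = {"svc-backup", "postgres"}

if __name__ == "__main__":
    for account, problem in audit(SAMPLE_PASSWD, SAMPLE_GROUP, SERVICE_ACCOUNTS):
        print(f"{account}: {problem}")
```

On the sample data the audit reports four problems: toor is a second uid-0 account, svc-backup both has a login shell and is in the sudo group, and bob-adm has no everyday "bob" account to pair with. The postgres account, with its nologin shell and no admin group membership, passes. Run the same check from configuration management on every host in the asset inventory, and feed the findings into the same ticketing flow as any other vulnerability.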

2. Monitor—then monitor some more

The next step is to monitor the use of the identified privileged accounts. Enable event logging on all systems and aggregate to a log monitoring system or a Security Information and Event Management (SIEM) system that alerts in real time when privileged accounts are active. Configure the system to alert you when privileged accounts access sensitive data or alter database structure. Report any changes to device configurations, file structure, code, and executable programs. If these changes do not correlate to an approved change request, treat them as incidents and investigate.  

Consider software that analyzes user behavior and identifies deviations from normal activity. Privileged accounts that are accessing data or systems not part of their normal routine could be the indication of malicious activity or a database attack from a compromised privileged account. 

3. Secure the event logs

Finally, ensure that none of your privileged accounts have access to the logs being used for monitoring, nor have the ability to alter or delete those logs. In addition to real time monitoring and alerting, the log management system should have the ability to produce reports for periodic review by information security staff. The reports should also be archived for forensic purposes in the event of a breach or compromise.
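Steps 2 and 3 together describe a correlation rule: privileged activity is acceptable when it is attributable to a named person and matches an approved change request, and anything else, including a direct login to a shared account or a command that touches the logs themselves, is an incident. The following is an added example of that logic, not tooling from the article: it parses constructed sudo and sshd syslog lines (sudo's default log format records the invoking user, the target account, and the command, which is what makes the attribution point under the survey findings above possible), checks each privileged command against a list of change windows, and flags the rest. The host names, user names, ticket numbers, privileged-account list, and the log-tampering pattern are assumptions.

```python
"""Correlate privileged-account activity with approved change requests (steps 2 and 3).

Added example, not the article's own code. Assumes sudo and sshd log through
syslog in their default message formats, with RFC 3339 timestamps such as
rsyslog's forwarding template produces; host names, users, tickets and the log
lines below are constructed sample data.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# "<ts> <host> sudo:    <user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sudo:\s+(?P<user>\S+) : .*?"
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# "<ts> <host> sshd[pid]: Accepted password for <user> from <src> port ..."
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)"
)
# Commands that touch the audit trail itself; never routine for a privileged account (assumption).
LOG_TAMPER_RE = re.compile(r"/var/log/|auditctl|journalctl --vacuum")
# Accounts from the step-1 inventory whose use must be justified (assumption).
PRIVILEGED = {"root", "postgres"}


@dataclass(frozen=True)
class ChangeRequest:
    ticket: str
    host: str
    user: str
    start: datetime
    end: datetime

    def covers(self, host, user, when):
        return self.host == host and self.user == user and self.start <= when <= self.end


def parse(line):
    """Turn one syslog line into an event dict, or None if it is not a sudo/sshd event."""
    m = SUDO_RE.match(line)
    if m:
        return {"kind": "sudo", "when": datetime.fromisoformat(m["ts"]), "host": m["host"],
                "user": m["user"], "target": m["target"], "detail": m["cmd"]}
    m = SSHD_RE.match(line)
    if m:
        # A direct login: the account is the actor, so there is no person to attribute it to.
        return {"kind": "login", "when": datetime.fromisoformat(m["ts"]), "host": m["host"],
                "user": m["user"], "target": m["user"], "detail": f"login from {m['src']}"}
    return None


def review(lines, changes):
    """Return findings for privileged activity that should be treated as an incident."""
    findings = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["target"] not in PRIVILEGED:
            continue
        if ev["kind"] == "login":
            reason = "direct login to a shared privileged account"
        elif LOG_TAMPER_RE.search(ev["detail"]):
            reason = "privileged command touches the event logs"
        elif not any(c.covers(ev["host"], ev["user"], ev["when"]) for c in changes):
            reason = "privileged command with no approved change request"
        else:
            continue  # attributed to a person and inside an approved window
        findings.append({"host": ev["host"], "user": ev["user"],
                         "reason": reason, "detail": ev["detail"]})
    return findings


# Constructed sample input: one approved change window and six log lines.
CHANGES = [
    ChangeRequest("CHG-1001", "db01", "alice",
                  datetime.fromisoformat("2024-03-03T02:00:00+00:00"),
                  datetime.fromisoformat("2024-03-03T03:00:00+00:00")),
]
LOG_LINES = [
    "2024-03-03T02:14:07+00:00 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql",
    "2024-03-03T02:20:11+00:00 db01 sshd[2231]: Accepted password for root from 10.0.0.5 port 51234 ssh2",
    "2024-03-03T02:25:40+00:00 db01 sudo:    bob : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/rm -f /var/log/auth.log",
    "2024-03-03T14:02:19+00:00 app02 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vim /etc/ssh/sshd_config",
    "2024-03-03T14:05:00+00:00 app02 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=www-data ; COMMAND=/usr/bin/ls /srv/www",
    "2024-03-03T14:06:01+00:00 app02 CRON[4120]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for f in review(LOG_LINES, CHANGES):
        print(f"{f['host']} {f['user']}: {f['reason']} [{f['detail']}]")
```

Of the six lines, only alice's restart on db01 is both attributed and covered by CHG-1001, so it produces nothing. The direct root login, bob's deletion of auth.log, and alice's unscheduled edit on app02 each become a finding, while the www-data command and the cron line are outside the privileged inventory and are ignored. In production the same rule would run inside the SIEM against forwarded logs, which is also what step 3 requires: the copy the rule reads must live on a log host that the privileged accounts being watched cannot reach.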

Gain further assistance (and peace of mind) 

BerryDunn understands how privileged accounts should be monitored and audited. We can help your organization assess your current event management process and make recommendations if improvements are needed. Contact our team.

Article
Trusting privileged accounts in the age of data breaches