Recently, my colleague Anthony Murray and I presented Watch List: 2021 Privacy and Security Trends as part of the MRO 2020 Webinar Series. During this presentation, we highlighted the key areas of privacy and security within health information management (HIM) that professionals should be aware of during 2021.
First, I discussed the trends we should see in the privacy arena:
- HIPAA Notice of Proposed Rulemaking (NPRM)—Since HIPAA has not been updated for many years, it was time to address gaps between the existing HIPAA rule and the new Interoperability rule. Although the NPRM has since been released, there is still time for things to change. Looking ahead, I encourage you to take advantage of our upcoming webinar in March on this specific rule, where I will analyze the details with my colleague Angela Rose.
- Patient Right of Access—A new policy change that also came out of gaps within HIPAA was the Patient Right of Access, which allows patients to more easily get their records for themselves or direct them to a third party. An item of note from 2020 was the Ciox v. Azar case, which determined that if the third party is not making healthcare decisions for the patient, then the third party can be charged state rates to get the records. To ensure patients access to their medical records, the Office for Civil Rights (OCR) has cracked down on enforcement of this rule. To put this into perspective, we have seen 14 actions since August of 2020. As this is another hot topic for 2021, I encourage you to attend my upcoming webinar in February on this specific issue.
- New Patient Identifier—While this is not a new concept, AHIMA, AHIOS and other associations recently expressed their support for its implementation. Though some people argue that NPIs could threaten patient privacy, we should be on the lookout for this to make some headway in 2021.
- Interoperability—We have spoken a lot about this topic in 2020, and it will continue to be a hot topic for 2021. All HIM leaders need to look at their processes and the requirements of the rule in preparation for compliance and enforcement coming in 2021! To find out more and assist in your preparations, visit our 2020 Information Blocking Webinar Series landing page, and stay tuned for more sessions in 2021.
Next, my colleague Anthony Murray discussed security trends for 2021:
- COVID-19 Effect—As many of us know, there was a telehealth boom in 2020 due to the pandemic. And because telehealth is likely here to stay, organizations must prepare for updated regulations and guidelines regarding telehealth vulnerabilities, such as breaches. Currently, the OCR is not pursuing breach penalties because we are still considered to be in a national public health emergency. However, that time is ending and we can expect enforcement to resume in 2021. This means that all organizations should make sure their policies and procedures are in place. To ensure your organization is ready, it is critical to complete a risk assessment, document potential risk, and conduct employee education and training. For more telehealth tips and ideas, visit the webinar Anthony and Angela presented in October 2020.
- Ransomware—In October 2020 an alert was released regarding the tactics, techniques and procedures used by cybercriminals targeting the healthcare sector to gain access to protected information. These bad actors use ransomware, a form of malware designed to encrypt files on a device, rendering any files and systems unusable. These malicious actors then demand a ransom in exchange for decryption or release of the information. While the exact motive is usually unclear, they typically do it for espionage or financial reasons. Organizations now need insurance to cover a ransomware attack resulting in payment to the bad actors. Once they are paid, they continue to use ransomware to make more money. To prepare your organization, we recommend four steps: establish a plan, run tests, provide education and create a backup plan.
- Other 2021 Predictions:
- 5G networks—While it’s a great thing for many individuals, remember that bad actors will also have access to this new and improved network function. As this continues to roll out, security teams should monitor these networks to protect their organizations.
- Cybertechnology—AI and machine learning will help us in threat detection, but again, bad actors will also have access to this technology.
As we look forward in 2021, it is imperative that we all stay on top of privacy and security trends by remaining vigilant, compliant and safe in our daily operations. I encourage you to view the recording of this presentation, and stay tuned for many more webinars to come in 2021. Education is essential to preventing any privacy or security mishaps.
To register for the playback recording of our webinar, click here.
Recent Posts
Join our mailing list
National Cybersecurity Awareness Month: Protecting Your Online Presence During COVID-19
By Anthony Murray and Christopher Lombardo
October is National Cybersecurity Awareness Month, which was launched in 2004 by the National Cybersecurity Division within the Department of Homeland Security and the nonprofit National Cyber Security Alliance. This year more than ever, cybersecurity is extremely important in keeping individuals and companies safe when online. Protect your online presence this month and beyond by following the tips below.
Connect and Protect
In today’s world, the line between our online and offline lives is no longer clear. While this situation creates opportunities, it also creates many challenges for individuals and organizations around the globe. To reduce your security risk, make sure to regularly update your security software, browsers and operating systems. And set up auto-updates for all of your home devices, so they are always up to date.
All internet-connected devices are a possible entry point for a cyber criminal. Therefore, if you connect it, you’ll need to protect it. For example, earlier this year Ring doorbells were hacked because updates were not applied and strong passwords were not used. Examples of such devices include GPS/distance trackers, fitness and medical monitors, Wi-Fi enabled baby monitors, home security cameras, climate and lighting control systems, and smart appliances. Though we may not think about some of these things being susceptible to hacking, they are often targeted by cyber criminals. To stay safe, keep your devices up to date, frequently change your password and even update your home network security.
Phishing Awareness
Links in emails, tweets, texts, posts, social media messages and online advertisements are the easiest way for cyber criminals to get your sensitive information. Be wary of clicking on links for downloading anything that comes from a stranger or that you were not expecting. If you receive an enticing offer via email or text, don’t be so quick to click on the link. Instead, go directly to the company’s website to verify it is legitimate. If you’re unsure who an email is from, even if the details appear accurate, do not respond and do not click on any links.
- Follow your gut. If it doesn’t look right—the message is too good to be true, for example—trust your instincts.
- Is the message directly aimed at you? What does the salutation say? Could it be sent to anyone? Of course, knowing your name isn’t always a sign that an email sender can be trusted, but not knowing is a good starting point.
- What are they requesting? Spoofed emails are finely crafted to trick you into giving up your login information for important sites, like your bank account. Have a level of distrust and don’t blindly click a link to log in to important accounts without verifying the URL is correct.
- Are they trying to scare you? This is a favorite tactic for hackers. Maybe they’re telling you your account has been breached, or a payment was rejected. They want you to take action without thinking. Don’t be fooled. Take a moment and think things through.
- How’s their spelling? Yes, the bad guys are getting better with grammar, but poorly written messages are still a sign something is phishy.
Securing Devices
2020 saw a major disruption in the way many people work, learn and socialize online. Our homes and businesses are more connected than ever. With more people now working from home, these two internet-connected environments are colliding on a scale we’ve never seen before, introducing a whole new set of potential vulnerabilities that users must be conscious of. Week 2 of Cybersecurity Awareness Month will focus on steps users and organizations can take to protect internet-connected devices for both personal and professional use.
Passwords
- P@s$w0rds_d0n’t_hav3_2_b_th!s_Complic@teD! Seriously, who can remember that? Make your password a passphrase. Remember that length trumps complexity when creating a strong passphrase.
- When it comes to passphrases, it’s best to mix it up. Keep them long, easy to remember and unique for each account.
- No matter how long and strong your passphrase is, a breach is always possible. Make it harder for cyber criminals to access your account by enabling multi-factor authentication.
Applications
- Do all of your apps need to track your location? No! Take a moment now to configure the privacy and security settings of your apps and, while you’re at it, help someone in your household configure theirs.
- Do you know how many of your apps access your contacts, photos and location data? Time to find out! Configure your privacy and security settings to limit how much data you give away.
- Enable automatic app updates in your device settings so your software runs smoothly and you stay protected against cyber threats. Don’t ignore a software update. It can be what protects you from a cyber criminal.
- Keep all software on all internet-connecting devices current. This improves the performance of the devices and your security.
- Rules for keeping tabs on your apps: 1) Delete apps you don’t need or no longer use. 2) Review app permissions. Limit how much data you share with the app. 3) Only download apps from trusted sources.
Social Media
There are few people today who don’t have a social media presence. Cyber criminals know that, and they especially love it when you overshare on social media. They can learn all about you! Be cyber smart and make it harder for them by avoiding posting real names, places you frequent, and your home, school and work locations. Keep Social Security numbers, account numbers and passwords private, as well as specific information about yourself including your full name, address, birthday and even vacation plans. Disable location services that allow anyone to see where you are—and where you aren’t—at any given time. Connect only with people you trust. While some social networks might seem safer for connecting because of the limited personal information shared through them, limit your connections to people you know and trust. Remember, there is no delete button on the internet. Share with care, because even if you delete a post or picture from your profile seconds after posting it, chances are someone may have seen it.
Disinformation
We live in a world of facts and information that we use to form our opinions and make decisions. Sometimes those facts are incorrect, and we make poor decisions. But what if the information we receive is maliciously created to be incorrect?
Disinformation campaigns aren’t limited to individual victims and are often created by sophisticated groups. Organizations are often targeted, resulting in great harm. Here are three reasons why:
- Damage to reputation: Some attacks are intended to damage an organization’s reputation and create ill will with its customers.
- Financial gain: Some attacks are created to allow the scammer to profit financially. One example is known as a “pump and dump,” where false press releases and social media are used to promote a company and pump up its stock value. Then the scammer sells, or dumps, the stock for a large gain.
- Destroying public confidence: Some attacks are carried out by foreign actors, countries and individuals, looking to harm organizations in other countries and drive customers to competitors that they prefer.
How do hackers pull off disinformation?
- Bots: Bots, short for computer “robots,” are software programs that can perform automated tasks and can mimic typical online human actions, such as making, liking and sharing social media posts. Computers infected with malicious bots can be used to spread disinformation and inflate the popularity of selected posts and items.
- Deepfakes: Deepfakes are audio files, videos or photos that have been tampered with to look and sound like something they are not.
- Targeting: Targeting takes all of the information available about you and makes predictions about disinformation you might be receptive to.
- Trolls: Trolls are Individuals who deliberately say false things online to cause negative reactions, create controversy and ruin reputations.
This year, more than ever before, cybersecurity has played an integral part in the daily lives of many people. And though National Cybersecurity Awareness Month is observed during October, the advice provided here can and should be used all year round. Thought leaders are constantly publishing new best practices to keep you safe at home personally and professionally. As we continue to live in a virtual world, cybersecurity should always be top of mind.
I encourage you to register for our upcoming webinar, presented by myself and my colleague, Angela Rose, Security in a Virtual Environment: Protecting Your Workforce at Home.
Recent Posts
Join our mailing list
MRO at the First Ever Virtual American Health Information Management Association Conference
As we approach AHIMA20, MRO is excited to participate as an exhibitor for the first ever virtual conference. While the 2020 event looks very different from those in previous years, MRO’s industry experts are ready to meet with the health information management (HIM) professionals virtually attending this year. If you are not attending but want to learn more from our experts, we will be available to meet during the conference days.
Health Information Management Current Event Topics
During virtual exhibit hall hours, members of MRO’s leadership will be available for virtual meetings to discuss various HIM current events, including the following topics:
- Business Office
- HIM Life in a COVID World
- Information Blocking and Interoperability
- Privacy and Compliance
- Remote Workforce Operations
- Remote Workforce Security
- Workforce Training
Health Information Management Presentations
If you’re looking for an educational session with our experts, attend these presentations:
Guide to Protecting Patient Data in the EHR
Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, VP of Privacy, Compliance and HIM Policy, MRO
Greg Ford, Associate VP of Requester Relations, MRO
Friday, October 16, 2020 at 2:55 pm central time
Rita and Greg will explore the challenges and responsibilities for health information management in sharing patient data. They will highlight both benefits and disadvantages of process management and identify key stakeholders and their responsibilities in safeguarding PHI from inappropriate collection and use from payers.
Collaborating for Efficiency: Proven Methods to Improve Workflow, Reduce Costs and Mitigate Risk in the Revenue Cycle
Dawn Crump, MA, SSBB, CHC, Senior Director Revenue Cycle Solutions, MRO
Lauren Wall, RHIT, HIM Manager of Shared Services, Steward Healthcare
Thursday, October 15, 2020 at 8:30 am central time
Dawn and Lauren will summarize lessons learned from real-world experiences that bridge communication gaps and integrate functionalities within the revenue cycle, business office and HIM. Attendees receive valuable tips to improve workflow, reduce cost and mitigate risk, resulting in positive financial outcomes for healthcare organizations.
Meet MRO at AHIMA
MRO has been exhibiting at AHIMA every year since 2004. During this first ever virtual event, we are looking forward to learning about industry trends from fellow thought leaders and being able to virtually interact with all our clients and friends. We hope to see you (virtually) there!
To schedule a meeting with our industry experts, visit our AHIMA20 site, here.
Recent Posts
Join our mailing list
HIM Workforce Training Webinar Recap
As part of the MRO webinar series this year, I recently presented HIM Workforce Training: Developing an Engaged Team. During this presentation, I discussed best practices for training and retaining your employees based on the evolving health information management (HIM) landscape which demands new skill sets and coping with the new normal for the workforce.
Health Information Management: New Hire Checklist
Since the first step of an employee’s journey with a company is the onboarding process, using a new-hire checklist is critical. This document should include facility orientation topics, a job description, policies and procedures, systems, and any important forms. Other areas of consideration throughout the employee’s entire journey with the company are HIPAA, compliance, customer service, department functions and record lifecycles.
Lesson Plans Through Video and Slides
Creating lesson plans based on specific employee roles is an easy way to stay organized and keep a record of what employees are learning. For example, a lesson plan on “The Medical Record” designed to cover topics such as encounters, common documents, corrections and amendments, confidentiality and legal issues, and legal health record versus designated record set can be a good start for an overview of HIM topics. Switching it up with slides, documents, and videos across categories helps to keep the employees engaged and interested in the content. When confronted with a decision about how to teach a topic, always choose a video because people enjoy them the most. Also, don’t forget to quiz your employees along the way to make sure they retain what they are learning.
Training Video Content on HIM and ROI
I encourage you and your staff members to create your own videos. If you have an employee expert on a topic, engage them to produce a video for you. It engages the team and they will feel connected through their coworker. Other organizations, such as OCR and AHIOS, provide excellent video content. It’s a good idea to continually check such sites for updated training videos that you can use for your own workforce. Many videos covering HIM topics, especially customer service, are available on YouTube.
Create Relatable Stories for More Memorable Lessons
When teaching employees about important topics, telling a story that is easily remembered can be helpful. For example, to drive the point about HIPAA and confidentiality, talk about finding out your neighbor had a baby. If your neighbor’s husband tells you she had a baby, you can tell the world, because her husband told you directly. If you find out your neighbor had a baby because you see her name on the hospital admissions list, then you cannot share that information because you learned it through your job, making it confidential per HIPAA. I find that employees are more likely to remember a simple yet impactful story.
Mixing up the trainings with games, quizzes, and anything fun is a good way to engage employees to enjoy learning. For example, have employees play a security game where a hacker is trying to get to an unsecured computer before they do, or perhaps play HIPAA Jeopardy.
Stronger Training Programs for Stronger Future Leaders
As employees continue to work for your organization, it is important to create training programs that further develop their skills. These programs will vary depending on specific job functions. Create plans, especially leadership development plans, to grow your future leaders.
During the webinar presentation, I provided valuable videos and resources that can be used for employee development and engagement activities. To get the most from these valuable resources, I encourage you to request the playback along with the slides.
To learn more about developing an engaged workforce, complete the form below to request playback.
Recent Posts
Request webinar playback for HIM Workforce Training: Developing an Engaged Team
HIM Life in a COVID World: Health Information Management Webinar Recap
MRO recently kicked off the 2020 webinar series, focusing on best practices related to industry trends and challenges, leadership development and regulatory changes that affect the secure and compliant exchange of protected health information (PHI). My colleague Angela Rose and I recently presented the first webinar of the series, Optimizing and Maintaining Operations and Workflows: HIM Life in a COVID World. During this presentation, we explored the new normal for health information management (HIM) professionals during the ongoing pandemic.
Current Health Information Management Environment
Since the beginning of COVID-19, many things have changed in the healthcare environment. More people are working from home, telehealth visits have skyrocketed, and there has been increased demand on hospitals and health systems. Moreover, shortages of supplies and resources, as well as exhausted and limited staff, have put the healthcare industry to the test.
We have also seen many laws and restrictions put into place, or changed altogether, resulting in the need to stay up to date with the latest changes. For instance, many organizations need to review what disclosures are permitted when releasing PHI during a pandemic. Some of those permitted disclosures include the following:
- To provide treatment
- To notify a public health authority to prevent or control spread of disease
- To alert first responders at risk of infection
- To prevent/lessen the threat to the health and safety of a person or the public
- To assist a law enforcement official or correctional institution – Only when the PHI is needed for: providing healthcare to the individual or protecting the health and safety of other individuals present including the person transferring the individual, the law enforcement on site, and the administration at the site
- When required by law
Recently, the HHS released statements regarding the release of PHI to the media, as well as contacting former COVID-19 patients about blood and plasma donations. There has been absolutely no change to the rule that PHI cannot be disclosed to the media, including film footage where patients’ faces are blurred or masked. However, the HHS did release a statement that contacting a patient about blood and plasma donations is permitted under HIPAA as a population-based healthcare operations activity, provided it does not constitute marketing. I recently wrote a blog post about that topic, which you can read here.
Telehealth – Changing Environment
In February 2020, prior to the COVID-19 outbreak, only 0.1% of Medicare primary visits were via telehealth. Fast forward to April 2020, and telehealth accounted for 43.5% of those visits. Another survey of about 300 practitioners, including primary care and specialists, indicated that prior to the pandemic, only 9% of patient interactions were via telehealth. That number jumped to 51% during quarantine, and increased across many specialties including psychiatry, gastroenterology and neurology. In July 2020, the HHS published a comprehensive study on Medicare beneficiary use of telehealth visits, including early data from the start of the pandemic.
Looking forward, there will be a permanent place for telehealth. As patients use telehealth, which is easy and convenient, it will become increasingly difficult to take that option away. Therefore, policies and procedures must be put into place to appropriately account for telehealth. Business associate agreements should be reevaluated as part of that process. Many thought leaders in the healthcare industry predict the need for a new executive position within hospitals and health systems—Chief Telehealth Officer.
Release of Information
We are now about six months into the pandemic, and half of the walk-in windows at hospitals are closed. While some had reopened, many closed again. As a result, many alternative workflows are still in place. To receive record requests, facilities are using secure onsite drop boxes and mail as well as virtual electronic options including fax, email and portals. For delivering requests, options include minimal-contact, in-person appointments and virtual electronic options—fax, email, portals and electronic submission such as esMD, SFTP and ERE.
While most workforces are still temporarily operating remotely, many will remain that way permanently. Ensuring your teams are ready means having policies and procedures for the following areas:
- Home workspace requirements
- Devices and connectivity
- Use and disclosure of PHI
- Reporting incidents
- Work days/hours
- Expenses
- Help
- Sanctions
Readiness also requires proper education and training. For instance, there has been a major uptick in fraudulent emails, phone calls and even text messages. Organizations must make sure that all employees know what fraud looks like, and how they can maintain a safe working environment while at home. In fact, my colleagues Angela Rose and Anthony Murray will be presenting Security in a Virtual Environment: Protecting Your Workforce at Home on October 21, 2020.
Thought Leadership
If you are looking to be a thought leader within your organization during the pandemic, there are important factors to keep in mind. Know your environment by understanding your organization’s policies and protocols including response times, action items, workforce exposure protocols, sanitization schedules and contamination controls. Knowing how to communicate both internally and externally regarding these procedures is also essential to becoming a thought leader.
Another important piece is thinking outside the box to achieve success. Adjust KPIs and benchmarks based on realistic, attainable goals. Look at your KPIs pre-pandemic, measure what is going on now and then re-identify appropriate benchmarks. Also be sure to hold regular meetings and touch base with your workforce. To make your meetings more interactive, include video so you can connect with your teams more personally, and make sure they’re engaged and productive during the calls.
Above all, communicate and stay current on what’s going on in the industry. Continue to attend webinars and learn more from other thought leaders in your field. Here at MRO, we will continue to provide thought leadership and educational sessions to keep you up to date on current events.
To learn more about HIM life in a COVID world, complete the form below to request playback.
Recent Posts
Request webinar playback for Optimizing and Maintaining Operations and Workflows: HIM Life in a COVID World
Information Blocking: MRO’s Webinar Series Recap
Recently, MRO hosted a webinar series on the 21st Century Cures Act focusing on the Information Blocking Rule and Interoperability. I joined other industry experts to provide highlights of the rule, take a closer look at the technical requirements, and analyze the impacts on HIPAA.
While the series has come to an end, the recorded playbacks of each session are still available for download, and to earn 1 CEU per session. For those who did attend, this blog is a recap of the entire series. And for those who did not attend, below is a sneak peek at the information you can learn from the recordings. Our goal is to help clear up some of the current confusion related to the rules.
How did we get here?
In order to understand where the rule originated, we must first look at the history of information blocking according to the Office of the National Coordinator (ONC). Complaints received at health IT developers included fees for sending, receiving or exporting electronic health information (EHI), charging for common interfaces and pricing designed to deter connectivity, to name a few. On the other side, complaints against providers included instances of controlling referrals to enhance market dominance, and the reference of HIPAA to deny the exchange of EHI.
Due to these unsolicited complaints, the ONC decided to release key recommendations in April 2015. These recommendations included the following:
- Constrain standards and implementation specifications
- Ensure greater transparency in certified health IT products and services
- Provide governance rules that deter information blocking
- Improve understanding of HIPAA privacy rule and security standards related to information sharing
- Work with CMS to coordinate healthcare payment initiatives and leverage other market drivers that reward interoperability and discourage information blocking
- Promote competition and innovation in health IT and healthcare
As a result, the 21st Century Cures Act was created. The key objectives include accelerating drug and medical device development, addressing the opioid crisis, improving mental health service delivery and enhancing nationwide interoperability of EHRs.
To download our infographic explaining the rule, click here.
Information Blocking Rule Details
While this rule does impact healthcare providers, health IT developers of certified health IT and health information networks/health information exchanges, it does not necessarily impact business associates. It is imperative that business associates determine whether they are considered an “actor” and required to comply. Impacted entities must certify that they:
- Do not engage in information blocking
- Provide assurances that developer or entity will not engage in information blocking
- Do not prohibit or restrict certain communications
- Publish APIs and allow health information to be accessed, used and exchanged without special effort through the use of APIs
- Conduct real world testing
- Ensure attestation is completed
As defined by the rule, the above applies to electronic health information (EHI)—all electronic information regarding the patient’s health information as defined in the facility-specific electronic designated record set (DRS). The definition of EHI is based on how an organization defines their DRS. If it’s not properly defined, the definition is left open to interpretation.
Defining the DRS is a requirement under HIPAA and is a key component to ensuring the patient has appropriate access to their healthcare. Beginning in 2022, the scope of EHI will be broadened so it’s important to understand the rule and its requirements.
Some Exceptions
The rule did finalize eight exceptions, divided into two categories. The first category involves not fulfilling requests to access, exchange or use EHI, and includes:
- Preventing harm – aligns with HIPAA’s harm exception but must be consistent with organizational policy
- Privacy – protecting an individual’s privacy
- Security – protecting the security of EHI
- Infeasibility – meeting one of the requirements noted in the rule with a response provided to the requester within 10 business days of request receipt specifying the infeasibility exception
- Health IT performance – scheduled maintenance or downtime due to a security risk
The second category involves fulfilling requests to access, exchange or use EHI, and includes:
- Content and manner – fulfilling a request in an alternative manner if unable to fulfill as requested
- Fees exception – charging fees related to costs, which is not to be based on competition with another actor, but instead based on objective and verifiable data uniformly applied
- Licensing – actors protecting the value of their innovations and charge reasonable royalties in order to earn returns on the investments they have made to develop, maintain and update those innovations
Actions to Consider
Now that the rule is final and the first pieces of compliance are approaching in November 2020, organizations must consider the best course of action forward. A great resource that I highly recommend is The Sequoia Project, which is continually updating its resources page for the HealthIT community. They are providing additional webinars, toolkits and reports.
MRO will also continue to publish relevant content around the information blocking rule and interoperability. My colleague Rita Bowen will present Information Blocking Rule: The Impact to HIM later this year on November 18, 2020. Be sure to mark your calendar!
Above all else, remember the basics for creating or updating a compliance program. Begin with the end in mind. What are your goals? Determine whether your organization is considered an actor. Review your current program and determine what modifications or new items are needed to remain ahead of the game. Make the changes and implement them through education and training.
To learn more about the information blocking rule from our panel of industry experts, complete the form below to request playback for the entire series.
Recent Posts
Request webinar playback for the entire Information Blocking series
Recent Guidance on Contacting COVID-19 Patients for Blood Donations
The Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) recently issued guidance on how providers can contact former COVID-19 patients regarding opportunities for blood and plasma donations. Though healthcare providers can use Protected Health Information (PHI) to identify and contact previous patients, specific guidelines should be followed.
What the guidance outlines
Contacting previous COVID-19 patients to notify them of opportunities for donating blood and plasma is allowed in order to assist healthcare providers in collecting antibodies for treatment of other patients with COVID-19. The use of PHI for this purpose is permitted as a population-based healthcare operations activity, as outlined in the HIPAA Privacy Rule for HIPAA covered entities and their business associates. Furthermore, facilitating the supply of donated blood and plasma is expected to improve the provider’s ability to conduct case management for patients who have been infected with COVID-19.
However, safeguards remain in place when contacting previous COVID-19 patients. The provider can contact its previous patients for this purpose, without authorization, to the extent that the activity is not considered marketing. As defined by HHS, marketing is a communication about a product or service that encourages the recipient of the communication to purchase or use the product or service. However, under one exception, a covered healthcare provider is permitted to make such a communication for the population-based case management and related healthcare operations activities, provided there is no payment associated with the activities.
Additionally, providers are not permitted to share PHI with third parties. For example, a provider cannot release a patient’s PHI to a blood and plasma donation center so that the center can contact the patient for its own purposes, such as collecting the blood and plasma for a profit. For such a transaction to occur, the provider must receive the patient’s authorization prior to making the disclosure of PHI.
For more information, the complete guidance can be found here.
Recent Posts
MRO’s Special Webinar Series: Information Blocking
MRO’s four-part special webinar series regarding the Interoperability Rule will teach attendees how this rule helps healthcare data and systems become more standardized, so that data can be exchanged seamlessly. Even if you and your organization are already making strides toward achieving interoperability at your facility, you can benefit by continually learning more. The Interoperability Rule, which consists of over 1,200 pages, probably seems daunting. Therefore, we created these expert-led sessions to break down the rule for you, since the rule has major compliance implications that your organization needs to prepare for.
Highlighted below are the four sessions included in our webinar series.
Information Blocking and the Interoperability Rule
Information Blocking: Setting the Stage – Lauren Riplinger, AHIMA
The first session of the Information Blocking webinar series, presented by an AHIMA staff member, provides an introduction by setting the stage for the other sessions. Attendees will learn the history of information blocking as well as the legislative background of the 21st Century Cures Act. They will also take a deep dive into the intended goals of the rule, and how the ONC got to the current state we are in.
Information Blocking and Interoperability: Decoding API Elements, Incompatibilities, and the Role of HIM in Technical Developments – Jeff Smith, AMIA and Diana Warner, MRO
The second session of the Information Blocking webinar series breaks down the technical developments and considerations from the ruling. Jeff Smith from AMIA will highlight the informatics and the technical compatibility requirements, as well as delve deeper into the technical aspects of the ruling and what it means for supporting CIOs and their teams. Specializing in information governance, Diana Warner from MRO will then guide attendees through the special considerations for HIM teams.
Information Blocking and HIPAA: Road to Compliance – Rita Bowen, MRO and Angela Rose, MRO
The third session of the Information Blocking webinar series, presented by two of MRO’s industry experts, analyzes the rule with a focus on HIPAA. Attendees will be immersed in a discussion around critical aspects of the rule and explore ways to operationalize its requirements to achieve compliance. Furthermore, they will take away tips and strategies to share with their organizations to guide planning efforts for success.
Information Blocking: Looking Ahead – All Webinar Presenters
The fourth and final session of the Information Blocking webinar series features a roundtable panel discussion from all the previous presenters. This session will briefly summarize what attendees learned during the first three sessions, as well as discuss what comes next. Attendees will learn practical enforcement mechanisms, OIG timing and enforcements, and possible penalties. The expert panel will also provide answers to the most frequently asked questions from the entire series.
Please join us for the first webinar, presented by Lauren Riplinger, JD, from AHIMA, Information Blocking: Setting the Stage, on June 11, 2020 at 2 pm ET.
Recent Posts
Security Awareness: How to Remain Safe While Working from Home
As our current climate continues to change day by day, I thought it would be beneficial to share some best practices for security awareness. While this is certainly not all encompassing, many of these practices can be applied not only to your organizations, but also in your personal life as well.
Working from Home
Due to the COVID-19 pandemic, many of us are now working from home. Unfortunately, cyber criminals will continue to target individuals and organizations with phishing campaigns in the hopes of exploiting vulnerable systems and services. While working from home, everyone must remain vigilant and keep an eye out for suspicious activity. Here are some of the most effective ways to protect yourself while working at home:
- Secure your wireless network router at home, and make sure to change the default admin password. Also enable WPA2 encryption and use a strong WiFi password for the wireless network that you created.
- Be aware of all the devices you have connected to your network, including baby monitors, gaming consoles, Alexa, Google Home, TVs, appliances or even your car. Ensure that each device is protected by a strong password and that the operating system is kept up to date. You should enable automatic updating whenever possible, so that you don’t forget. This includes your cell phone and computer as well.
- Make sure every account has a separate, unique password. If you can’t remember all your passwords, consider using a password manager to securely store all of them for you. Some of our (free) favorites include LastPass, Dashlane and Keeper.
- Keep your account secure by using multi-factor authentication or two-factor authentication. Whenever this feature is offered, you should absolutely use it. When you login, both your password and a code sent to your mobile device are needed. For example, you might use it for banking, Gmail, Dropbox and various social media sites.
- Make sure antivirus software is installed on your personal computer. Chances are your work computer already has this software from the corporate level. Some free options for personal computers (Windows, Mac and even smartphones) include Sophos Home, Bitdefender and Avast.
- Use your common sense! If an email, phone call or online message seems odd, suspicious or too good to be true, then it probably is.
Using Social Media
While most people use social media for personal reasons rather than for business, almost everyone has a LinkedIn account which is considered social media but designed for work purposes. Regardless of the social media platform you use, here are some friendly reminders to ensure stronger security awareness:
- Use social media wisely. Once it’s out there, it will never permanently come down, even if you think that it has!
- Apply the strongest privacy settings possible to ensure your privacy and protection.
- Enable multi-factor authentication. If someone is trying to hack your account, you will know immediately and can remedy the situation quickly.
- Don’t share personal information on business accounts. And don’t share business information on personal accounts.
Being Hacked
If you are working from home, and believe you have been hacked, how can you tell? This can be more challenging if you’re accustomed to being in the office and reporting an issue to your IT/Security team in person. Here are some signs that you’ve been hacked:
- Your antivirus program triggers an alert. That’s why you should always install an antivirus program.
- Your password no longer works, but you know it is correct.
- You get a pop-up message stating that your computer is infected, and you must pay a ransom or call a phone number to fix the problem.
- You believe that you have accidentally installed suspicious or unauthorized software.
- Your friends and coworkers are receiving odd messages from you, that you never sent.
- Your browser takes you to a random website that you can’t close.
Maybe more important, what can you do if you believe that you have been hacked? If your equipment in question is from your organization, always consult the appropriate department or person. At MRO, our employees are directed to contact the IT department. Don’t try to fix the problem. Stop what you are doing and report the problem right away. If it’s your personal equipment that has possibly been hacked, contact a local business for assistance. However, if an account such as LinkedIn has been hacked, then contact LinkedIn support for assistance. Getting help from a knowledgeable professional is always the best course of action when you are hacked.
Whether you are working from home or using a personal device for leisure, being proactive and vigilant can help both your organization and you practice better security awareness and protect your important online accounts.
Recent Posts
Step Up in Crisis
There are times in a person’s life where resilience is tested. As I reflect upon this pandemic, I feel hopeful. I say this because time and time again, we Americans have risen to challenges such as natural disasters, 9/11, the Great Depression, rationing during wars, etc. I remember the extraordinary story of people forming a human chain into the ocean to rescue someone drowning. I remember how I was assisted after Hurricane Katrina and we recently saw volunteers lined up in Nashville to assist tornado victims. One of my city leaders said, “We have to face this with storm coming mentality. That’s when we check on our neighbors and make sure they have a plan, especially elderly neighbors. Let’s make sure they have groceries or whatever they need to stay home and stay safe.” I love this sentiment- that in a crisis, we band together where the fate of us all matters more than the individual. Surrender the ME to WE!
In wars, natural disasters, or pandemics, we are called upon to be our best selves. It’s time for you to ask the question, “How can I be my best self in this pandemic?” Staying calm and collected is important. Anxiety about the future just inflames your immune system. Live in the present. The past is done, the future cannot be controlled, but the present is the state in which to live and appreciate the little things. Minute by minute, hour by hour, day by day. Preparation is important in a possible quarantine situation. Yes, buy groceries for a couple of weeks, but don’t hoard. I know someone who was worried about families who don’t have childcare, and she decided that she would volunteer to babysit. How generous, she will make a difference and leave this world a better place.
Psychologist Gretchen Schmelzer wrote, “For most people worldwide, this virus is not about you. This is one of those times in life when your actions are about something greater, a greater good that you may never witness. A person you will save who you will never meet. This isn’t like other illnesses and we don’t get to act like it is. It’s more contagious, it’s more fatal—and most importantly, even if manageable, it can’t be managed at a massive scale anywhere. We need this to move slowly enough for our medical systems to hold the very ill so that all can be cared for. There is still cancer, heart attacks, car accidents and complicated births. We need to be responsible because medical systems are made up of people and these amazing healthcare workers are a precious and limited resource. They will rise to this occasion and work to help you heal. They will work to save your mother, father, sibling, grandparent or baby. For that to happen, we have important work to do. Yes, you need to wash your hands, stay home if you are sick and comply with all social distancing rules. But the biggest work you can do is to expand your heart and your mind to see yourself and your family as part of a much bigger community that can have a massive impact on the lives of other people.”
I’ve already seen amazing stories happening- the patron who left a $3,000 tip at a restaurant for workers to split, people delivering groceries to those in need, stores dedicating hours for elderly shopping and many more. Let’s share these stories to encourage others. Imagine if we can make our response to this crisis our finest hour. Hopefully, we can look back and tell stories of how we came together as a team in our community, our state, our nation and across the world. Your contribution to the finest hour may seem small—but every small act of kindness adds up exponentially to save lives.
At MRO, we have an incredible team and a culture we’re so proud of. I recently shared with our team, that if they start to feel stressed, take a deep breath and practice mindfulness. One thing that always works for me is to name 5 things for which I’m grateful for right in this moment. It eases your anxiety. Rely only upon reputable sources for information. Unplug for a while to de-stress. Now is a great time to journal your daily thoughts. You’ll appreciate reading them in the future.
Interested in learning more? Request the playback of my recent webinar, Effective Leadership During COVID-19.