Telehealth provides a number of benefits to patients and providers, such as increased access to care, improved efficiency, and increased communication. However, if you’re using a video conferencing service that is not HIPAA-compliant, you are putting your patients’ protected health information in jeopardy and reducing your credibility as a trustworthy health provider.
Consequences of a HIPAA Violation: HIPAA violations carry a number of potential consequences that depend on the size of the breach. They can include:
- Immediate notification to affected parties
- Media notification
- Notification to the Secretary of Health and Human Services
- Permanent public record of the breach
- Loss of credibility
Potential civil fines range from $100 per violation to $50,000 per violation, up to $1.5 million per year. While these amounts might have a smaller impact on a large hospital group, the penalties can be staggering for smaller clinics and businesses. In addition to the financial penalty, the negative press of a HIPAA violation reported via the media or on the Health and Human Services site can cost you the trust and business of current and future patients.
Impact on Patients: Your business isn’t the only thing impacted by a HIPAA violation. Your patients, whose protected health information was put at risk, are impacted significantly as well. Their sensitive information, which a patient should have full control over, is now public in a number of damaging ways. One HIPAA breach in 2014 resulted in an individual’s HIV status, mental health status, and sexual orientation, amongst other things, being faxed directly to his or her employer.
Good patient care requires that medical providers protect their patients’ private health information. This includes using a HIPAA-compliant teleconferencing service if you’re engaging in telehealth practices. Contact us today to get more information on how we can help meet all your telehealth needs simply and securely.
Telemedicine is growing in popularity across numerous industries. One of the most beneficial uses of this technology occurs within the United States prison system. This innovative tech is changing the way we engage with healthcare, particularly in the areas of mental health. Prison operators recognize the enormous benefits of Telemedicine. Here, we examine how state prisons use Telemedicine to improve care and reduce costs.
Improved Behavioral Healthcare
The mental health of inmates is a primary concern to prison operators. The Atlantic reports that 55% of male inmates and 78% of female inmates within the US state prison systems are mentally ill. Some people believe treatment for these issues would have reduced the chance of many individuals becoming incarcerated in the first place. Properly treating mental disorders could then lead to lower recidivism rates, and it certainly creates a safer environment for guards and inmates. Telemedicine is more effective and efficient than traditional treatment. It allows mental health professionals to see back-to-back patients in a variety of locations. Additionally, if an inmate needs immediate assistance, he or she has quick access to treatment, as there is no need for a professional to travel to the prison or to transport the inmate to the doctor. This is extremely useful when an inmate becomes agitated or experiences a serious mental “breakdown.” It is also important to note that many behavioral healthcare professionals are simply uncomfortable entering a prison and therefore do not provide services to prison inmates. With Telemedicine, professionals can treat patients from the comfort of their own home or office. Furthermore, scheduling appointments is a simple process, and doctors can easily follow up with patients.
Prison operators often struggle to stay within budget. It is difficult to meet all the needs of inmates without exceeding fund limitations. The Vera Institute of Justice estimates the annual cost of incarcerating a person in the US averages $30,000-$60,000. Telemedicine helps reduce the cost of behavioral health. Paying a psychiatrist to travel long distances is quite expensive. Alternatively, transporting prisoners to healthcare professionals raises safety concerns as well as increasing costs. With the large percentage of inmates needing psychiatric care, the compounded cost saving of using Telemedicine is enormous.
Safety and security are additional concerns for prison operators. As we briefly mentioned in the sections above, Telemedicine helps create a safer environment for everyone. By properly treating mental illness, inmates are less likely to become violent or create problems for guards and other prisoners. Let’s imagine a common scenario where an inmate needs a change in medication. He is upset and acting out. It might take a week or longer for him to see a psychiatrist with the traditional methods of care. During this waiting period, things could go terribly wrong as he grows increasingly agitated. However, with Telemedicine, he can see a doctor within hours rather than weeks. His medication is quickly switched, and the situation is defused immediately. Additionally, security risks are lowered by eliminating the need for transportation to and from psychiatric facilities. The importance of these benefits cannot be overstated. The improved safety implications are far-reaching within the prison system.
Telemedicine is increasingly gaining traction as state laws change to meet the needs of various medical use cases. The ability to access behavioral health professionals quickly and easily is shifting mental healthcare as we know it. States are becoming more inclusive, and one of SecureVideo’s main priorities is an easy and pleasant user experience for all, backed by a 24/7 support team.
Contact us for more information.
Telemedicine services are an increasingly popular amenity for healthcare providers to offer patients, but unless the video service used is specifically developed for healthcare providers, it is likely in violation of HIPAA and could result in sizable fines.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) contains two rules that dictate how healthcare providers must protect their patients’ information. This includes any interactions via video conferencing.
- Privacy Rule
The Privacy Rule requires that healthcare providers use administrative, physical, and technical safeguards to protect a patient’s health information, whether it be in written, oral, or electronic form. However, the rule is deliberately flexible so that health providers can make their own determinations on the safeguards that best match the needs of their practices.
- Security Rule
The Security Rule is focused solely on electronic records and dictates the implementation of security measures to ensure that those records remain private. The two rules are closely related, with the Security Rule adding additional protections on top of those mandated by the Privacy Rule.
HIPAA is enforced by the Health and Human Services Office for Civil Rights (OCR), which investigates potential violations and levies fines. In 2009, OCR’s ability to enforce HIPAA was strengthened with the passing of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which increased potential fines and created four tiers of penalty amounts from $100 to $1.5 million per violation. The HITECH Act also bars organizations from using the defense that they are ignorant of HIPAA rules in order to avoid penalties.
Why Act Now?
HIPAA allows healthcare providers to make security decisions based on risk analyses. In a risk analysis between using a non-HIPAA-compliant video service and a HIPAA-compliant service, there would be few, if any, arguments for using the former over the latter.
While HIPAA-compliant services may not be free, they are relatively inexpensive, easy to install, and easy to use. Therefore, any healthcare provider not using a HIPAA-compliant service is liable to be investigated and fined by OCR for not taking appropriate measures to safeguard their patients’ protected health information.
Since 2003, OCR has investigated over 100,000 cases, levying over $75 million in fines. One of the top five compliance issues investigated was a lack of safeguards over electronic protected health information, and the two types of entities most often investigated have been general hospitals and private practices and physicians. OCR has taken, and will take, punitive action against healthcare providers of any size who do not safeguard their patients’ protected health information.
In addition to being fined, any healthcare provider that ends up on the HHS “Wall of Shame” has damaged their reputation. If a provider does not do everything possible to secure their patients’ protected health information, then not only are they in violation of HIPAA, they are violating their patients’ trust.
HIPAA-Compliant Video Conferencing
With many seeing telemedicine as the future of healthcare, it is essential that healthcare providers offering this service use a HIPAA-compliant video service with appropriate encryption and the ability to set user roles and permissions for staff members.
For further protection, that video service should also include a Business Associate Agreement, which states that any potential security breach or mishandling of protected health information on the service provider’s part is the liability of that provider, not the medical practice.
Protecting a patient’s health information should be a health provider’s top priority. Not only is it the law, it’s good business sense and the right thing to do.
SecureVideo is a HIPAA-compliant video service that securely connects patients and providers across the world. If you’re interested in learning more, contact us today.
Anyone handling protected health information (PHI), as defined under HIPAA, accepts a strong obligation to protect it. Transferring or storing it insecurely can be very costly. The Office for Civil Rights (OCR) collected penalties of over a million dollars six times in 2017 for violations. Five of these cases involved failure to protect electronic data.
Telehealth involves the storage and transmission of electronic protected health information (ePHI), and it has to be diligently protected. This requires risk assessments, data protection policies, and procedures that carry them out.
Memorial Healthcare Systems – $5.5 million
The largest assessment, $5.5 million, fell on Memorial Healthcare Systems, which operates six hospitals and other facilities in Florida. Unauthorized employees had access to ePHI through shared login credentials. The reasons for the huge fine included failure to review access controls and to examine audit logs. Login credentials must not be shared.
OCR treats breaches severely when it finds that they’re the result of systematic neglect. An organization that suffers a data leak in spite of consistently good security practices might get only recommendations on improving them. One which is negligent, as in this case, could be made to give up a large amount of money and demonstrate improvement in its practices.
Children’s Medical Center of Dallas – $3.2 million
In second place, Children’s Medical Center of Dallas paid a civil penalty of $3.2 million. In 2009, it had lost an unencrypted BlackBerry device at an airport, containing ePHI on 3,800 people. In 2013, it lost an unencrypted laptop with ePHI on 2,462 people. OCR found its failure to encrypt devices that left the office was chronic and detrimental.
HHS’s press release cites CMC of Dallas as having “non-compliance over many years with multiple standards of the HIPAA security rule.” Once again, the failure to fix ongoing problems was a major factor in the amount levied.
CardioNet – $2.5 million
The third largest amount came in the first HIPAA settlement that involved wireless health services. CardioNet, which specializes in cardiac outpatient telemetry, had to pay $2.5 million. While investigating the 2012 theft of a laptop from an employee’s car, OCR found CardioNet didn’t have any policies in final form for protecting ePHI. The lack of protection for mobile devices was a special concern. The required corrective action includes creating policies and procedures for protecting portable devices and storage media.
Memorial Hermann Health System – $2.4 million
The case of Memorial Hermann Health System is an odd one, showing that what would normally be acceptable disclosure can be forbidden under HIPAA. It cost MHHS $2.4 million for violating the Privacy Rule, putting it in fourth place.
In 2015, a patient at an MHHS clinic allegedly presented a fraudulent identification card. The staff called the police, who arrested the patient. Then MHHS issued a press release about the arrest, naming the patient. Under HIPAA rules, that’s illegal. The staff didn’t violate HIPAA by notifying the police and naming the accused person, but revealing the name to the public constituted disclosing PHI in the form of the patient’s name. This was the only penalty in the top six that didn’t involve electronic data security.
21st Century Oncology – $2.3 million
The case of 21st Century Oncology (21CO), a Florida provider of cancer care services, drew the fifth highest penalty: $2.3 million. This case started with two break-ins to 21CO’s servers that resulted in the sale of data to an FBI informant. The breaches exposed confidential information on over 2 million people, including names, Social Security numbers, and diagnoses. OCR’s investigation found inadequate security protections and a lack of risk assessment procedures and activity reviews.
In May 2017, 21CO filed for Chapter 11 bankruptcy. It exited Chapter 11 status in January 2018.
MAPFRE – $2.2 million
Finally, MAPFRE Life Insurance Company of Puerto Rico agreed to pay $2.2 million for disclosure of ePHI. The starting incident was the theft of a USB drive from MAPFRE’s IT department. It contained names and Social Security numbers for 2,209 people. The OCR investigation found a lack of risk assessment plans and a failure to encrypt data. HHS reports that MAPFRE didn’t consistently encrypt portable data until almost three years after the theft. Its failure to implement corrective measures, after promising OCR that it would, was a factor in the heavy assessment.
As these cases show, data leaks will draw the attention of the OCR and can mean heavy financial penalties. Any discussion of patient information needs protection against thieves, accidents, and even disasters. SecureVideo’s platform supports HIPAA-compliant videoconferencing and includes many features such as encrypted chat and file transfers. Contact us to learn how SecureVideo can help your organization provide secure and quality care to your patients.