TEXAS HB 300 
         HIPAA made EASY

Blog

Dental Office Under Attack - How to Avoid being Held to Ransom
8th August 2015

Let’s talk about a big “win” for patients first:  The new HIPAA Omnibus Rules aggressively protect patient records. 

These rules apply to the dental office setting. All Dental offices must comply because these rules apply to the dental office setting. The mandatory laws ensure the protection of virtual electronic files, meaning PHI, or Protected Health Information of patients, during business hours, but also in the case of a natural disaster.




According to a
 NY Times article from 2013 that discusses one report by Verizon on data breaches, “no matter the size of the organization — large, small, government agencies, banks, restaurants, retailers — people are stealing data from a range of different organizations and it’s a problem everyone has to deal with.”  Data theft and corruption by hackers is a big problem, and, no one – not even “a one-computer dental office” – is immune to hackers. 

The prospect of a data breach is a scary one; it can not only discourage potential future business from new customers due to inherent distrust regarding the protection you offer for their information, but it can cripple current business.

A comprehensive training program for your employees is one of the best deterrents against hackers. This is because, in case of a hacking attack, each employee will know what to do. Plus, the dental office will have a resource to call in case of such an emergency. 

An Expert HIPPA Coaching Team can help your dental office put such measures in place by using products like
 HIPPA Made Easy. To make sure that your dental office is in compliance with the new HIPPA Omnibus Rules, including protocols for digital privacy and breaches, programs like this offer all the training tools, support checklists and guided HIPAA expert advice needed.  However, only the knowledge of how to manage a data breach is not sufficient.  To truly understand its effects, look at a recent example of how one dental practice was hacked twice in one week. The example is of Dr. Lloyd Walling in Burnsville Minnesota, whose office was hacked twice in one week.

The hackers actions resulted in blocking the doctor’s access to his patient database, including their files, personal information, and insurance information.  The hackers then demanded $1,000 in ransom money, and followed up later by asking for $600 more.  The dentist $70,000 for the electronic system that he implemented due to state mandates so he could be in compliance with the law.  The ransom paled in comparison to the cost of protection. But, what if the hackers wanted more? This is concrete evidence that what the NY Times article stated about hacking is true: no one is safe from hackers no matter how much they pay to protect their patient’s information.  Your dental office can still be hacked regardless of how secure a system you think you have or how much you paid for it.  Naturally, the strain put on a dental office if this happens is enormous and unbearable. It could potentially break the back of a small one dentist office.

According to what he told a local news station, Dr. Walling’s case, the whole system was shut down. He had no access to the daily schedules and could not even take X-rays. The most frightening part of the ordeal for the Dentist was the fact that the hackers broke through two protection systems to achieve access to the patient’s database.  According to the hardware provider for this dentist office, 20 out of 60 dental office clients had fallen victim to ransomware attacks in the last year.  For those who are not familiar with this term, “ransomware” occurs when hackers freeze the patient database and initiate ransom demands. Ransomware is spread a couple of ways.

Phishing emails are what are usually used to spread ransomware. Without the person ever knowing it, the emails contain attachments or links that, when clicked on or opened, install the ransomware or malware onto the computer.   Normal anti-virus protection programs are not thoroughly equipped to protect computers from these kinds of attacks.  In Dr. Walling’s case, the malware or crypto-ransomware as it is officially known makes sensitive data inaccessible to anyone but the hacker who installed it.  A message will appear on the screen stating that the computer has been locked down or encrypted, and that a ransom must be paid to restore access, If you are ever a victim of this kind of attack.

The Homeland Security website lists examples of these pop-up messages; for example, "Your computer has been infected with a virus. Click here to resolve the issue," or "Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100- $1000 fine."  The department of Homeland Security recommends that victims should not pay the ransom because there is no guarantee that they will recover their system. Dr.Walling, however, decided to pay the ransom and regained control over his system, but this may be an exception.


The bottom-line here is that all dental offices should have a system in place to deal with such an attack.  Because an attack can occur without prior warning, it is critical for all employees to be knowledgeable of what to do if it happens.  Plus having a resource--- a HIPAA Expert, available 24/ 7 to support your team through difficult times is essential. Having an ally on your side (like ‘HIPAA made Easy’) that can provide complete training and timely advise, will provide answers and peace-of-mind, in times of distress. 


Hackers always seem to be one step ahead of the security technologies, despite all of the protective layers one can create to guard against such an attack. The last thing that any dental practice needs is to be attacked and be unable to do business – this costs the office the trust of its customers as well as money for the practice, two assets that are very difficult to recover.  Do not let a ransomware attack hold your dental practice back.  Just like you would ask your patients to have a plan to keep to a healthy diet to help bolster their immune system, you too must have a plan to keep your office up and running should a virtual disease affect it.

For free advice and a full list of ‘HIPAA made Easy’ training packages visit:

http://hb300.net/
_____________________________________________________________

Breaking News: HB300 
Dec. 15th, 2014
__________________________________________________________________________________________________________


Why Does Texas Have Additional HIPAA Requirements?
Nov. 22nd, 2014

The Texas Legislature passed House Bill 300 (HB 300) during its 82nd regular session to amend the Texas Medical Privacy Act (TMPA) and other state privacy/security laws. HB 300 offers more stringent protections for protected health information (PHI) than its federal counterparts, HIPAA and the HITECH Act. Among other things, HB 300 mandates employee training on state and federal laws regarding PHI that is tailored to each employee’s scope of employment. It also puts in place new requirements for notices to patients regarding electronic disclosure of PHI.

What Are The Consequences?
Covered entities that wrongfully disclose a patient’s PHI face increased civil penalties under HB 300, ranging from $5,000 to $1.5 million per year. To determine the penalty amount, a court may consider six factors:
  1. the seriousness of the violation
  2. the entity’s compliance history
  3. the risks of harm to the patient
  4. whether the practice was certified by the Texas Health Services Authority as in past compliance with its standards
  5. the amount necessary to deter future violations
  6. efforts made to correct the violation. 
Additionally, Texas law includes its own distinct provisions and penalties regarding breaches of computerized data containing "sensitive" personal information. Failure to notify individuals under state law (on or after Sept. 1, 2012) may result in penalties that were heightened under HB 300, including an additional $100 state penalty per individual for each day the notice is not sent, not to exceed $250,000. State penalties are levied in addition to any penalties for violating federal laws. 

What Are The Next Steps?
First, update policies and procedures to incorporate changes resulting from HB 300. This includes providing the newly required notice to an individual for whom the covered entity creates or receives PHI if the PHI is subject to electronic disclosure.

Second, develop and implement new employee training on state and federal laws concerning PHI for privacy/security compliance. New employees must receive training as it relates to the entity’s particular course of business and the employee’s scope of employment within 60 days of hire.

Third, review your training schedule for existing employees. HB 300 also requires ongoing training on state and federal PHI at least once every two years. Employees are required to sign, electronically or in writing, a statement verifying his or her attendance at the training program. The covered entity is required to maintain the signed statement.

_________________________________________________________________________________________________________

Which Employees Need to Complete HB300?
Nov. 7th, 2014


What is actually required?
   
Each employee needs to have a certificate or worksheet proving that they have been trained and are aware of their obligation to protect patient PHI, know the correct protocols when handling this information over the internet and in electronic format or on computers, telephones, etc.  There also needs to be written protocols in place within your office that dictate your handling of patient PHI.  And of course, all involved need to understand the fines & punishments for breaches or violations of the HB 300 guidelines.

Who Must Comply? 
All Texas healthcare facilities must comply with these guidelines and have written proof that they are doing so!   This includes: 

  • Healthcare Facilities 
  • Clinics 
  • Employees handling PHI, ePHI & HER (Protected Health Info, electronic PHI, Electronic Health Records) 
  • even IT Techs that maintaining healthcare related internet websites

How often does this have to be done?  
Texans have to comply in (3) ways:

  •          Validate Employee Training on HB300 for:  Patient PHI, HER & ePHI
  •          Train any New Employees within 60 days of their hire
  •          Have written Office Protocols for the HB300 Policies within your Office
  •          Update the HB300 Program— every 2 years and show Proof-of-Employee Training

You know what they say”  “Everything’s Bigger in Texas”!  Apparently HIPAA law is a lot bigger.  Don’t mess with Texas HIPAA Auditors!   Get compliant with a reliable HIPAA company to assist you. (One that knows their Texas HB 300 law.)

Written by Jill Obrochta RHD BS, OSHA & HIPAA Researcher & Trainer of DentalEnhancements.com, home of OSHA made EASY™ & HIPAA made EASY™ Compliance Solutions. Jill can be reached with OSHA or HIPAA Compliance questions at: jill@dentalenhancements.com or 941-587-2864

__________________________________________________________________________________________________________

Why does my healthcare facility need Texas HB300?
Oct. 24th, 2014

Texas HB300 (Texas House Bill 300) is a bill that was passed in Texas in 2011 that amended several state laws, which address privacy. 
It has resulted in far stricter requirements for patient privacy than those found under HIPAA. 

Texas HB300 went into full effect on September 1, 2012 and was later amended in June 2013. Under one of the Texas privacy laws that was altered by Texas HB300, all healthcare employees are presently mandated to be specially trained on state and government protection laws anytime a privacy law is changed or instituted that affects a representative's employment obligations but this requirement must be met no later than one year after the new law becomes effective. Even newly hired employees are obliged to be trained inside 90 days of the employee’s contract date. 

Who must comply with Texas HB300?
Under one of the laws that was amended by Texas HB300, the definition of a Covered Entity is much broader than the definition found under HIPAA and includes any individual or organization that:
  • Engages in the practice of assembling, collecting, analyzing, using, evaluating, storing or transmitting PHI and includes any person who maintains an Internet site
  • Comes into the possession of PHI
  • Obtains or stores PHI
  • Is an employee, agent or contractor of a person described in 1-3 above if they create, receive, obtain, maintain, use or transmits PHI

Certain entities are exempt from complying with Texas HB300.  For a list of exempt entities, please refer to Tex. Health & Safety Code §181.001, et seq. or contact Dental Enhancements.

Why is HIPAA and Texas Privacy Law training important to my healthcare facility?
HIPAA and Texas House Bill 300 mandates Covered Entities and Business Associates to train all of their employees on federal and state privacy laws. To minimize your risk of sever penalties and fines for violations under HIPAA and relevant Texas privacy law, you and your team must complete specialized HIPAA/Texas privacy law training. Furthermore, proper HB300 and HIPAA training will help you and your employees will also learn how to better protect your patients and clients’ protected health and sensitive personal information. 

Written by Jill Obrochta RHD BS, OSHA & HIPAA Researcher & Trainer of DentalENhancements.com, home of OSHA made EASY™ & HIPAA made EASY™ Compliance Solutions.
Jill can be reached with OSHA or HIPAA Compliance questions at: jill@dentalenhancements.com or 941-587-2864

__________________________________________________________________________________________________

What is Texas H.B. 300?
Oct 15th, 2014

Few things are as private or essential as one's medicinal records. It is not amazing that there are far-reaching government and state enactments securing patient protection. Almost everybody is acquainted with the government Health Insurance Portability and Accountability Act (HIPAA).

Worried that HIPAA did not give enough shields to ensured wellbeing data (PHI), the Texas governing body passed H.B. 300 in 2011. This law contains considerably more stringent regulation than the government plan, and went in action September 1, 2012. Since H.B. 300 has potential consequences for any substance that comes into contact with PHI (counting law offices), it is imperative that both lawyers and customers comprehend and plan for its effect.

"Covered Entities"
H.B. 300 obliges that "covered entities" meet a few new prerequisites in regards to the protection and security of PHI. The current government and Texas laws have diverse meanings of what constitutes a "covered entities." Generally, HIPAA considers medicinal services arrangements and health awareness suppliers to be " covered entities." The Texas definition is more sweeping, characterizing a " covered entities " as any individual, business or association that:

  • engages in the practice of assembling, collecting, analyzing, storing or transmitting PHI;
  • comes into the possession of PHI;
  • obtains or stores PHI; or
  • is an employee, agent, or contractor of a person described in numbers 1-3 above (if they create, receive, obtain, maintain, use or transmit PHI). Tex. Health and Safety Code, §181.001(b)(2).

Hence, numerous organizations and people at present absolved from HIPAA might soon be liable to the prerequisites of H.B. 300. In Texas, it is likely that law offices, record stockpiling and transfer organizations, bookkeeping firms, inspectors, and of course dentist offices may be viewed as "covered entities." Accordingly, every business and association ought to break down its contacts with PHI and comprehend its capability to be a "covered entities" under Texas law. 

New Requirements and Potential Penalties
People and substances dead set to be "covered entities" under H.B. 300 will confront a few new prerequisites, including: new preparing for representatives with respect to PHI; extra patient rights identified with electronic restorative records; and the potential for expanded punishments for resistance.

Representative Training
Under the new Texas law, "covered entities" must give continuous, redid preparing for their representatives with respect to both government and state law identified with the insurance of PHI. The preparation ought to be customized for the worker's obligations and the substance's contacts with PHI. Every new worker must finish the preparation inside 60 days after his or her contract date, and the preparation must be rehashed at any rate once at regular intervals. Prominently, under HIPAA, preparing is just needed inside a sensible measure of time in the wake of contracting and when there are any material changes in protection arrangements. Under both HIPAA and H.B. 300, "covered entities" must keep up records of each representative's preparation participation.

Patient Rights Regarding Electronic Medical Records
As of September 2012, "covered entities" must give patients electronic duplicates of their electronic wellbeing records inside 15 business days of the patient’s composed appeal (under HIPAA, records must be given inside 30 days of a solicitation). Furthermore, the new Texas law requires the Texas Attorney General to create a site that clarifies understanding's security rights under Texas and government law. Additionally contained in H.B. 300 are procurements that preclude the offer of PHI and oblige notice to patients in regards to the electronic divulgence of PHI.

Expanded Penalties
"Covered entities" that wrongfully reveal PHI will face expanded common punishments under H.B. 300, notwithstanding any punishments for damaging government laws. The new Texas law takes into consideration punishments extending from $5,000 to $1.5 million for every year. To focus the punishment sum, H.B. 300 rundowns five elements a court may consider:

1) the reality of the infringement;

2) the substance's consistence history;

3) the dangers of mischief to the patient;

4) the sum important to stop future infringement; and

5) deliberations made to rectify the infringement.

Be H.B. 300 Compliant
This article just gives a flash into a couple of the prerequisites of the new Texas law. Any individual, business or association that may be viewed as a "covered entities" ought to completely examine H.B. 300 to comprehend and plan for the new prerequisites. 

Written by Jill Obrochta RHD BS, OSHA & HIPAA Researcher & Trainer of DentalENhancements.com, home of OSHA made EASY™ & HIPAA made EASY™ Compliance Solutions.
Jill can be reached with OSHA or HIPAA Compliance questions at: jill@dentalenhancements.com or 941-587-2864

Website Builder