Q: We recently took a survey and many of our employees admitted to saving their passwords in a Word® document or a Notes® file on their phone. Is this riskier than having passwords written down on paper and stored in a safe place at work or home? How can we discourage employees from writing down their passwords anywhere?
HHS and the Substance Abuse and Mental Health Services Administration (SAMHSA) finalized the 42 CFR Part 2 Revised Rule in July, implementing updated regulations governing the confidentiality of patient records for the treatment of substance use disorders (SUD).
As hospitals and health systems continue to learn about the growing number of security threats and their consequences, the role of the chief information security officer (CISO) has become more significant.
Q: Many organizations have outsourced their PHI disposal for years. With coronavirus limiting the number of people coming in and out of medical facilities, what are your suggestions for organizations that now have to take care of PHI disposal themselves? What are the most important things to remember when handling this process?
The novel coronavirus (COVID-19) pandemic upended the U.S. healthcare system in innumerable ways. Experts believe the new post-COVID-19 normal will not be exactly the same as it was pre-pandemic. For one, telehealth is here to stay.
An organization’s privacy and security policies are only as effective as its training. All the right work can be done at the top level, but if the messages are not clearly disseminated to staff, an organization can find itself in a difficult position.
As the healthcare industry continues to transition from face-to-face appointments to telehealth during the novel coronavirus (COVID-19) pandemic, reports of video conference hijacking are emerging nationwide.
When the severity of the novel coronavirus (COVID-19) became apparent in March, employers across the country sent their workers home. Nonclinical employees of healthcare organizations were among those who were forced to create a new office space in the living room or kitchen.
Healthcare organizations can discover breaches in a variety of ways. Unfortunately, some organizations may not be aware that they have been breached until an outside party contacts them with the two dreaded words: dark web.
Q: Many media organizations are filming outside the premises or sometimes even in the hospital. When they interview hospital leaders and health officials, this can be done with things happening in the background. How can hospitals prevent accidental disclosures—a patient’s face showing up in the background during an interview, for example? What should the rules be for media looking to film at the facility?
As soon as the novel coronavirus (COVID-19) entered the United States, reports began to surface detailing an increased rate of cyberattacks against healthcare entities. That trend is unlikely to change anytime soon.
Q: Like other hospitals, we have had many patients transported via ambulance with COVID-19 symptoms. Once these patients are tested for the virus, are we permitted under HIPAA to disclose their test results to the first responders who treated them and brought them to the hospital? Should the first responders be made aware when they have interacted with a patient who has tested positive?
Q: I understand that disclosures of PHI can be made to law enforcement without patient authorization when the patient is suspected of committing a crime. What disclosures are permitted when law enforcement officials are investigating another person of a crime and a patient’s PHI may or may not provide evidence?
Hospitals, health systems, and long-term care facilities are being challenged by census workers requesting information about patients and residents to conduct an accurate census. Some have gone as far as stating that they have a right to access hospital electronic health records (EHR).
As employers prepare for possible impacts of the Coronavirus (COVID-19), one important step is to review the types of health disclosures that the Health Insurance Portability and Accountability Act (HIPAA) does and does not allow in such times of crisis.
Healthcare facilities across the world are faced with myriad challenges as they aim to diagnose and treat cases of COVID-19. HHS and the Office for Civil Rights (OCR) have instituted several changes during the nationwide public health emergency, some of which modify HIPAA laws and directly impact healthcare organizations around the country.
Q: HHS recently issued a notice that fee limitations will apply only to an individual’s request for access to their own records and not to an individual’s request to transmit records to a third party. Will limitations imposed by state law now apply?
As the novel coronavirus remains a threat across the globe, healthcare organizations should brush up on procedures for handling and sharing protected health information (PHI) during the outbreak of an infectious disease.
Front-office staff in facilities can see frequent turnover, requiring frequent training in order to keep them up to date. Use the following information to ensure staff is prepared for handling PHI and responding to patient requests.
A large HIPAA breach settlement after a hospital system’s alleged failure to follow the feds’ suggested solution is a reminder that when it comes to enforcement, the government is holding all the cards.
While the Privacy Rule applies to various types of health information, the Security Rule only applies to electronic protected health information (ePHI). The major goal of the Security Rule is to ensure proper safeguards are in place for the storage, maintenance, and transmission of ePHI.
With 2020 underway, it’s a good time for facilities to review the standards set forth by the rules that define HIPAA regulations. Without a thorough understanding throughout an organization, it can be easy for violations to occur.
Behavioral health facilities and professionals experience some unique challenges when it comes to handling PHI and patient requests. The following article offers tips for handling those challenges and scenarios to consider.
When voluntary disclosure for overpayments is an option rather than an obligation, the provider may encounter diverse opinions among its decision-makers. Some may express a desire to bring the potential problem to the attention of the government and attempt to resolve the matter quickly without incurring criminal penalties, civil fines, or exclusions.
The application of attorney-client privilege is somewhat more complicated in situations where the client is a corporation. Although corporations are entitled to the same protection of confidentiality as noncorporate clients, the application of the privilege often turns on which corporate officials and employees sufficiently personify the corporation as a client.
In many companies, the compliance officer is the first to become aware of a potential compliance problem that could lead to civil or criminal liability. A best practice is to give the compliance officer the authority to conduct internal investigations.
OCR enforces the HIPAA Privacy, Security, and Breach Notification rules. Failing to properly manage and oversee remote access to and the protection of health information can be costly, as the following three cases demonstrate.
In addition to physical and technical safeguards, the HIPAA Security Rule requires covered entities and business associates to implement administrative protections, including workforce training and management.
Working remotely has many benefits for employers and employees. A Stanford study found that working from home boosts employee productivity, which was attributed to taking fewer breaks and sick days and working in quieter, more convenient work environments.
In an interview with Briefings on HIPAA, Tim Noonan, deputy director for the Division of Health Information Privacy at OCR, discussed cybersecurity and trends in reports of unsecured PHI to OCR. This article includes the highlights.
OCR meant what it said in February of this year about patients’ right of access to their medical records. The HIPAA Privacy and Security Rule enforcer issued its first enforcement action under its “Right of Access Initiative” in September.
Employees need to know what to do and what not to do when it comes to ensuring protected health information (PHI) remains secure. That’s where TeachPrivacy comes in as an excellent resource for quality staff training.
Many healthcare organizations aren’t doing a great job assessing the HIPAA risks associated with third parties. Some are having a hard time devoting resources. And many are worried that their current manual risk management processes cannot keep pace with cyberthreats.
Patients are getting emboldened in the digital age and want quicker, more efficient—immediate, really—access to medical records. Further, the government is reinforcing existing regulations and creating new rules around data sharing that require entities to make healthcare records more accessible and deliver records to patients in their desired electronic format. Technology innovation has made this much easier for healthcare facilities to accomplish.
OCR in 2013, through the Health Information Technology for Economic and Clinical Health (HITECH) Act, issued a final rule identifying provisions of the HIPAA rules that apply directly to business associates (BA) and those provisions for which BAs are directly liable.
HIPAA training is required by the HIPAA rules, under § 164.530, Administrative requirements. But just because it’s required doesn’t mean it has to be repetitive, boring, or unappealing. There are ways to make your healthcare staff excited about HIPAA training. At the very least, you can do your part to make sure they’re engaged.
Blockchain technology solutions have recently become a hot topic in the healthcare industry. Before considering blockchain as a future security solution, it is important to understand what it is, how it could work for medical facilities, and what the risks and benefits are.
It can be impractical for medical researchers to seek authorization from all the patients whose medical records are sought for a study. That’s why HIPAA allows researchers to use de-identified PHI from records without individual authorization.
In June 2018, the state of California passed the California Consumer Privacy Act of 2018 (CaCPA), which has implications for healthcare professionals doing business in California, but with other states proposing similar bills, it’s worth taking a look to see what these privacy laws mean for HIPAA compliance and privacy more broadly.
HIPAA professionals all work to prevent their facilities from getting fined by OCR for violations of HIPAA’s Privacy, Security, and Breach Notification rules, but you need to stay up to date on what those penalties could be and where OCR stands on enforcement.
Care coordination has been at the heart of recent healthcare redesign efforts, which includes integrating primary care with behavioral and mental healthcare, but misunderstandings about how and when HIPAA applies can lead to unnecessary delays and leave organizations vulnerable to compliance risks.
If a lawyer hits you with a subpoena for a patient’s protected health information, don’t panic—or you may not only violate the patient’s privacy rights under HIPAA, but also be subject to civil action under state law.
There are fewer hoops to jump through when another provider requests a practice’s patient records than when an attorney requests them, but the requesting providers don’t have an automatic right to those records, and you can’t just hand them over.
Once you understand the basics of privacy and disclosure of PHI under HIPAA, strive to keep staff trained. According to Section 164.530(b) of the Privacy Rule, a covered entity must train all members of its workforce on the policies and procedures with respect to PHI as necessary and appropriate.
Hospital mergers and acquisitions remain the trend, and many hospital systems and other healthcare organizations cover multiple states, so understanding and keeping track of different state privacy laws can get complicated.
In this month's Product Watch, we look at a managed service provider (MSP) that offers HIPAA-compliant MSP services, managed security services, disaster recovery sites, and the technical support to help covered entities and business associates breathe easier.
As telehealth expands and technology improves, there are an increasing number of options for communication between healthcare providers and patients as well as between providers, but such services raise concerns for HIPAA compliance due to the method of transmission and issues of security compliance.
Not only does your organization need appropriate policies and procedures in place to comply with HIPAA, you also need to make sure that staff members follow those policies and procedures. It’s not an easy task, and each organization has its own way of auditing compliance.
In recent months, OCR has expressed concern that providers and other covered entities may be reluctant to inform and involve the loved ones of individuals facing health crises like opioid use disorder for fear of violating HIPAA. Here, we look at some common misconceptions about privacy under HIPAA and point to the information that patients and families need to know.
In this month's Product Watch, we look at a phishing and social engineering threat simulator that includes security awareness training intended to mitigate the threat of phishing and the risk of a data breach.
The healthcare sector is a frequent target of cyberattacks due to the value of PHI, which is the target of financial identity theft and medical identity theft. To safeguard PHI, you need to know the differences among phishing, ransomware, and DoS attacks.
In December, HHS Office for Civil Rights (OCR) released a request for information seeking input from the public in order to identify provisions of HIPAA that may impede value-based care or limit care coordination among individuals and covered entities, and which do not meaningfully contribute to protecting the privacy and security of protected health information.
In this month's HIPAA Q&A, we answer your questions about sending unencrypted emails to the right recipient, discussing patients with colleagues, scheduling appointments for spouses, and filing complaints against insurance companies.
2018 was a year of large settlements and high-volume data breaches. According to OCR’s breach report portal, among the more than 250 reported data breaches under investigation, 14 incidents exposed the PHI of more than 100,000 individuals each.
The opioid crisis in the U.S. continues to touch on issues of patient rights and privacy. In October, OCR launched an education campaign about civil rights protections that include specific guidelines for covered entities under HIPAA.
In this month's Product Watch, we look at a training service that uses modules focused on specific HIPAA requirements such as business associate management, staff involvement in conducting a risk analysis, and mobile device security.
There is a lot of pressure on hospitals and other healthcare providers to improve the patient experience by utilizing mobile health apps to make it easier to communicate with patients and their families. But with the pros of mobile apps come cons.
As healthcare becomes more mobile, there are increasing concerns with device security, particularly when physicians and other healthcare professionals use their personal mobile devices to do their work and to communicate with patients.
Third-party business associates and medical device vendors play a huge role in healthcare, and as healthcare becomes more network-reliant, security for medical devices and third-party vendors is critical.
HIPAA allows patients to request amendments to their medical records. Facilities are not required to automatically make whatever change a patient requests, but they must allow patients to make the requests and follow a specific process for handling them.
Millions of medical records are sent to insurance companies every year by hospital and health system business office personnel to expedite claims payment, respond to payer audits, or fulfill other payer denial requests for information. And any time medical records are handled, HIPAA concerns come into play.