Between 2019 and 2023, large breaches stemming from hacking and IT incidents, including social engineering, increased by 89%. This underscores that cybersecurity is not just a technological challenge but also a human one—in fact, 68% of breaches examined by Verizon in a 2022–2023 data set involved attacks on people rather than technical vulnerabilities.
Ransomware threats in healthcare are growing. For instance, just look at three settlements from the Office for Civil Rights (OCR) occurring this past October. These enforcements mark the OCR's fifth, sixth, and seventh actions related to ransomware, and underscore the vital importance of proper cybersecurity safeguards.
Our goal at HCPro is to provide revenue cycle professionals like you with the most up-to-date information on changes that affect your organization. After reviewing our product line, we decided to make changes to the Revenue Cycle Advisor. The December 2024 issue of Briefings on HIPAA will be the last one as we sunset this publication to create an offer that focuses on Medicare regulations that affect your entire revenue cycle. For questions about your Revenue Cycle Advisor subscription, please contact customer service at 800-650-6787.
On September 26, the Office for Civil Rights announced a $250,000 settlement with Cascade Eye and Skin Centers, P.C., following a ransomware attack that exposed approximately 291,000 files containing electronic protected health information. We sat down for a Q&A with Jonathan Steele, a cybersecurity consultant at Steele Fortress and practicing attorney at Beerman Law, who shares key lessons learned from the Cascade Eye and Skin Centers breach.
It’s November (where did the time go?), but HIPAA is still HIPAA. So, we thought it might be a good time to dial it back and recall some of the basics. Here are some tips and tricks we’ve compiled for you as we approach 2025.
In its August 2024 OCR Cybersecurity Newsletter, HHS talked about the importance of facility access controls. Here’s a breakdown of the newsletter followed by a Q&A with a cybersecurity expert.
We've compiled the most popular questions and answers from the past year in the area of HIPAA compliance and healthcare data security. Below are the top five questions and answers, featuring insights from experts Rebecca Herold, CDPSE, FIP, CISSP, CIPM, CIPP/US, CIPT, CISM, CISA, FLMI, CEO of Privacy & Security Brainiacs SaaS services, and Julia Huddleston, CIPP/US, CIPM, CCSFP, a principal from Apgar & Associates.
The Office for Civil Rights recently reached a $950,000 settlement with Heritage Valley Health System, Inc. for potential violations of the HIPAA Security Rule, following an OCR investigation after the health system experienced a ransomware attack in 2017. Learn what steps your organization can take to avoid violations of the HIPAA Security Rule and protect your electronic PHI.
Cyberattacks, as you might expect, aren’t going away. Paige Hanson, cofounder and head of communications and partnerships at SecureLabs Inc., summarizes the current landscape of cyberattacks and their impact on HIPAA compliance efforts.
Despite the number of security incidents that have occurred over the past few years—including cybersecurity breaches, phishing attacks, and malware—access to records still remains one of the top five complaints in HIPAA compliance.
Cybersecurity has dominated headlines recently with a series of significant breaches highlighting the vulnerabilities within the U.S. healthcare sector.
The 42 CFR Part 2 final rule brings substantial changes for HIPAA privacy compliance leaders, notably aligning the confidentiality of substance use disorder patient records with HIPAA standards.
The National Institute of Standards and Technology's (NIST) updated publication provides practical guidance and resources that can be used to help safeguard health information and better understand the security concepts discussed in the HIPAA Security Rule.
The Office for Civil Rights (OCR) recently issued updated guidance regarding the use of online tracking technologies, which is especially relevant due to the widespread adoption of these technologies across various digital platforms, including websites and mobile apps.
Providers have seen a 107% increase from 2018 to 2022 in reported breaches involving more than 500 people. This indicates a growing challenge in maintaining compliance and securing patient information, emphasizing the need for enhanced security measures and vigilance.
In a significant development underscoring the growing threat of cyberattacks in the healthcare sector, the Office for Civil Rights recently announced a settlement concerning a ransomware attack that compromised the protected health information of over 14,000 individuals.
A January report unveiled a staggering data leak dubbed the “Mother of All Breaches”, which encompassed data from numerous previous breaches, totaling approximately 12 terabytes and over 26 billion records.
OCR recently announced a significant settlement with a medical group that represents the first resolution of an investigation into a phishing cyberattack under HIPAA.
The Cybersecurity and Infrastructure Security Agency toolkit provides resources, training, and information to help organizations build a strong cybersecurity foundation and advance their defenses against threats.
The Office for Civil Rights has issued guidance on media access to protected health information that can serve as a resource to providers and patients.
A recently published government guide outlines defensive strategies, recommendations, and best practices to combat pervasive cyberthreats affecting critical infrastructure. It also identifies known vulnerabilities that providers can assess their networks for, thereby minimizing risks before intrusions occur.
HIPAA security compliance leaders should ensure that their organization’s sanction policies are well documented, transparent, understood by all workforce members, and applied consistently to reinforce a robust HIPAA compliance program.
The Office for Civil Rights recently issued two resources to help explain to patients the privacy and security risks associated with telehealth services, as related to personal health information.
HHS released two reports recently that provide in-depth insights and compliance tips to help healthcare covered entities contend with cybersecurity threats.
Healthcare covered entities continue to have trouble getting patients their medical records. Since 2019, when the Office for Civil Rights began its Right of Access initiative, the HIPAA privacy and security enforcer has settled 45 cases related to patient requests for medical records.
A recent settlement between the Office for Civil Rights and UnitedHealthcare serves as a stark reminder of the importance of HIPAA compliance and the right of patients to access their medical records in a timely manner.
Robust authentication processes are often the first line of defense against cyberthreats. A recent Office for Civil Rights Cybersecurity newsletter emphasizes the importance of strong authentication in safeguarding electronic protected health information (ePHI).
Government regulators that enforce HIPAA privacy and security compliance are doubling down this year on risk analysis and risk management as a primary avenue to safeguard protected health information.
In an era where digital transformation is reshaping industries, healthcare finds itself at the crossroads of innovation and privacy. Telehealth, a symbol of this transformation, promises unparalleled convenience and accessibility. Yet it also brings forth a myriad of challenges, especially concerning the protection of patient data.
Every click, swipe, and keystroke can lead to a breach in today’s digital healthcare landscape. Robust data protection procedures have never been more critical.
The conclusion of the COVID-19 public health emergency has led to the termination of the Office for Civil Rights’ relaxed enforcement and providers are in the midst of a 90-day transition period back to full compliance with the HIPAA rules for telehealth.
In this article, we will dissect the latest significant breach reported by the Office of Civil Rights. It involved MedEvolve Inc. and resulted in a $350,000 fine. We’ll explore the potential preventive strategies that healthcare entities can implement.
Learn which rules and regulations are changing as providers navigate the post-COVID-19 public health emergency transition period to full OCR compliance with HIPAA telehealth rules.
As the adoption of digital technologies, such as telehealth and electronic health records, increases, organizations face evolving cybersecurity threats that have the potential to compromise patient data and disrupt healthcare operations.
The Office for Civil Rights (OCR) reached another resolution in January during its ongoing effort to ensure the comprehensive enforcement of the HIPAA Privacy Rule’s right of access provision.
In this article, we continue our examination of HHS’ reports to Congress regarding HIPAA compliance and data from 2021, specifically focusing on the HIPAA Privacy, Security, and Breach Notification Rule Compliance report released in February.
In February, HHS published two reports covering HIPAA privacy and security compliance and breaches of protected health information to help HIPAA compliance privacy and security professionals better conduct their roles.
This month, we’ve compiled some questions for HIPAA security and privacy officers to consider when trying to strengthen compliance in their organizations.
OCR released its “Improving Cybersecurity Posture in Healthcare for 2022” news bulletin last February, noting that healthcare organizations are prime targets for cyberattacks due to the sensitive nature of the data they hold.
The Office for Civil Rights (OCR) has announced two resolutions for potential HIPAA violations two months into 2023. These resolutions fall at opposite ends of the HIPAA compliance spectrum—cybersecurity and medical record access. Each is focused on the goal of protecting patient privacy.
The Office for Civil Rights finished 2022 with some enforcement action relating to the HIPAA Security and Privacy Rule enforcer’s Right of Access Initiative.
When it comes to HIPAA compliance, there’s always something new to learn. In 2022, Paubox, a security provider, reported more than 3 million people were affected by breaches involving electronic medical records.
The Office for Civil Rights (OCR) has had a busy fall putting out guidance and proposing rule changes in some crucial areas of HIPAA compliance. Here’s a breakdown of some of its current operations.
In September, the Office for Civil Rights (OCR) released its fall 2022 data for enforcement. Covered entities (CE) and business associates (BA) can review this data to determine areas that most commonly trigger enforcement on behalf of the government’s regulator for the HIPAA Privacy and Security rules.
Those in charge of overseeing HIPAA compliance at their healthcare organizations need to have a firm understanding of privacy laws outside of the healthcare arena.
The Office for Civil Rights (OCR) issued guidance on audio-only telehealth in June. This guidance provides helpful tips on how covered entities (CE) can use remote communication technologies to provide audio-only telehealth services in a manner consistent with HIPAA requirements.
Now that the fourth quarter has arrived, things are winding down for 2022. This is a good time to reflect on the past year of HIPAA compliance and prepare for 2023. Here is a roundup of HIPAA topics and some actionable tips for compliance.
In early June, Congress released a bipartisan draft bill called the American Data Privacy and Protection Act. The goal of this bill is to create a regulation that organizations in any industry would need to comply with. On the surface, this sounds great, but in reality, it is unrealistic.
In August, the Office for Civil Rights (OCR) announced a settlement with New England Dermatology P.C., known as New England Dermatology and Laser Center, over the improper disposal of PHI, which is a potential HIPAA Privacy Rule violation.
Starting on October 6, the definition of electronic health information (EHI) will include “the entire scope of the EHI definition [i.e., ePHI that is or would be in a Designated Record Set (DRS)].”
The 21st Century Cures Act fundamentally changes how patients can interact with their health information — and October 6 is a significant milestone for these changes.
The Office for Civil Rights (OCR) recently announced version 3.3 of the HHS Security Risk Assessment Tool. According to OCR officials, this tool is designed to aid small and medium-sized healthcare organizations in their efforts to assess security risks.
It may be summer, but there is no vacation when it comes to HIPAA privacy and security. In fact, OCR was extremely busy and active with enforcement in July.
In June, the Supreme Court overturned Roe v. Wade, the decades-old decision on abortion rights, and the ruling was enough to have OCR weigh in with some guidance on privacy regulations. OCR issued guidance June 29 to protect patient privacy in the wake of the decision.
The growing number of cybersecurity threats is a significant concern, driving the need for enhanced safeguards of electronic protected health information, according to the Office for Civil Rights.
To better prepare for the rest of the year, here are some topical privacy and security compliance tips and reminders as we surge toward a strong second half of 2022.
Jay Hodes, president of HIPAA compliance company Colington Consulting in Burke, Virginia, sees eight specific challenges organizations face when trying to comply with HIPAA regulations.
OCR released a report on audits it conducted. It found that most CEs failed to meet the requirements for selected provisions in the audit. One of the first steps to improving is learning more about audits and assessments, which are trouble spots for entities.
As part of our continuing series, BOH caught up with Rebecca Herold, CDPSE, FIP, CISSP, CIPM, CIPP/US, CIPT, CISM, CISA, FLMI, to ask the privacy expert HIPAA compliance questions.
Martin Fisher has been the director of information security and chief information security officer for Atlanta-based Northside Hospital for more than eight years. He discusses what’s top of mind in his role and what challenges lie ahead.
Dave Bailey, CISSP, knows firsthand what challenges arise daily for healthcare security officials. He explains what is on the minds of CIOs/CISOs and the security lessons learned from the COVID-19 pandemic.