February 17, 2020
Briefings on HIPAA

Now that training gaps have been identified, training development can begin. Some topics to consider here are subject matter experts, training delivery method, and the use of outside vendors.

February 10, 2020
Briefings on HIPAA

Education and training are critical components of an effective compliance plan. Training and education serve to set the tone for the compliance program and the ethics of the organization.

February 3, 2020
Briefings on HIPAA

Click on the following links to see all the stories Briefings on HIPAA published in 2019.

January 27, 2020
Briefings on HIPAA

A large HIPAA breach settlement after a hospital system’s alleged failure to follow the feds’ suggested solution is a reminder that when it comes to enforcement, the government is holding all the cards.

January 20, 2020
Briefings on HIPAA

While the Privacy Rule applies to various types of health information, the Security Rule only applies to electronic protected health information (ePHI). The major goal of the Security Rule is to ensure proper safeguards are in place for the storing, maintaining, and transmission of ePHI.

January 1, 2020
Briefings on HIPAA

With 2020 underway, it’s a good time for facilities to review the standards set forth by the rules that define HIPAA regulations. Without a thorough understanding throughout an organization, it can be easy for violations to occur.

December 1, 2019
Briefings on HIPAA

In many companies, the compliance officer is the first to become aware of a potential compliance problem that could lead to civil or criminal liability. A best practice is to give the compliance officer the authority to conduct internal investigations.

December 1, 2019
Briefings on HIPAA

Behavioral health facilities and professionals experience some unique challenges when it comes to handling PHI and patient requests. The following article offers tips for handling those challenges and scenarios to consider.

December 1, 2019
Briefings on HIPAA

The application of attorney-client privilege is somewhat more complicated in situations where the client is a corporation. Although corporations are entitled to the same protection of confidentiality as noncorporate clients, the application of the privilege often turns on which corporate officials and employees sufficiently personify the corporation as a client.

December 1, 2019
Briefings on HIPAA

When voluntary disclosure for overpayments is an option rather than an obligation, the provider may encounter diverse opinions among its decision-makers. Some may express a desire to bring the potential problem to the attention of the government and attempt to resolve the matter quickly without incurring criminal penalties, civil fines, or exclusions.

November 1, 2019
Briefings on HIPAA

Our expert answers questions about patient diagnosis codes, same-sex partners, and privacy screens.

November 1, 2019
Briefings on HIPAA

Working remotely has many benefits for employers and employees. A Stanford study found that working from home boosts employee productivity, which was attributed to taking fewer breaks and sick days and working in quieter, more convenient work environments.

November 1, 2019
Briefings on HIPAA

OCR enforces the HIPAA Privacy, Security, and Breach Notification rules. Failing to properly manage and oversee remote access to and the protection of health information can be costly, as the following three cases demonstrate. 

November 1, 2019
Briefings on HIPAA

In addition to physical and technical safeguards, the HIPAA Security Rule requires covered entities and business associates to implement administrative protections, including workforce training and management.

October 28, 2019
Briefings on HIPAA

Our expert answers HIPAA questions about right to access, file transfer protocol (FTP) servers, and former employees.

October 21, 2019
Briefings on HIPAA

HIPAA-compliance experts discuss the most significant changes that have taken place since January 1, 2010.

October 14, 2019
Briefings on HIPAA

In an interview with Briefings on HIPAA, Tim Noonan, deputy director for the Division of Health Information Privacy at OCR, discussed cybersecurity and trends in reports of unsecured PHI to OCR. This article includes the highlights.

October 7, 2019
Briefings on HIPAA

OCR meant what it said in February of this year about patients’ right of access to their medical records. The HIPAA Privacy and Security Rule enforcer issued its first enforcement action under its “Right of Access Initiative” in September.

September 30, 2019
Briefings on HIPAA

Employees need to know what to do and what not to do when it comes to ensuring protected health information (PHI) remains secure. That’s where TeachPrivacy comes in as an excellent resource for quality staff training.

September 23, 2019
Briefings on HIPAA

Our expert answers HIPAA questions about nurse snooping, BA breach notifications, and NPP placement.

September 16, 2019
Briefings on HIPAA

Many healthcare organizations aren’t doing a great job assessing the HIPAA risks associated with third parties. Some are having a hard time devoting resources. And many are worried that their current manual risk management processes cannot keep pace with cyberthreats.

September 9, 2019
Briefings on HIPAA

Patients are getting emboldened in the digital age and want quicker, more efficient—immediate, really—access to medical records. Further, the government is reinforcing existing regulations and creating new rules around data sharing that require entities to make healthcare records more accessible and deliver records to patients in their desired electronic format. Technology innovation has made this much easier for healthcare facilities to accomplish.

August 1, 2019
Briefings on HIPAA

OCR in 2013, through the Health Information Technology for Economic and Clinical Health (HITECH) Act, issued a final rule identifying provisions of the HIPAA rules that apply directly to business associates (BA) and those provisions for which BAs are directly liable.

August 1, 2019
Briefings on HIPAA

HIPAA training is required by the HIPAA rules, under § 164.530, Administrative requirements. But just because it’s required doesn’t mean it has to be repetitive, boring, or unappealing. There are ways to make your healthcare staff excited about HIPAA training. At the very least, you can do your part to make sure they’re engaged.

August 1, 2019
Briefings on HIPAA

HIPAA security officers arguably have more on their plates now than ever before as the cloud and mobile era are fully upon us and potential cybercriminal access to PHI increases,

August 1, 2019
Briefings on HIPAA

Our expert answers HIPAA questions about out-of-state patients, smartphones, and HIPAA training.

July 29, 2019
Briefings on HIPAA

Our expert answers HIPAA questions about disclosures of entire medical records, accidental records access, and more.

July 29, 2019
Briefings on HIPAA

Consider hiring a CPA firm to conduct Service and Organization Controls audits and penetration testing to assess your security.

July 22, 2019
Briefings on HIPAA

A recent HIPAA breach that involved transmission of PHI to only one party—a reporter—nonetheless cost a Connecticut practice $125,000, in part because the practice didn’t take simple precautions.

July 15, 2019
Briefings on HIPAA

Large-scale data breaches in the healthcare industry show no sign of decreasing. In this mid-year recap, we discuss the largest breach of 2019.

July 8, 2019
Briefings on HIPAA

Blockchain technology solutions have recently become a hot topic in the healthcare industry. Before considering blockchain as a future security solution, it is important to understand what it is, how it could work for medical facilities, and what the risks and benefits are.

June 24, 2019
Briefings on HIPAA

In this month's security Q&A, our expert answers questions on smart devices used in residential care, security incidents vs. security breaches, clinical staff using personal cell phones, and more.

June 17, 2019
Briefings on HIPAA

It can be impractical for medical researchers to seek authorization from all the patients whose medical records are sought for a study. That’s why HIPAA allows researchers to use de-identified PHI from records without individual authorization.

June 10, 2019
Briefings on HIPAA

In June 2018, the state of California passed the California Consumer Privacy Act of 2018 (CaCPA), which has implications for healthcare professionals doing business in California, but with other states proposing similar bills, it’s worth taking a look to see what these privacy laws mean for HIPAA compliance and privacy more broadly.

June 3, 2019
Briefings on HIPAA

HIPAA professionals all work to prevent their facilities from getting fined by OCR for violations of HIPAA’s Privacy, Security, and Breach Notification rules, but you need to stay up to date on what those penalties could be and where OCR stands on enforcement.

May 27, 2019
Briefings on HIPAA

In this month's issue, our expert answers questions on color-coded filing systems, sharing information with overseas providers, coordinating research with hospital employees, and more!  

May 27, 2019
Briefings on HIPAA

In this month's HIPAA Q&A, our expert answers questions on color-coded filing systems, overseas providers, coordinating with research hospitals, and more!

May 20, 2019
Briefings on HIPAA

Not all governance, risk management, and compliance (GRC) solutions are built the same. If you’re in the market for one and are working in the healthcare industry, check out ComplyAssistant.

May 13, 2019
Briefings on HIPAA

Care coordination has been at the heart of recent healthcare redesign efforts, which include integrating primary care with behavioral and mental healthcare, but misunderstandings about how and when HIPAA applies can lead to unnecessary delays and leave organizations vulnerable to compliance risks.

May 6, 2019
Briefings on HIPAA

If a lawyer hits you with a subpoena for a patient’s protected health information, don’t panic—or you may not only violate the patient’s privacy rights under HIPAA, but also be subject to civil action under state law.

April 29, 2019
Briefings on HIPAA

In this month's security Q&A, our expert answers questions on the location of data backups, telehealth services using video conferencing, cloud service providers outside the U.S., and more!

April 22, 2019
Briefings on HIPAA

There are fewer hoops to jump through when another provider requests a practice’s patient records than when an attorney requests them, but the requesting providers don’t have an automatic right to those records, and you can’t just hand them over.

April 15, 2019
Briefings on HIPAA

Once you understand the basics of privacy and disclosure of PHI under HIPAA, strive to keep staff trained. According to Section 164.530 (b) of the Privacy Rule, a covered entity must train all members of their workforce on the policies and procedures with respect to PHI as necessary and appropriate.

April 8, 2019
Briefings on HIPAA

Hospital mergers and acquisitions remain the trend, and many hospital systems and other healthcare organizations cover multiple states, so understanding and keeping track of different state privacy laws can get complicated.

April 1, 2019
Briefings on HIPAA

Gaps in mobile security remain a threat to your protected health information and leave you vulnerable to HIPAA violations, so train and, if necessary, restrain employees to reduce the risk.

March 25, 2019
Briefings on HIPAA

In this month's HIPAA Q&A, our expert answers questions on shared insurance policies, posting thank-you notes in employee-only areas, referrals to Part 2 facilities, and more!

March 18, 2019
Briefings on HIPAA

In this month's Product Watch, we look at a managed service provider (MSP) that offers HIPAA-compliant MSP services, managed security services, disaster recovery sites, and the technical support to help covered entities and business associates breathe easier.

March 11, 2019
Briefings on HIPAA

As telehealth expands and technology improves, there are an increasing number of options for communication between healthcare providers and patients as well as between providers, but such services raise concerns for HIPAA compliance due to the method of transmission and issues of security compliance.

March 4, 2019
Briefings on HIPAA

Patient matching is a concern at every level of patient care, and it can have ramifications for HIPAA compliance as well.

February 25, 2019
Briefings on HIPAA

In this month's HIPAA Q&A, our expert answers questions on medical record requests, health insurance exchanges, fines when there has been no breach of PHI, and mandatory encryption.  

February 18, 2019
Briefings on HIPAA

Not only does your organization need appropriate policies and procedures in place to comply with HIPAA, you also need to make sure that staff members follow those policies and procedures. It’s not an easy task, and each organization has its own way of auditing compliance.

February 11, 2019
Briefings on HIPAA

Keeping your privacy, security, and breach notification policies and procedures up to date is part of HIPAA compliance, and this requires regular audits and monitoring.

February 4, 2019
Briefings on HIPAA

In recent months, OCR has expressed concern that providers and other covered entities may be reluctant to inform and involve the loved ones of individuals facing health crises like opioid use disorder for fear of violating HIPAA. Here, we look at some common misconceptions about privacy under HIPAA and point to the information that patients and families need to know.

January 28, 2019
Briefings on HIPAA

In this month's HIPAA Q&A, we answer your questions about making changes to patient records, the difference between consent and authorization, vaccination data, and more!

January 21, 2019
Briefings on HIPAA

In this month's Product Watch, we look at a phishing and social engineering threat simulator that includes security awareness training intended to mitigate the threat of phishing and the risk of a data breach.

January 14, 2019
Briefings on HIPAA

The healthcare sector is a frequent target of cyberattacks due to the value of PHI, which is the target of financial identity theft and medical identity theft. To safeguard PHI, you need to know the differences among phishing, ransomware, and DoS attacks.

January 7, 2019
Briefings on HIPAA

In December, HHS Office for Civil Rights (OCR) released a request for information seeking input from the public in order to identify provisions of HIPAA that may impede value-based care or limit care coordination among individuals and covered entities, and which do not meaningfully contribute to protecting the privacy and security of protected health information.

December 24, 2018
Briefings on HIPAA

In this month's HIPAA Q&A, we answer your questions about sending unencrypted emails to the right recipient, discussing patients with colleagues, scheduling appointments for spouses, and filing complaints against insurance companies.

December 17, 2018
Briefings on HIPAA

2018 was a year of large settlements and high-volume data breaches. According to OCR’s breach report portal, among the more than 250 reported data breaches under investigation, 14 incidents exposed the PHI of more than 100,000 individuals each.

December 10, 2018
Briefings on HIPAA

The opioid crisis in the U.S. continues to touch on issues of patient rights and privacy. In October, OCR launched an education campaign about civil rights protections that include specific guidelines for covered entities under HIPAA.

December 3, 2018
Briefings on HIPAA

The HHS published its semiannual agenda in October, and some items on the list could mean changes for HIPAA.

November 26, 2018
Briefings on HIPAA

This month's HIPAA Q&A includes answers on destroying paper records, doctors communicating with patients from their phones, copies of subcontractor agreements, and more!

November 26, 2018
Briefings on HIPAA

In this month's Product Watch, we look at a training service that uses modules focused on specific HIPAA requirements such as business associate management, staff involvement in conducting a risk analysis, and mobile device security.

November 19, 2018
Briefings on HIPAA

There is a lot of pressure on hospitals and other healthcare providers to improve the patient experience by utilizing mobile health apps to make it easier to communicate with patients and their families. But with the pros of mobile apps come cons.

November 12, 2018
Briefings on HIPAA

As healthcare becomes more mobile, there are increasing concerns with device security, particularly when physicians and other healthcare professionals use their personal mobile devices to do their work and to communicate with patients.

November 5, 2018
Briefings on HIPAA

Third-party business associates and medical device vendors play a huge role in healthcare, and as healthcare becomes more network-reliant, security for medical devices and third-party vendors is critical.

October 29, 2018
Briefings on HIPAA

This month's Q&A answers readers' questions on collecting payment, contacting physicians, overhearing medical examinations in the emergency department, and discussing the health of adult children.

October 22, 2018
Briefings on HIPAA

HIPAA allows patients to request amendments to their medical records. Facilities are not required to automatically make whatever change a patient requests, but they must allow patients to make the requests and follow a specific process for handling them.

October 15, 2018
Briefings on HIPAA

After two delays, the revisions to the Federal Policy for the Protection of Human Subjects (45 CFR 46), also known as the “Common Rule,” will now go into effect January 21, 2019.

October 8, 2018
Briefings on HIPAA

Millions of medical records are sent to insurance companies every year by hospital and health system business office personnel to expedite claims payment, respond to payer audits, or fulfill other payer denial requests for information. And any time medical records are handled, HIPAA concerns come into play.

October 1, 2018
Briefings on HIPAA

Most covered entities still use mailings to communicate with patients and members, so it is worth revisiting Aetna's 2017 mailing breach and the surrounding litigation to understand where negligence occurred and to take away some valuable lessons learned.

September 24, 2018
Briefings on HIPAA

This month's HIPAA Q&A includes answers on doctor's notes, scheduling appointments, hospital social media, alerting patients via text message, and more!

September 24, 2018
Briefings on HIPAA

In this month's Product Watch, we look at a game-changing texting app. With the available technology, covered entities and business associates would be hard-pressed to justify sending PHI using unsecure texts.

September 17, 2018
Briefings on HIPAA

Although HIPAA laws do not specify any time frame on updating policies and procedures, OCR has expectations. Here are three recent settlements where OCR has included mandates to update policies and procedures. You can apply some of these lessons in your organization.

September 10, 2018
Briefings on HIPAA

Poor policies and procedures related to HIPAA compliance—those that are unfinished in draft form, not updated in years, and basically not followed to the letter—have cost HIPAA covered entities dearly.

September 3, 2018
Briefings on HIPAA

Think software patching and vulnerability detection is just an IT thing? Certainly it starts there.

August 31, 2018
Briefings on HIPAA

This month's Q&A answers readers' questions about identification requirements, out-of-work information disclosure, and PHI and record retention.

August 27, 2018
Briefings on HIPAA

In the digital age of healthcare delivery, the need for appropriate medical device cybersecurity is pervasive. Unenforced password protocols, outdated data storage, unencrypted data, unsecured access to networks—these are just a few examples of distinct vulnerabilities medical devices can have.

August 20, 2018
Briefings on HIPAA

In its May newsletter on workstation security and the HIPAA Security Rule, OCR cited a 2015 settlement with Lahey Hospital and Medical Center in Burlington, Massachusetts, over a breach of PHI involving a laptop used in connection with a CT scanner.

August 13, 2018
Briefings on HIPAA

Workstation and physical security should be a collaborative effort between the privacy officer and security officer in your organization, but someone, regardless of who, should take the lead on physical security issues.

August 6, 2018
Briefings on HIPAA

Most HIPAA covered entities have become steadfast in ensuring their digital environments that house ePHI are safe and secure, but this should not be your organization’s only concern. In its May OCR Cybersecurity Newsletter, OCR encouraged healthcare organizations to not forget about workstation security and physical security when it comes to protecting ePHI.

July 30, 2018
Briefings on HIPAA

Your organization does not have to look far to see how important it is for your business associates (BA) to comply with HIPAA. Take a glance at the OCR website for breaches involving 500 or more patients. BAs are regularly involved in these breaches along with covered entities (CE). However, the bad press almost always goes to the CEs.

July 23, 2018
Briefings on HIPAA

This month's HIPAA Q&A answers readers' questions about doctor's notes for employers, checking a neighbor's medical records, retaining records of out-of-state patients, and training temporary nursing staff.  

July 16, 2018
Briefings on HIPAA

The HIPAA Security Rule requires information systems activity review, but a number of covered entities and business associates have yet to implement a robust security program that includes monitoring audit logs. Per the preamble to the Omnibus Rule, if audit logs are generated and you’re not looking at them periodically, that could be considered willful neglect.

July 9, 2018
Briefings on HIPAA

Protecting your patients’ PHI does not mean just having a breach prevention plan in place and a strong risk analysis program. It’s also about preparing a breach contingency plan, because in today’s world it’s almost inevitable that you’ll experience a breach.

July 2, 2018
Briefings on HIPAA

A legislative effort is underway to align some of the provisions of 42 CFR Part 2—the privacy regulation that governs the use and disclosure of substance use disorder information maintained by programs known as “Part 2” programs—with HIPAA.

June 25, 2018
Briefings on HIPAA

Use these key takeaways from the recent Ponemon study on security risks to boost your organization's security.

June 18, 2018
Briefings on HIPAA

This month's Q&A answers readers' questions about using PHI for healthcare operations, text message encryption, and more.

June 11, 2018
Briefings on HIPAA

Semantics often gets in the way when it comes to HIPAA Security Rule requirements—and the results can be costly mistakes for your organization in terms of wasted resources, not to mention not satisfying OCR. It’s time for your organization to get a grip on what exact security measures it’s performing.

June 4, 2018
Briefings on HIPAA

If your healthcare organization thinks distributing a Notice of Privacy Practices (NPP) form, ensuring patients acknowledge receiving it, and maintaining those acknowledgments is a burden, the government may agree with you.

May 28, 2018
Briefings on HIPAA

If you’re generating audit logs, you must regularly review them. SPHER is a cost-effective software-as-a-service tool that automates the review of the multitude of audit logs your EHR generates and can help you discover potential security incidents and avoid unpleasant surprises.

May 28, 2018
Briefings on HIPAA

This month's HIPAA Q&A answers readers' questions about sharing information, reporting errors in electronic systems, and minimum necessary.

May 21, 2018
Briefings on HIPAA

HIPAA says staff should only access the minimum necessary amount of information to do their jobs. But defining roles, access, and minimum necessary can quickly become a complicated exercise in frustration. Use this tool to help your organization form a practical minimum necessary policy.

May 14, 2018
Briefings on HIPAA

Employers take note: In-demand health IT professionals are more interested in job satisfaction and professional growth than in longevity with an organization. Although compensation and benefits packages are important, a positive work culture, the opportunity to do meaningful work, and the potential for career advancement make a big impact on current and prospective health IT staff.

May 7, 2018
Briefings on HIPAA

When it comes to security patch management, the more you plan, the less likely it is that something will go wrong, and you'll be better prepared for anything unexpected that does happen. Take a look at some successful patch management strategies to learn how to keep your organization secured against hackers and software failure.

April 30, 2018
Briefings on HIPAA

This month's HIPAA privacy and security tips. 

April 23, 2018
Briefings on HIPAA

The 2009 HITECH Act created the breach reporting rule. The following will summarize the rule, paying specific attention to the modifications that were detailed in the Omnibus Rule of January 23, 2013.

April 16, 2018
Briefings on HIPAA

This month's HIPAA Q&A answers readers' questions about recycling electronic devices and scheduling appointments for family members. 

April 9, 2018
Briefings on HIPAA

When it comes to patients’ PHI, every little detail matters. Whether it’s the alignment of a preprinted mailer or installing antivirus software on your system, these details can make the difference in your health system’s security. Below are four recent security incidents that run the gamut in terms of technology involved, but all of which made the OCR breach report.

April 2, 2018
Briefings on HIPAA

There were two buzz phrases in the air at the 2018 Healthcare Information Management Systems Society Health IT Conference (HIMSS18): artificial intelligence and machine learning. While these initiatives have great potential in terms of analytics, the data can be difficult to interpret.