A large HIPAA breach settlement after a hospital system’s alleged failure to follow the feds’ suggested solution is a reminder that when it comes to enforcement, the government is holding all the cards.
While the Privacy Rule applies to various types of health information, the Security Rule only applies to electronic protected health information (ePHI). The major goal of the Security Rule is to ensure proper safeguards are in place for the storing, maintaining, and transmission of ePHI.
With 2020 underway, it’s a good time for facilities to review the standards set forth by the rules that define HIPAA regulations. Without a thorough understanding throughout an organization, it can be easy for violations to occur.
In many companies, the compliance officer is the first to become aware of a potential compliance problem that could lead to civil or criminal liability. A best practice is to give the compliance officer the authority to conduct internal investigations.
Behavioral health facilities and professionals experience some unique challenges when it comes to handling PHI and patient requests. The following article offers tips for handling those challenges and scenarios to consider.
The application of attorney-client privilege is somewhat more complicated in situations where the client is a corporation. Although corporations are entitled to the same protection of confidentiality as noncorporate clients, the application of the privilege often turns on which corporate officials and employees sufficiently personify the corporation as a client.
When voluntary disclosure for overpayments is an option rather than an obligation, the provider may encounter diverse opinions among its decision-makers. Some may express a desire to bring the potential problem to the attention of the government and attempt to resolve the matter quickly without incurring criminal penalties, civil fines, or exclusions.
Working remotely has many benefits for employers and employees. A Stanford study found that working from home boosts employee productivity, which was attributed to taking fewer breaks and sick days and working in quieter, more convenient work environments.
OCR enforces the HIPAA Privacy, Security, and Breach Notification rules. Failing to properly manage and oversee remote access to and the protection of health information can be costly, as the following three cases demonstrate.
In addition to physical and technical safeguards, the HIPAA Security Rule requires covered entities and business associates to implement administrative protections, including workforce training and management.
In an interview with Briefings on HIPAA, Tim Noonan, deputy director for the Division of Health Information Privacy at OCR, discussed cybersecurity and trends in reports of unsecured PHI to OCR. This article includes the highlights.
OCR meant what it said in February of this year about patients’ right of access to their medical records. The HIPAA Privacy and Security Rule enforcer issued its first enforcement action under its “Right of Access Initiative” in September.
Employees need to know what to do and what not to do when it comes to ensuring protected health information (PHI) remains secure. That’s where TeachPrivacy comes in as an excellent resource for quality staff training.
Many healthcare organizations aren’t doing a great job assessing the HIPAA risks associated with third parties. Some are having a hard time devoting resources. And many are worried that their current manual risk management processes cannot keep pace with cyberthreats.
Patients are getting emboldened in the digital age and want quicker, more efficient—immediate, really—access to medical records. Further, the government is reinforcing existing regulations and creating new rules around data sharing that require entities to make healthcare records more accessible and deliver records to patients in their desired electronic format. Technology innovation has made this much easier for healthcare facilities to accomplish.
OCR in 2013, through the Health Information Technology for Economic and Clinical Health (HITECH) Act, issued a final rule identifying provisions of the HIPAA rules that apply directly to business associates (BA) and those provisions for which BAs are directly liable.
HIPAA training is required by the HIPAA rules, under § 164.530, Administrative requirements. But just because it’s required doesn’t mean it has to be repetitive, boring, or unappealing. There are ways to make your healthcare staff excited about HIPAA training. At the very least, you can do your part to make sure they’re engaged.
Blockchain technology solutions have recently become a hot topic in the healthcare industry. Before considering blockchain as a future security solution, it is important to understand what it is, how it could work for medical facilities, and what the risks and benefits are.
It can be impractical for medical researchers to seek authorization from all the patients whose medical records are sought for a study. That’s why HIPAA allows researchers to use de-identified PHI from records without individual authorization.
In June 2018, the state of California passed the California Consumer Privacy Act of 2018 (CaCPA), which has implications for healthcare professionals doing business in California, but with other states proposing similar bills, it’s worth taking a look to see what these privacy laws mean for HIPAA compliance and privacy more broadly.
HIPAA professionals all work to prevent their facilities from getting fined by OCR for violations of HIPAA’s Privacy, Security, and Breach Notification rules, but you need to stay up to date on what those penalties could be and where OCR stands on enforcement.
Care coordination has been at the heart of recent healthcare redesign efforts, which includes integrating primary care with behavioral and mental healthcare, but misunderstandings about how and when HIPAA applies can lead to unnecessary delays and leave organizations vulnerable to compliance risks.
If a lawyer hits you with a subpoena for a patient’s protected health information, don’t panic—or you may not only violate the patient’s privacy rights under HIPAA, but also be subject to civil action under state law.
There are fewer hoops to jump through when another provider requests a practice’s patient records than when an attorney requests them, but the requesting providers don’t have an automatic right to those records, and you can’t just hand them over.
Once you understand the basics of privacy and disclosure of PHI under HIPAA, strive to keep staff trained. According to Section 164.530(b) of the Privacy Rule, a covered entity must train all members of its workforce on the policies and procedures with respect to PHI as necessary and appropriate.
Hospital mergers and acquisitions remain the trend, and many hospital systems and other healthcare organizations cover multiple states, so understanding and keeping track of different state privacy laws can get complicated.
In this month's Product Watch, we look at a managed service provider (MSP) that offers HIPAA-compliant MSP services, managed security services, disaster recovery sites, and the technical support to help covered entities and business associates breathe easier.
As telehealth expands and technology improves, there are an increasing number of options for communication between healthcare providers and patients as well as between providers, but such services raise concerns for HIPAA compliance due to the method of transmission and issues of security compliance.
Not only does your organization need appropriate policies and procedures in place to comply with HIPAA, you also need to make sure that staff members follow those policies and procedures. It’s not an easy task, and each organization has its own way of auditing compliance.
In recent months, OCR has expressed concern that providers and other covered entities may be reluctant to inform and involve the loved ones of individuals facing health crises like opioid use disorder for fear of violating HIPAA. Here, we look at some common misconceptions about privacy under HIPAA and point to the information that patients and families need to know.
In this month's Product Watch, we look at a phishing and social engineering threat simulator that includes security awareness training intended to mitigate the threat of phishing and the risk of a data breach.
The healthcare sector is a frequent target of cyberattacks due to the value of PHI, which is the target of financial identity theft and medical identity theft. To safeguard PHI, you need to know the differences among phishing, ransomware, and DoS attacks.
In December, HHS Office for Civil Rights (OCR) released a request for information seeking input from the public in order to identify provisions of HIPAA that may impede value-based care or limit care coordination among individuals and covered entities, and which do not meaningfully contribute to protecting the privacy and security of protected health information.
In this month's HIPAA Q&A, we answer your questions about sending unencrypted emails to the right recipient, discussing patients with colleagues, scheduling appointments for spouses, and filing complaints against insurance companies.
2018 was a year of large settlements and high-volume data breaches. According to OCR’s breach report portal, among the more than 250 reported data breaches under investigation, 14 incidents exposed the PHI of more than 100,000 individuals each.
The opioid crisis in the U.S. continues to touch on issues of patient rights and privacy. In October, OCR launched an education campaign about civil rights protections that include specific guidelines for covered entities under HIPAA.
In this month's Product Watch, we look at a training service that uses modules focused on specific HIPAA requirements such as business associate management, staff involvement in conducting a risk analysis, and mobile device security.
There is a lot of pressure on hospitals and other healthcare providers to improve the patient experience by utilizing mobile health apps to make it easier to communicate with patients and their families. But with the pros of mobile apps come cons.
As healthcare becomes more mobile, there are increasing concerns with device security, particularly when physicians and other healthcare professionals use their personal mobile devices to do their work and to communicate with patients.
Third-party business associates and medical device vendors play a huge role in healthcare, and as healthcare becomes more network-reliant, security for medical devices and third-party vendors is critical.
HIPAA allows patients to request amendments to their medical records. Facilities are not required to automatically make whatever change a patient requests, but they must allow patients to make the requests and follow a specific process for handling them.
Millions of medical records are sent to insurance companies every year by hospital and health system business office personnel to expedite claims payment, respond to payer audits, or fulfill other payer denial requests for information. And any time medical records are handled, HIPAA concerns come into play.
Most covered entities still use mailings to communicate with patients and members, so it is worth revisiting Aetna's 2017 mailing breach and the surrounding litigation to understand where negligence occurred and to take away some valuable lessons learned.
In this month's Product Watch, we look at a game-changing texting app. With the available technology, covered entities and business associates would be hard-pressed to justify sending PHI using unsecure texts.
Although HIPAA laws do not specify any time frame on updating policies and procedures, OCR has expectations. Here are three recent settlements where OCR has included mandates to update policies and procedures. You can apply some of these lessons in your organization.
Poor policies and procedures related to HIPAA compliance—those that are unfinished in draft form, not updated in years, and basically not followed to the letter—have cost HIPAA covered entities dearly.
In the digital age of healthcare delivery, the need for appropriate medical device cybersecurity is pervasive. Unenforced password protocols, outdated data storage, unencrypted data, unsecured access to networks—these are just a few examples of distinct vulnerabilities medical devices can have.
In its May newsletter on workstation security and the HIPAA Security Rule, OCR cited a 2015 settlement with Lahey Hospital and Medical Center in Burlington, Massachusetts, over a breach of PHI involving a laptop used in connection with a CT scanner.
Workstation and physical security should be a collaborative effort between the privacy officer and security officer in your organization, but someone, regardless of who, should take the lead on physical security issues.
Most HIPAA covered entities have become steadfast in ensuring their digital environments that house ePHI are safe and secure, but this should not be your organization’s only concern. In its May OCR Cybersecurity Newsletter, OCR encouraged healthcare organizations to not forget about workstation security and physical security when it comes to protecting ePHI.
Your organization does not have to look far to see how important it is for your business associates (BA) to comply with HIPAA. Take a glance at the OCR website for breaches involving 500 or more patients. BAs are regularly involved in these breaches along with covered entities (CE). However, the bad press almost always goes to the CEs.
This month's HIPAA Q&A answers readers' questions about doctor's notes for employers, checking a neighbor's medical records, retaining records of out-of-state patients, and training temporary nursing staff.
The HIPAA Security Rule requires information systems activity review, but a number of covered entities and business associates have yet to implement a robust security program that includes monitoring audit logs. Per the preamble to the Omnibus Rule, if audit logs are generated and you’re not looking at them periodically, that could be considered willful neglect.
Protecting your patients’ PHI does not mean just having a breach prevention plan in place and a strong risk analysis program. It’s also about preparing a breach contingency plan, because in today’s world it’s almost inevitable that you’ll experience a breach.
A legislative effort is underway to align some of the provisions of 42 CFR Part 2—the privacy regulation that governs the use and disclosure of substance use disorder information maintained by programs known as “Part 2” programs—with HIPAA.
Semantics often gets in the way when it comes to HIPAA Security Rule requirements—and the results can be costly mistakes for your organization in terms of wasted resources, not to mention not satisfying OCR. It’s time for your organization to get a grip on what exact security measures it’s performing.
If your healthcare organization thinks distributing a Notice of Privacy Practices (NPP) form, ensuring patients acknowledge receiving it, and maintaining those acknowledgments is a burden, the government may agree with you.
If you’re generating audit logs, you must regularly review them. SPHER is a cost-effective software-as-a-service tool that automates the review of the multitude of audit logs your EHR generates and can help you discover potential security incidents and avoid unpleasant surprises.
HIPAA says staff should only access the minimum necessary amount of information to do their jobs. But defining roles, access, and minimum necessary can quickly become a complicated exercise in frustration. Use this tool to help your organization form a practical minimum necessary policy.
Employers take note: In-demand health IT professionals are more interested in job satisfaction and professional growth than in longevity with an organization. Although compensation and benefits packages are important, a positive work culture, the opportunity to do meaningful work, and the potential for career advancement make a big impact on current and prospective health IT staff.
When it comes to security patch management, the more you plan, the less likely it is that something will go wrong, and the better prepared you'll be for anything unexpected that does happen. Take a look at some successful patch management strategies to learn how to keep your organization secured against hackers and software failure.
When it comes to patients’ PHI, every little detail matters. Whether it’s the alignment of a preprinted mailer or installing antivirus software on your system, these details can make the difference in your health system’s security. Below are four recent security incidents that run the gamut in terms of technology involved, but all of which made the OCR breach report.
There were two buzz phrases in the air at the 2018 Healthcare Information Management Systems Society Health IT Conference (HIMSS18): artificial intelligence and machine learning. While these initiatives have great potential in terms of analytics, the data can be difficult to interpret.