There's considerable confusion about what HIPAA means and what your obligations are under the regulations. I recently presented at a Midwest physician association conference. As is almost always the case, in the front row was an attendee just waiting for the Q&A session.
Release of information (ROI) is typically a function that is managed by the HIM department, but privacy and security officers often play a critical role in ensuring records remain secure during transmission.
Q: As part of the audit controls policy at my organization, we hired an external security vendor to collect and review logs from several critical servers. The vendor creates tickets for our IT staff when a potential incident is discovered during the daily log review. This supplements our own activity reviews of internally generated reports, and the vendor then uses them for its own review. Our internal staff never sees the reports the vendor uses for its review. Do the reports the vendor uses fall under the HIPAA requirement for retaining logs for six years? Should we compel the vendor to retain these reports?
Even organizations with sound policies, procedures, training, and safeguards can experience a breach. When?not if?a breach occurs, traditional insurance may not be enough to cover the damages. Ensuring that your organization has adopted the appropriate cyber insurance can be valuable in the event of a breach.
The Office for Civil Rights (OCR) announced December 8, 2014, that it fined an Alaska behavioral health service $150,000 for potential HIPAA violations. OCR entered into a resolution agreement with Anchorage Community Mental Health Services (ACMHS), a nonprofit behavioral healthcare service, per the announcement (see www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/acmhs/amchs-capsettle...).
