The Office for Civil Rights (OCR) announced December 8, 2014, that it fined an Alaska behavioral health service $150,000 for potential HIPAA violations. OCR entered into a resolution agreement with Anchorage Community Mental Health Services (ACMHS), a nonprofit behavioral healthcare service, per the announcement (see www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/acmhs/amchs-capsettle...).
While organizations should focus on performing regular risk assessments and analyses, there are also other ways in which they must review their systems for compliance. Often, these other evaluations are overlooked despite their value, says Kevin Beaver, CISSP, an information security consultant in Atlanta. In particular, organizations should be careful not to forget about performing vulnerability assessments and penetration tests, which are components of an overall risk assessment or analysis, says Beaver, who is an editorial advisory board member for SHCC's sister publication Briefings on HIPAA.
In the wake of several large breaches, OCR is ready to ramp up its oversight of HIPAA compliance as it embarks upon Phase 2 of its HIPAA privacy, security, and breach notification audits. OCR began preparing for this round of audits around the same time that news broke of the second-largest HIPAA breach in the U.S., a hacking incident that affected 4.5 million patients treated at or referred to Tennessee-based Community Health Systems, Inc.
As the use of electronic health records (EHR) surges and organizations work toward meaningful use attestation, more in-depth monitoring of electronic patient records is becoming increasingly necessary.
If the 2-midnight rule keeps you up at night, it might help to add some PEPPER to your processes. CMS recently updated PEPPER, otherwise known as the Program for Evaluating Payment Patterns Electronic Report, to provide hospitals with insight into how well they're doing with 2-midnight rule compliance.
You hear it over and over again. Covered Entity (CE) A failed to produce an ongoing risk assessment for HIPAA security compliance. CE B had an incomplete risk analysis, leading to a failure to recognize security weaknesses and vulnerabilities. And in come the fines.
Hospitals can make better use of their electronic health record (EHR) system’s audit functions not only to guard patient privacy but also to help prevent healthcare fraud, according to a new HHS Office of Inspector General (OIG) report.
UK HealthCare's Chief Compliance Officer R. Brett Short knew he was in for a rough day as soon as he saw the email from his organization's privacy officer.
