The Washington legislature unanimously passed a bill in April that will shorten the state’s data breach notification time to 30 days, which is half the time required by HIPAA.
Q: Does HIPAA require encryption when sharing data over the internet? Should data be encrypted when it is being emailed to someone at the same facility?
In this month's security Q&A, our expert answers questions on the location of data backups, telehealth services using video conferencing, cloud service providers outside the U.S., and more!
On April 18, the Office of Civil Rights (OCR) added five new answers to its FAQ section on the relationship between HIPAA and health apps that use patient information.
There are fewer hoops to jump through when another provider requests a practice’s patient records than when an attorney requests them, but the requesting providers don’t have an automatic right to those records, and you can’t just hand them over.
CMS released a bulletin April 10 on behalf of HHS seeking providers to participate in a volunteer Provider Pilot Program to test the process for reviewing compliance with its HIPAA Administrative Simplification rules.
Once you understand the basics of privacy and disclosure of PHI under HIPAA, strive to keep staff trained. According to Section 164.530(b) of the Privacy Rule, a covered entity must train all members of its workforce on the policies and procedures with respect to PHI as necessary and appropriate.
Q: I’m a benefits administrator, and I got a call from human resources about an email she received from an employee about a procedure performed by her physician that was not covered by her insurance. Can I discuss the case with human resources? Or should I talk directly to the employee?