HIPAA

Most HIPAA covered entities have become steadfast in ensuring their digital environments that house ePHI are safe and secure, but this should not be your organization’s only concern. In its May OCR Cybersecurity Newsletter, OCR encouraged healthcare organizations to not forget about workstation security and physical security when it comes to protecting ePHI.

Q: Is texting an acceptable way to communicate with a patient? Do we need to ask the patient to sign a form with a statement to the effect that they prefer that we text information on test results, etc., rather than leave a voicemail asking them to call?

Your organization does not have to look far to see how important it is for your business associates (BA) to comply with HIPAA. Take a glance at the OCR website for breaches involving 500 or more patients. BAs are regularly involved in these breaches along with covered entities (CE). However, the bad press almost always goes to the CEs.

Boys Town National Research Hospital, in Omaha, Nebraska, announced July 20 that it had discovered a data security incident that may have affected the personal health information of 105,309 individuals.

Q: If an employee of our facility is seen for a routine vaccine, is it permissible for the nurse to review the patient history?

This month's HIPAA Q&A answers readers' questions about doctor's notes for employers, checking a neighbor's medical records, retaining records of out-of-state patients, and training temporary nursing staff.  

A former Arkansas Children’s Hospital employee is under investigation for misusing patients’ personal health information for personal gain, according to an announcement from the hospital.

Q: Is it a HIPAA violation to receive a postcard from a facility regarding your mammogram, date, time, and instructions?

The HIPAA Security Rule requires information systems activity review, but a number of covered entities and business associates have yet to implement a robust security program that includes monitoring audit logs. Per the preamble to the Omnibus Rule, if audit logs are generated and you’re not looking at them periodically, that could be considered willful neglect.

OCR’s June cybersecurity report focuses on software bugs and patches designed to fix them. Software bugs can make your computer systems vulnerable and put electronic personal health information (ePHI) at risk.