HIPAA

Everyone is familiar with the words “privacy” and “security,” but what do these terms mean to the experts, and what is the relationship between privacy and security?

With massive data breaches rocking industries and the public, and policymakers scrutinizing how organizations respond, it’s time to dust off policies and ensure organizations have meaningful, compliant reporting and response plans.

HIPAA compliance and enforcement saw its share of highs and lows in 2017. As the year comes to a close, it’s a good time to look back on what your organization has learned—in terms of personal growth and lessons gleaned from other organizations.

Q: We see many assertions that encryption at the right level meets the National Institute of Standards and Technology (NIST)/HIPAA safe harbor provision with no explanation of what is necessary to prove the breached electronic protected health information (PHI) was actually encrypted at the moment of breach. How can a covered entity prove the PHI was actually encrypted at the time of the breach?

Intentionally concealing a data breach could lead to jail time for C-suite executives under a bill introduced in the Senate November 30.

OCR’s 2016 guidance on patient access opened up a debate in the industry and brought questions about fulfilling patient access requests to the foreground.

This month's security Q&A answers readers' questions on incidental disclosures, sending protected health information in the mail, and addressing vulnerabilities identified in a risk analysis.

The general rules for security, risk analysis, and risk management implementation specifications, and evaluation standards are key directives for ongoing compliance assurance. Although risk analysis concepts guidance appears in the Security Rule, many organizations use it for auditing Privacy Rule processes as well.

Handling requests for information from law enforcement can throw staff for a loop. Most staff are aware of their organization’s policies and the basic HIPAA requirements for disclosing patient information to family members, friends, and other individuals such as legal guardians. But handling requests from law enforcement officials can be a different matter.

Changes to the Office for Civil Rights' HIPAA Audit Program and enforcement focus highlight compliance areas organizations should review.