There are many questions out there about what a managed service provider (MSP) should do for covered entities and business associates. There are different flavors of MSPs out there; therefore, it’s important to think about what your MSP will do for you and how to spot an MSP that may not be a good fit for your organization.
Compiling the statistics for insider threats to patient privacy is easy. It’s the mitigation of these risks that takes time, strategy, and commitment. According to the January 2017 Protenus Breach Barometer, internal health system employees were responsible for 58.4% of breached patient data during January 2017.
HIPAA isn’t the only privacy, security, and breach notification law in the country. In fact, HIPAA is designed to work with state laws, and in cases where state laws are stricter or prescribe a higher level of privacy or security, HIPAA explicitly directs covered entities and business associates to follow state law. A covered entity or business associate that isn’t in compliance with state privacy, security, and breach notification laws is not in compliance with HIPAA, and is at risk of both federal and state action.
The Substance Abuse and Mental Health Services Administration (SAMHSA) gave organizations and patients some relief from the stricter privacy rules protecting substance abuse and treatment information. But did SAMHSA really make the rule simpler, or will privacy and security officers find themselves grappling with a fresh set of complicated rules and exceptions?
The Center for Children’s Digestive Health (CCDH), an Illinois clinic group, dished out $31,000 in a HIPAA settlement with HHS due to a lack of a business associate agreement (BAA) with a vendor, the Office for Civil Rights (OCR) announced April 20.
Metro Community Provider Network (MCPN), a federally-qualified health center (FQHC) in Denver, agreed to a $400,000 HIPAA breach settlement and corrective action plan.
Q: A physician’s office called our office about a mutual patient to inquire the date the patient was last seen in our office for Medicare billing purposes. How are we supposed to know that they are in fact who they have identified themselves as? Are we allowed to provide this information without the patient adding this physician office to the disclosure form?
Q: The parents of a child at our pediatric clinic are divorced and the child is a beneficiary of one parent’s insurance. That parent wishes to restrict information the other has access to. However, because the parents have joint custody, the child may be brought in by either parent. Is there anything in HIPAA that could support denying the request or that would require us to comply?
