Q. We’re a small clinic and were just hit with ransomware. We do have a plan to recover and have clean backup data to restore from. Is there anything we’re missing?
The Substance Abuse and Mental Health Services Administration released a final rule updating privacy regulations for alcohol and substance abuse patient records. The changes are intended to reflect the way information is shared in new healthcare models while still protecting the privacy of individuals seeking treatment.
Q. We currently use an electronic system to make appointments for our spa clients that is not HIPAA compliant according to its maker. Can we use this system to track appointments for B-12 shot clients and those who are prescribed appetite suppressants? We would have to enter patient medications and any allergies into this system. Since it is a cash-based business, what’s the HIPAA liability?
Covered entities (CE) and business associates (BA) should report any suspicious cyber activity, including malware, phishing, or other cybersecurity incidents, to the United States Computer Emergency Readiness Team (US-CERT), the Office for Civil Rights (OCR) said in guidance released February 23.
Q. If we discover that our business associate (BA) uses a cloud service vendor for certain services, do we need to see proof that the BA has executed a BA agreement (BAA) with the cloud service vendor?
This month's HIPAA Q&A answers our readers' questions about disclosures to family members, healthcare providers, and home health visits to gated communities.
Breaches are expensive and the price tag increases when preparation and formal documentation are lacking. One of the challenges of tracking security incidents and determining if a breach of PHI or PII is a reportable breach is developing a consistent assessment process and building a centralized breach tracking system.