HIPAA

Q. Are we required to report cybersecurity incidents to federal agencies other than the Office for Civil Rights, such as the Department of Homeland Security?

The Office for Civil Rights (OCR) and the Office of the National Coordinator Health Information Technology released a fact sheet on disclosing protected health information (PHI) in support of public health activities conducted by state or federal public health agencies.

Q. Are we required to use encryption on all email, or only email that contains PHI?

This month's HIPAA Q&A answers our readers' questions about patient memorials, ROI requests from attorneys, state privacy laws, and more.

All of the policies and procedures in the world won’t ensure your staff are paying enough attention to privacy and security.

Check out these Briefings on HIPAA articles you may have missed last year.

Marketing is everywhere—even in healthcare. It’s an invaluable tool to attract and retain patients and a routine part of advertising new services and products but it’s also strictly regulated under HIPAA. Failure to properly train and educate staff can lead to HIPAA violations and the kind of bad press that’s difficult to put a positive spin on.

In today's world, passwords are no longer enough. Organizations should double up on security and implement two-factor authentication to stay ahead of the increasing volume and sophistication of cyberattacks. Although some may worry that two-factor authentication will be difficult to use, savvy organizations have found that it quickly becomes second nature.

Q: Our modem dialed the correct fax number but a switch in the phone company's system misdirected some pages of the fax to a wrong number. Are we in violation of HIPAA even though it is not our fault?

Q: Is an organization required to notify a patient of a single misdirected fax?