Q: If someone calls a facility to schedule an appointment for a patient, is it a violation of HIPAA to admit the patient receives care at the practice? For example, the practice where I work often helps victims of domestic abuse.
Q: I work at a pediatric practice, and we receive a lot of holiday cards from our patients, many of which feature family photos. We hang them up because the patients love to see themselves displayed in our lobby. We have reached out to a HIPAA security officer at a nearby hospital who told us it is not a HIPAA violation to display holiday cards received from patients. Is this accurate?
Small- to medium-size clinics often operate under the assumption that their outsourced IT shop or managed services provider (MSP) is providing a robust security solution, but this is not always the case. MSPs aren't necessarily falling down on the job, though; remember that just because something is outsourced doesn't mean the vendor will manage all of the risk. In the end, if you want additional services from your MSP, it costs money. RapidFire Tools® offers a solution MSPs can use to address risks that many small- to medium-size clinics may falsely assume are already managed.
Privacy and information security programs in healthcare organizations have developed and matured to meet the requirements of HIPAA and other federal and state laws. In some organizations, providers and managers struggle to keep pace with the changes. Expanded focus on EHR technology and new threats to the security of personally identifiable information (e.g., healthcare, financial, educational, employment) will further affect privacy and information security programs in the future.
A mobile workforce in the healthcare industry presents a unique set of HIPAA privacy and security challenges. As the number of large HIPAA breaches increases and OCR ramps up audits, organizations cannot afford to risk their bottom line and reputation by failing to protect patient privacy and security.
Q: I am currently working on a social media usage policy for the organization where I work. I often notisce that some of my friends in the healthcare industry will post about patients on social media website.
1. Phase 2 of OCR's HIPAA audits will be desk audits, which means OCR will not conduct on-site audits of covered entities (CE) and business associates (BA) unless resources are available.
The September 22, 2014, deadline to revise business associate agreements (BAA) may have seemed like a date far in the future when the HIPAA omnibus final rule was released January 25, 2013. However, this compliance date is now in our rearview mirror as we continue to move along the road toward establishing and maintaining compliance with the HIPAA Privacy Rule and Security Rule.
In the wake of several large breaches, OCR is ready to ramp up its oversight of HIPAA compliance as it embarks upon Phase 2 of its HIPAA privacy, security, and breach notification audits. OCR began preparing for this round of audits around the same time that news broke of the second-largest HIPAA breach in the U.S., a hacking incident that affected 4.5 million patients treated at or referred to Tennessee-based Community Health Systems, Inc.
