Articles Discussing HIPAA.

In the final days of 2020, the Office for Civil Rights (OCR) at the U.S. Health and Human Service (HHS) released a HIPAA Audits Industry Report (“the Report”), that could be quite helpful to covered entities and business associates for tackling HIPAA compliance as we enter the new year.  The

It seems like every aspect of healthcare is changing during these uncertain times, but one thing remains the same – HIPAA enforcement is going strong. The Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS), responsible for enforcing HIPAA regulations, has been active this year in terms of settlements of potential HIPAA privacy and security violations.  More than $12.2 million has been recorded this year in resolution agreements, despite the Notification of Enforcement Discretion related to COVID-19 issued by HHS.

Over the past few years, and particularly during the COVID-19 pandemic, the Department of Health and Human Services Office for Civil Rights in Action (OCR) has made countless efforts to enhance its Health Insurance Portability and Accountability Act (HIPAA) guidance and other related resources on its website. Last week, the

When providers, health plans, business associates, and even patients and plan participants think of the HIPAA privacy and security rules (‘HIPAA Rules”), they seem to be more focused on the privacy and security aspects of the HIPAA Rules. That is, for example, safeguarding an individual’s protected health information (PHI) to

Last week, in its Cybersecurity Summer Newsletter, the Office of Civil Rights (OCR) published best practices for creating an IT asset inventory list to assist healthcare providers and business associates in understanding where electronic protected health information (ePHI) is located within their organization, and improve HIPAA Security Rule compliance.  OCR

Roger Severino, Director of the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), provides advice for HIPAA covered health care providers:

When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information

With the recent spread of coronavirus (2019-nCoV), it is an important time to examine what information employers may share under HIPAA’s Privacy Rule during an outbreak of infectious disease or other emergency situation.

School leaders are often understandably confused as to which law applies to health- or medical-related records in schools: The Family Educational Rights and Privacy Act (FERPA) or the Health Insurance Portability and Accountability Act of 1996 (HIPAA) “Privacy Rule.”

No business likes to receive bad reviews on Yelp® or anywhere else in social media. When they do, some feel the need to respond to clarify or rebut the reviews, but they must do so carefully. This is particularly true for HIPAA covered entities, as their responses could include protected health information (PHI). A recent Office for Civil Rights (OCR) settlement with a small dental practice highlights this point.

As we have observed here, news reports of security risks, hackings and breaches caused by individuals, terror groups or even countries around the world certainly are important and can be unsettling. But, for many organizations, including healthcare providers and business associates, a significant and perhaps more immediate area of data risk is malicious insiders. On August 29, the Office for Civil Right (OCR) published its 2019 summer cybersecurity newsletter entitled, “Managing Malicious Insider Threats,” acknowledging this threat and providing some best practices to neutralize it.

While healthcare organizations are embracing new technologies such as patient portals, a recent report shows that organizations’ cybersecurity measures for these technologies are behind the times. A patient portal is a secure online website that allows patients to access their Electronic Health Record from any device with an Internet connection. Many patient portals also allow patients to request prescription refills, schedule appointments, and securely message providers. With this increased access for patients comes the risk that someone other than the patient will gain unauthorized access to the portal, and to the patient’s electronic protected health information (ePHI).

Many health care providers, including small and medium-sized physician practices, rely on a number of third party service providers to serve their patients and run their businesses. Perhaps the most important of these is a practice’s electronic medical record (EMR) provider, which manages and stores patient protected health information. EMR providers generally are business associates under HIPAA, subjecting them to many of the same requirements under the HIPAA privacy and security rules applicable to covered healthcare providers. HIPAA-covered healthcare providers should not assume their EMR providers comply with HIPAA and HITECH.

When the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 became law, it made significant changes to the civil monetary penalties for violations of HIPAA. In addition to increasing the amounts of the penalties, HITECH created a tiered approach to penalties, establishing four categories based on levels of culpability. In addition, current HHS regulations apply the same cumulative annual penalty limit across these four categories. Today, the Department of Health and Human Services (HHS) issued a notification of enforcement discretion changing its interpretation of HITECH resulting in a reduction in the amount of the cumulative annual penalty limit for three of the four categories.

Over the past thirty days, the Office for Civil Rights (“OCR”) has reached three HIPAA breach resolutions, signaling to organizations that are covered entities and business associates under HIPAA, the importance of instituting basic best practices for data breach prevention and response.