Financial organizations that are business associates can expect a wave of HIPAA desk audits to evaluate the HIPAA compliance efforts of business associates. These audits have a limited focus and are conducted by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). For business associates, desk audits will target breac…
September can bring about lots of changes, especially for college students. The National Alliance on Mental Illness (NAMI) released a guide for departing college students and their families on mental illness, including navigating certain privacy laws.
Health privacy and confidentiality laws protect your health records, including mental health rec…
Covered entities and business associates can expect increased scrutiny for breaches of unsecured protected health information affecting fewer than 500 individuals. Starting August 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) began more widely investigating these small breaches under the Health Insurance …
Phase 2 of the HIPAA audits is fully underway, and covered entities now can take a breath if they have not received a desk audit request. But we still are at the beginning of Phase 2, with more to come.
Preparing for Audits. Some steps that covered entities and business associates can take to further prepare:
- Business associates should verify that risk analysi
Athletes at the Rio Olympics aren’t the only ones setting records this year. Hoping to send a “strong message” about the importance of safeguarding electronic protected health information (PHI) and conducting mandated risk analyses, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) recently reached the larges…
Pikachu, Alakazam, Bulbasaur, Charmander, and Squirtle can teach us a few things about HIPAA privacy. Pokémon GO is a recent craze encouraging people to try to catch ’em all. As a result, employees, clients, and patients are scrambling around the halls of covered entities and business associates in search of elusive Pokémon, hoping to take a capt…
The U.S. Department of Health & Human Services Office for Civil Rights (OCR) has entered into a Resolution Agreement with a business associate over allegations that it potentially violated the Health Insurance Portability and Accountability Act (HIPAA) Security Rule by failing to protect electronic protected health information (ePHI).
On June 2…
Protecting patient information is a central duty for both covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA). Should a HIPAA-subject entity ever fail to protect patient information, it may face possible enforcement action from the U.S. Department of Health and Human Services’ Office f…
The world of privacy grows every day as more data goes through the cloud. The new trends and weekly data breaches make conferences like the Global Privacy Summit all the more relevant.
Earlier this month we went to IAPP’s annual event and networked with many professionals in the privacy sphere. Here were some of our key takeaways:
1. Connect with your FBI …
The Phase 2 audit program for HIPAA compliance is under way. The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced that it had launched the Phase 2 audits to examine and assess how covered entities and their business associates are adhering to the HIPAA Privacy, Security, and Breach Notification Rules. OCR will survey …
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has been highlighting the threat posed by “ransomware”—when an organization is locked out of its own systems and files by cyber criminals who then demand the organization pay a ransom to regain access. OCR launched its Cyber-Awareness initiative on Feb. 2 by emaili…
Feb. 29, 2016, a/k/a Leap Day, is the date by which HIPAA covered entities must notify the U.S. Department of Health and Human Services Office for Civil Rights (OCR) of “small” breaches of unsecured protected health information that were discovered in calendar-year 2015.
A small breach involves fewer than 500 individuals. While HIPAA requires cover…
On Feb. 9, 2016, the U.S. Department of Health and Human Services Substance Abuse and Mental Health Services Administration (SAMHSA) published in the Federal Register a proposed rule putting forth amendments to the Alcohol and Drug Abuse Treatment Confidentiality Rule at 42 C.F.R. Part 2 (the “Part 2 Rule”). A redline of the proposed changes to the …
Do You Know Where Your Data Is?
For only the second time in its history, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed a civil money penalty (CMP) on a covered entity for allegedly violating the HIPAA Privacy Rule. The Administrative Law Judge’s (ALJ’s) decision upholding the $239,800 CMP against Lincare…
The FTC reached a $250,000 settlement with a 20-year consent order with Henry Schein Practice Solutions, Inc. over its use of allegedly subpar encryption technology in its offering to dental practices. This settlement is particularly noteworthy for a number of reasons:
- In addition to the typical 20-year consent order (in this case requiring Schein to ma
It may not be a big dollar amount ($15,000), but a recent New York Attorney General settlement represents a big issue—interpreting that HIPAA prohibits a health care professional who is changing practices from taking a patient list without the patients’ authorizations. Health care providers should review their procedures surrounding departing p…
In a Nov. 10, 2015 letter, the Chairs and Ranking Members of the Senate Committee on Health, Education, Labor, and Pensions and the Committee on Finance raised concerns with the U.S. Department of Health and Human Services (“HHS”) regarding what HHS is doing to support and protect victims of medical identity theft in the wake of large health informatio…
Safeguarding patient information is at the core of responsibilities for health care entities under the Health Insurance Portability and Accountability Act (HIPAA). But safeguarding patient information isn’t just a regulatory requirement; every medical professional who takes the Hippocratic Oath (Modern Version) swears to respect patient priv…
Over the past year, numerous lawsuits and complaints to the HHS Office for Civil Rights (“OCR”) have been filed by plaintiffs’ attorneys over a seemingly obscure HIPAA issue – the rate that health care providers and their release-of-information contractors may charge attorneys for copies of their clients’ medical records. In response to a Fr…
The 2015 HIPAA Security conference held by the National Institute of Standards and Technology (“NIST”) and the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) kicked off last week with OCR’s announcement of a new settlement. In its latest settlement with a small health care provider, OCR emphasized comprehensiv…
With health care breaches constantly on the rise, increasing access to electronic health records (EHRs) from mobile devices, and more prevalent “shadow” cloud use, health care organizations are getting a bit of help from the National Institute of Standards and Technology (NIST) with a draft cybersecurity guide: “NIST is soliciting stakeholder …
Security Risk Analysis and Patient Access
The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) recently announced a new settlement with a small pharmacy, Cornell Prescription Pharmacy (“Cornell”). OCR alleged that Cornell was disposing of documents containing protected health information in unlocked, open dumpsters. This incide…
On March 30, the Department of Health and Human Services’ (HHS) Centers for Medicare & Medicaid Services (CMS) published its proposed rulemaking for Stage 3 of the Medicare and Medicaid Electronic Health Records (EHR) Incentive Program in the Federal Register. According to HHS, the proposed Stage 3 rule, if adopted, would simplify the EHR Incenti…