HIPAA Blog and Updates

Welcome to our HIPAA blog. Here we post news, articles, and site updates on HIPAA.

  • 31 May 2024 9:17 AM | Zachary Edgar (Administrator)

    Today, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) published an update to the frequently asked questions (FAQs) webpage concerning the Change Healthcare cybersecurity incident. The webpage, first published on April 19, 2024, provides answers to FAQs concerning the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules and the cybersecurity incident impacting Change Healthcare, a unit of UnitedHealth Group (UHG), and many other health care entities.

    OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set forth the requirements that HIPAA covered entities (health plans, health care clearinghouses, and most health care providers) and their business associates must follow to protect the privacy and security of protected health information, and the notifications required to HHS and affected individuals following a breach.

    “Ensuring patient privacy is one of the pillars of HIPAA. Our updated FAQs webpage on the Change Healthcare breach reiterates that importance by making clear that individuals affected by this breach must be notified that their protected health information was breached. This ensures that the potentially millions of Americans, including the elderly, the disabled, those with limited English proficiency, those with limited access to technology, and more, will understand the impact of this breach on their private medical records and their health care,” said OCR Director Melanie Fontes Rainer. “Affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare. All of the required HIPAA breach notifications may be performed by Change Healthcare. We encourage all parties to take the necessary steps to ensure that the HIPAA breach notifications are prioritized.”

    The webpage updates address questions OCR has received concerning who is responsible for performing breach notification to HHS, affected individuals, and where applicable the media. Specifically, the FAQs make clear that:

    • Covered entities affected by the Change Healthcare breach may delegate to Change Healthcare the tasks of providing the required HIPAA breach notifications on their behalf.
    • Only one entity – which could be the covered entity itself or Change Healthcare – needs to complete breach notifications to affected individuals, HHS, and where applicable the media.
    • If covered entities work with Change Healthcare to perform the required breach notifications in a manner consistent with the HITECH Act and HIPAA Breach Notification Rule, they would not have additional HIPAA breach notification obligations.

    The new and updated FAQs on the Change Healthcare Cybersecurity Incident may be viewed at: https://www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index.html.

    Reference

    HIPAA News Releases & Bulletins


  • 22 Apr 2024 9:30 AM | Zachary Edgar (Administrator)

    The Final Rule strengthens privacy protections for medical records and health information for women, their family members, and doctors who are seeking, obtaining, providing, or facilitating lawful reproductive health care.

    Today, the Biden-Harris Administration, through the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), announced a Final Rule, entitled HIPAA Privacy Rule to Support Reproductive Health Care Privacy. The Final Rule strengthens the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule by prohibiting the disclosure of protected health information (PHI) related to lawful reproductive health care in certain circumstances. HHS is issuing this Final Rule after hearing from communities that changes were needed to better protect patient confidentiality and prevent medical records from being used against people for providing or obtaining lawful reproductive health care. This Final Rule will bolster patient-provider confidentiality and help promote trust and open communication between individuals and their health care providers or health plans, which is essential for high-quality health care.

    “Many Americans are scared their private medical information will be shared, misused, and disclosed without permission. This has a chilling effect on women visiting a doctor, picking up a prescription from a pharmacy, or taking other necessary actions to support their health,” said HHS Secretary Xavier Becerra. “The Biden-Harris Administration is providing stronger protections to people seeking lawful reproductive health care regardless of whether the care is in their home state or if they must cross state lines to get it. With reproductive health under attack by some lawmakers, these protections are more important than ever.”

    “Since the fall of Roe v. Wade, providers have shared concerns that when patients travel to their clinics for lawful care, their patients’ records will be sought, including when the patient goes home. Patients and providers are scared, and it impedes their ability to get and to provide accurate information and access safe and legal health care,” said OCR Director Melanie Fontes Rainer. “Today’s rule prohibits the use of protected health information for seeking or providing lawful reproductive health care and helps maintain and improve patient-provider trust that will lead to improved health outcomes and protect patient privacy.”

    OCR administers and enforces the Privacy Rule, which requires most health care providers, health plans, health care clearinghouses, and business associates (collectively, “regulated entities”) to safeguard the privacy of PHI and sets limits and conditions on the uses and disclosures of such information. The HIPAA Privacy Rule also gives individuals certain rights over their PHI. In April 2023, OCR published proposed modifications to the HIPAA Privacy Rule to address changes in the legal landscape affecting reproductive health care privacy that make it more likely than before that PHI may be used and disclosed in ways that HIPAA intended to protect. OCR received almost 30,000 comments on the proposed rule from the public. After carefully considering these comments, the Department is issuing a Final Rule that:

    • Prohibits the use or disclosure of PHI when it is sought to investigate or impose liability on individuals, health care providers, or others who seek, obtain, provide, or facilitate reproductive health care that is lawful under the circumstances in which such health care is provided, or to identify persons for such activities.
    • Requires a regulated health care provider, health plan, clearinghouse, or their business associates, to obtain a signed attestation that certain requests for PHI potentially related to reproductive health care are not for these prohibited purposes.
    • Requires regulated health care providers, health plans, and clearinghouses to modify their Notice of Privacy Practices to support reproductive health care privacy.

    View the Final Rule on the Federal Register.

    View The Final Rule Fact Sheet here.

    Reference

    HIPAA News Releases & Bulletins


  • 1 Apr 2024 9:30 AM | Zachary Edgar (Administrator)

    Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a $100,000 civil monetary penalty against Essex Residential Care, LLC, doing business as Hackensack Meridian Health, West Caldwell Care Center (“Hackensack Meridian Health”), a skilled nursing facility that provides long-term care and rehabilitation services. OCR investigated Hackensack Meridian Health under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule for failing to provide a patient’s personal representative with timely access to the patient’s medical records.

    The HIPAA Privacy Rule is the federal law that establishes national standards to protect individuals’ medical records, sets limits and conditions on the uses and disclosures of protected health information, and gives individuals certain rights, including the right to timely access and obtain a copy of their health records. Today’s action resolves a matter where patient records were not provided in a timely manner.

    “A patient’s timely access to health records is paramount for medical care. The Office for Civil Rights continues to receive complaints from individuals and personal representatives on behalf of individuals who do not receive timely access to their health records,” said OCR Director Melanie Fontes Rainer. “OCR will continue to vigorously enforce this essential right to ensure compliance by health care facilities across the country.”

    In May 2020, OCR received a complaint alleging that Hackensack Meridian Health failed to provide a personal representative with access to his mother’s medical records. The records were allegedly withheld even after Hackensack Meridian Health received sufficient documentation demonstrating that the son was serving as his mother’s personal representative. The requested records were sent to the personal representative in November 2020, as a result of OCR’s investigation.

    OCR found that Hackensack Meridian Health failed to respond in a timely manner to a HIPAA right of access request. In September 2023, OCR issued a Notice of Proposed Determination seeking to impose a civil money penalty. Hackensack Meridian Health waived its right to a hearing and did not contest OCR’s findings. Accordingly, OCR imposed a civil money penalty of $100,000.

    The Notice of Proposed Determination may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/hackensack-meridian-health-west-caldwell-care-center/index.html#npd

    The Notice of Final Determination may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/hackensack-meridian-health-west-caldwell-care-center/index.html#nfd

    Reference

    HIPAA News Releases & Bulletins


  • 29 Mar 2024 9:32 AM | Zachary Edgar (Administrator)

    Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with Phoenix Healthcare, an Oklahoma multi-facility nursing care organization. The settlement resolves a potential violation of the Health Insurance Portability and Accountability Act (HIPAA) Right of Access provision, which requires that individuals or their personal representatives have timely access to their health information.

    HIPAA requires a covered entity to provide access to protected health information within 30 days of receiving an individual’s request. OCR’s investigation involved a daughter, serving as a personal representative for her mother, who was not able to obtain access to her mother’s protected health information for nearly one year, despite multiple requests. The agreement marks OCR’s 47th Right of Access enforcement action.

    “Patients need to make the best decisions possible for their health and well-being, so timely access to their medical records is imperative,” said OCR Director Melanie Fontes Rainer. “Without this access, patients are at risk for incorrect treatments, inaccurate health records, and lack of understanding of their health conditions. It is unacceptable for a health care provider to delay or deny requests to release medical records for months, and we are calling on providers everywhere to be compliant to help empower patients.” 

    In April 2019, a complaint was filed with OCR alleging that Phoenix Healthcare would not provide a daughter, who serves as a personal representative, with a copy of her mother’s medical records. After OCR attempted technical assistance and made further attempts to obtain the records, Phoenix Healthcare sent the requested records on January 30, 2020, 323 days after the request.

    A copy of the Settlement Agreement may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/phoenix-healthcare/index.html.

    The regulations under HIPAA recognize the importance of providing individuals with the ability to access and obtain a copy of their health information. To learn more about your rights under the HIPAA Right of Access provision, view OCR’s guidance at: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.

    Reference

    HIPAA News Releases & Bulletins


  • 8 Feb 2024 9:33 AM | Zachary Edgar (Administrator)

    Today, the U.S. Department of Health and Human Services, through its Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA), finalized modifications to the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 CFR part 2 (“Part 2”), which protect the privacy of patients’ SUD treatment records. Specifically, today’s final rule increases coordination among providers treating patients for SUDs, strengthens confidentiality protections through civil enforcement, and enhances integration of behavioral health information with other medical records to improve patient health outcomes.

    Today’s rule was informed by the bipartisan Coronavirus Aid, Relief, and Economic Security Act (CARES Act) that, among other things, required HHS to bring the Part 2 program into closer alignment with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Breach Notification, and Enforcement Rules.

    “Patient confidentiality is one of the bedrock principles in health care. People who are struggling with substance use disorders must have the same ability to keep their information private as anyone else. This new rule helps to ensure that happens, by strengthening confidentiality protections and improving the integration of behavioral health with other medical records,” said HHS Secretary Xavier Becerra. “The Biden-Harris Administration has made it a priority to end the stigmatization of those living with substance use disorders and give health care providers the tools they need so they can treat the whole patient while continuing to protect patient privacy. We will not rest until behavioral health is fully integrated into health care and those struggling with behavioral health challenges get the best treatment available.”

    “The Final Rule strengthens confidentiality protections while improving care coordination for patients and providers. Patients can seek needed treatment and care for substance use disorder knowing that greater protections are in place to keep their records private, and providers can now better share information to improve patient care,” said OCR Director Melanie Fontes Rainer.

    “One of SAMHSA’s priorities is working to make effective treatments and recovery supports for SUD more accessible to all Americans,” said Miriam E. Delphin-Rittmon, Ph.D., the HHS Assistant Secretary for Mental Health and Substance Use and the leader of SAMHSA. “The Final Rule supports access to care and treatment and mitigates the discrimination and stigmatization that we know too often people with SUD experience while continuing to apply stringent privacy protections.”

    The final rule includes the following modifications to Part 2:

    • Permits use and disclosure of Part 2 records based on a single patient consent given once for all future uses and disclosures for treatment, payment, and health care operations.
    • Permits redisclosure of Part 2 records by HIPAA covered entities and business associates in accordance with the HIPAA Privacy Rule, with certain exceptions.
    • Provides new rights for patients under Part 2 to obtain an accounting of disclosures and to request restrictions on certain disclosures, as also granted by the HIPAA Privacy Rule.
    • Expands prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative, and legislative proceedings.
    • Provides HHS enforcement authority, including the potential imposition of civil money penalties for violations of Part 2.
    • Outlines new breach notification requirements applying to Part 2 records.

    Reference

    HIPAA News Releases & Bulletins

  • 6 Feb 2024 9:35 AM | Zachary Edgar (Administrator)

    Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with Montefiore Medical Center, a non-profit hospital system based in New York City, for several potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. OCR is responsible for administering and enforcing health information privacy, including enforcement of the HIPAA Privacy, Security, and Breach Notification Rules for the health care sector. OCR plays a unique role in serving as the agency at HHS that enforces federal civil rights, privacy and security laws in health care. HIPAA requires that health care providers, insurers and others take steps to protect the privacy and security of patients’ protected health information. The $4.75 million monetary settlement and corrective action resolve multiple potential data security failures by Montefiore Medical Center that led to an employee stealing and selling patients’ protected health information over a six-month period.

    “Unfortunately, we are living in a time where cyber-attacks from malicious insiders are not uncommon. Now more than ever, the risks to patient protected health information cannot be overlooked and must be addressed swiftly and diligently,” said OCR Director Melanie Fontes Rainer. “This investigation and settlement with Montefiore are an example of how the health care sector can be severely targeted by cyber criminals and thieves—even within their own walls. Cyber-attacks do not discriminate based on organization size or stature, and it’s incumbent that our health care system follow the law to protect patient records.”

    The action is the latest step by HHS, which released a Department-wide cybersecurity strategy for the health care sector in December of 2023 and released voluntary performance goals to enhance cybersecurity across the health sector just last week.

    “Cyber-attacks that are carried out by insiders are one of the many ways that can lead to a security breach, leaving patients vulnerable,” said HHS Deputy Secretary Andrea Palm. “Our priority is and always has been improving the quality of health care patients receive. Part of this health care is establishing a trust that medical records will not be exposed. HHS will continue to remind health care systems of their responsibility as providers, which is to have policies and procedures in place to keep patients’ medical information secure.”

    In May 2015, the New York Police Department informed Montefiore Medical Center that there was evidence of theft of a specific patient’s medical information. The incident prompted Montefiore Medical Center to conduct an internal investigation. It discovered that two years prior, one of its employees had stolen the electronic protected health information of 12,517 patients and sold the information to an identity theft ring. Montefiore Medical Center filed a breach report with OCR.

    OCR’s investigation revealed multiple potential violations of the HIPAA Security Rule, including failures by Montefiore Medical Center to analyze and identify potential risks and vulnerabilities to protected health information, to monitor and safeguard its health information systems’ activity, and to implement policies and procedures that record and examine activity in information systems containing or using protected health information. Without these safeguards in place, Montefiore Medical Center was unable to prevent the cyberattack or even detect that the attack had happened until years later.

    Under the terms of the settlement, Montefiore Medical Center will pay $4,750,000 to OCR and implement a corrective action plan that identifies certain steps toward protecting the security of protected health information. These actions include:

    • Conducting an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information;
    • Developing a written risk management plan to address and mitigate security risks and vulnerabilities identified in the Risk Analysis;
    • Developing a plan to implement hardware, software, and/or other procedural mechanisms that record and examine activity in all information systems that contain or use electronic protected health information;
    • Reviewing and revising, if necessary, written policies and procedures to comply with the HIPAA Privacy and Security Rules; and
    • Providing training to its workforce on HIPAA policies and procedures.

    OCR will monitor Montefiore Medical Center for two years to ensure compliance with the law.

    According to OCR’s breach reports, over 134 million individuals were affected by large breaches in 2023, whereas 55 million were affected in 2022. OCR recommends that health care providers, health plans, clearinghouses, and business associates that are covered by HIPAA implement safeguards to mitigate or prevent cyber threats. These include:

    • Reviewing all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident reporting obligations.
    • Integrating risk analysis and risk management into business processes, and ensuring that they are conducted regularly, especially when new technologies and business operations are planned.
    • Ensuring audit controls are in place to record and examine information system activity.
    • Implementing regular review of information system activity.
    • Utilizing multi-factor authentication to ensure only authorized users are accessing protected health information.
    • Encrypting protected health information to guard against unauthorized access.
    • Incorporating lessons learned from previous incidents into the overall security management process.
    • Providing training specific to the organization and job responsibilities on a regular basis; and reinforcing workforce members’ critical role in protecting privacy and security.

    Reference

    HIPAA News Releases & Bulletins


  • 20 Nov 2023 12:44 PM | Zachary Edgar (Administrator)

    Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Saint Joseph’s Medical Center for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. Saint Joseph’s Medical Center is a non-profit academic medical center in New York that provides a full range of health care services. The settlement involved the impermissible disclosure of COVID-19 patients’ protected health information to a national media outlet.

    “When receiving medical care in hospitals and emergency rooms, patients should not have to worry that providers may disclose their health information to the media without their authorization,” said OCR Director Melanie Fontes Rainer. “Providers must be vigilant about patient privacy and take necessary steps to protect it and follow the law. The Office for Civil Rights will continue to take enforcement actions that put patient privacy first.”

    OCR investigated Saint Joseph’s Medical Center after the Associated Press published an article about the medical center’s response to the COVID-19 public health emergency, which included photographs and information about the facility’s patients. These images were distributed nationally, exposing protected health information including patients’ COVID-19 diagnoses, current medical statuses and medical prognoses, vital signs, and treatment plans.

    OCR determined that Saint Joseph’s Medical Center disclosed three patients’ protected health information to the Associated Press without first obtaining written authorization from the patients, thereby potentially violating the HIPAA Privacy Rule. Under the HIPAA Privacy Rule, a covered entity (including a health care provider) may not use or disclose protected health information, except either:

    • As the HIPAA Privacy Rule permits or requires; or
    • The individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.

    Therefore, regulated entities cannot disclose a patient’s protected health information to the media without first obtaining written authorization from the patient permitting the entity to do so. This includes when health care providers have print or television reporters on the premises.

    Saint Joseph’s Medical Center paid $80,000 to OCR and agreed to implement a corrective action plan requiring the facility to develop written policies and procedures that comply with the HIPAA Privacy Rule. Saint Joseph’s Medical Center also agreed to train its workforce on the revised policies and procedures. Under this agreement, OCR will monitor St. Joseph’s Medical Center for two years to ensure compliance under the plan and with the law.

    Reference

    HIPAA News Releases & Bulletins


  • 31 Oct 2023 10:20 AM | Zachary Edgar (Administrator)

    OCR Settles with Business Associate in attack affecting over 200,000 individuals.

    Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement under the Health Insurance Portability and Accountability Act (HIPAA) with Doctors’ Management Services, a Massachusetts medical management company that provides a variety of services, including medical billing and payor credentialing. The HIPAA Privacy, Security, and Breach Notification Rules set forth the requirements that HIPAA-regulated entities must follow to protect the privacy and security of health information. The $100,000 settlement resolves a large breach report regarding a ransomware attack that affected the electronic protected health information of 206,695 individuals. Ransomware is a type of malware (malicious software) designed to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid. This marks the first ransomware agreement OCR has reached.

    October is Cybersecurity Awareness Month, and OCR has been working with health insurers, providers, and clearinghouses covered by HIPAA to ensure better data security. Ransomware and hacking are the primary cyber-threats in health care. In the past four years, there has been a 239% increase in large breaches reported to OCR involving hacking and a 278% increase in ransomware. This trend continues in 2023, where hacking accounts for 77% of the large breaches reported to OCR. Additionally, the large breaches reported this year have affected over 88 million individuals, a 60% increase from last year.

    “Our settlement highlights how ransomware attacks are increasingly common and targeting the health care system. This leaves hospitals and their patients vulnerable to data and security breaches,” said OCR Director Melanie Fontes Rainer. “In this ever-evolving space, it is critical that our health care system take steps to identify and address cybersecurity vulnerabilities, along with proactively and regularly reviewing risks and records and updating policies. These practices should happen regularly across an enterprise to prevent future attacks.”

    On April 22, 2019, Doctors’ Management Services filed a breach report with HHS stating that approximately 206,695 individuals were affected when their network server was infected with GandCrab ransomware. The initial unauthorized access to the network occurred on April 1, 2017; however, Doctors’ Management Services did not detect the intrusion until December 24, 2018, after ransomware was used to encrypt their files. In April 2019, OCR began its investigation.

    OCR’s investigation found evidence of potential failures by Doctors’ Management Services to have in place an analysis to determine the potential risks and vulnerabilities to electronic protected health information across the organization. Other findings included insufficient monitoring of its health information systems’ activity to protect against a cyber-attack, and a lack of policies and procedures in place to implement the requirements of the HIPAA Security Rule to protect the confidentiality, integrity, and availability of electronic protected health information.

    Under the terms of the settlement agreement, OCR will monitor Doctors’ Management Services for three years to ensure compliance with HIPAA. In addition, Doctors’ Management Services has agreed to pay $100,000 to OCR and to implement a corrective action plan, which identifies steps that Doctors’ Management Services will take to resolve potential violations of the HIPAA Privacy and Security Rules and protect the security of electronic protected health information, including:

    • Review and update its Risk Analysis to identify the potential risks and vulnerabilities to Doctors’ Management Services’ data, to protect the confidentiality, integrity, and availability of electronic protected health information.
    • Update its enterprise-wide Risk Management Plan (strategy to protect the confidentiality, integrity, and availability of ePHI) to address and mitigate any security risks and vulnerabilities found in the updated Risk Analysis.
    • Review and revise, if necessary, its written policies and procedures to comply with the Privacy and Security Rules.
    • Provide workforce training on HIPAA policies and procedures.

    OCR recommends health care providers, health plans, clearinghouses, and business associates that are covered by HIPAA take the following best practices to mitigate or prevent cyber-threats:

    • Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations.
    • Integrate risk analysis and risk management into business processes, conducted regularly and when new technologies and business operations are planned.
    • Ensure audit controls are in place to record and examine information system activity.
    • Implement regular review of information system activity.
    • Utilize multi-factor authentication to ensure only authorized users are accessing ePHI.
    • Encrypt ePHI to guard against unauthorized access to ePHI.
    • Incorporate lessons learned from incidents into the overall security management process.
    • Provide training specific to the organization and job responsibilities and on a regular basis; reinforce workforce members’ critical role in protecting privacy and security.

    Reference

    HIPAA News Releases & Bulletins


  • 19 Oct 2023 10:19 AM | Zachary Edgar (Administrator)

    Last year, the Department of Health and Human Services’ (HHS) Health Sector Cybersecurity Coordination Center (HC3) released a threat brief on the different types of social engineering that hackers use to gain access to healthcare information systems and data. The threat brief recommended several protective measures to combat social engineering, one of which was holding “every department accountable for security.” An organization’s sanction policies can be an important tool for supporting accountability and improving cybersecurity and data protection. Sanction policies can be used to address the intentional actions of malicious insiders, such as the stealing of data by identity-theft rings, as well as workforce member failures to comply with policies and procedures, such as failing to secure data on a network server or investigate a potential security incident.

    The HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”) require covered entities and business associates (“regulated entities”) to ensure that workforce members comply with the HIPAA Rules. Regulated entities are responsible for protecting the privacy and security of protected health information (PHI) by training their workforce, adopting written policies and procedures, and sanctioning workforce members who violate those policies and procedures.

    Sanction policies are specifically required by both the Privacy Rule and the Security Rule:

    • The Privacy Rule requires covered entities to “have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of [the Privacy Rule] or [the Breach Notification Rule] of this part.”
    • The Security Rule requires covered entities and business associates to: “[a]pply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.”

    The Functions of a Sanction Policy

    Sanction policies can improve a regulated entity’s compliance with the HIPAA Rules. Imposing consequences on workforce members who violate a regulated entity’s policies or the HIPAA Rules can be effective in creating a culture of HIPAA compliance and improved cybersecurity, because the knowledge that there is “a negative consequence to noncompliance enhances the likelihood of compliance.” Training workforce members on a regulated entity’s sanction policy can also promote compliance and greater cybersecurity vigilance by informing workforce members in advance which “actions are prohibited and punishable.” A sanction policy that clearly communicates a regulated entity’s expectations should ensure that workforce members understand their individual compliance obligations and the consequences of noncompliance.

    Content: What Should a Sanction Policy Look Like?

    Because HIPAA regulated entities “are so varied in terms of installed technology, size, resources, and relative risk,” the HIPAA Rules allow for a flexibility of approach to achieve compliance. This flexibility of approach also extends to sanction policies: the Privacy Rule preamble states that “we leave the details of sanction policies to the discretion of the covered entity . . . [that] will be familiar with the circumstances of the violation . . . .” Similarly, the Security Rule preamble states that regulated entities “have the flexibility to implement the standard in a manner consistent with numerous factors, including such things as, but not limited to, their size, degree of risk, and environment.”

    The HIPAA Rules do not require regulated entities to impose any specific penalty for any individual violation, or to implement any particular sanction methodology. Rather, in any individual case “[t]he type and severity of sanctions imposed, and for what causes, must be determined by each covered entity [or business associate] based upon its security policy and the relative severity of the violation.” Regulated entities may structure their sanction policies in the manner most suitable to their organization.

    Regulated entities may want to consider the following when drafting or revising their sanction policies: 

    • Documenting or implementing sanction policies pursuant to a formal process.
    • Requiring workforce members to affirmatively acknowledge that a violation of the organization’s HIPAA policies or procedures may result in sanctions.
    • Documenting the sanction process, including the personnel involved, the procedural steps, the time-period, the reason for the sanction(s), and the final outcome of an investigation. NOTE: These records should be retained for at least six years.
    • Creating sanctions that are “appropriate to the nature of the violation.”
    • Creating sanctions that “vary depending on factors such as the severity of the violation, whether the violation was intentional or unintentional, and whether the violation indicated a pattern or practice of improper use or disclosure of protected health information.”
    • Creating sanctions that “range from a warning to termination.”
    • Providing examples “of potential violations of policy and procedures.”

    By making these considerations, regulated entities can craft a thoughtful and well-documented sanction policy that informs workforce members of the regulated entity’s expectations, deters misconduct, and promotes HIPAA compliance through greater understanding and transparency of the policies and procedures that protect the privacy and security of PHI.    

    Execution: Sanctioning Consistently

    How a regulated entity implements its sanction policy is just as important as the policy’s content. It is important for a regulated entity to consider whether its sanction policies align with its general disciplinary policies, and how the individuals or departments involved in the sanction processes can work in concert, when appropriate. Regulated entities may also want to consider how sanction policies can be fairly and consistently applied throughout the organization, to all workforce members, including management. Indeed, sanctioning workforce members inconsistently can undermine the integrity of a regulated entity’s compliance program.

    In 2017 and 2018, OCR resolved two investigations with regulated entities that potentially violated the HIPAA Rules’ sanctions requirements. In the first case, OCR found evidence that the regulated entity potentially “impermissibly disclosed the patient’s PHI through press releases issued to fifteen media outlets and/or reporters,” and senior leaders disclosed the patient’s PHI to advocacy groups and in a published statement on their website. OCR also found evidence that the regulated entity potentially “failed to document timely the sanctions imposed against members of its workforce who failed to comply with its privacy policies and procedures or the Privacy Rule.” In the second case, OCR found evidence of a potential violation of the sanction requirements when a workforce member allegedly disclosed PHI to a reporter, and then the regulated entity allegedly “failed to apply appropriate sanctions against its Workforce Member who failed to comply with the entity's privacy policies and procedures and the Privacy Rule.”

    Conclusion

    Sanction policies offer a great opportunity for regulated entities to establish and communicate compliance obligations and expectations to their workforce members. The deterrent effect of penalizing noncompliance and misconduct paired with clear communications about the consequences of noncompliance can promote greater compliance with the HIPAA Rules through accountability, understanding, and transparency. At a time when the need for constant vigilance to protect ePHI is at an all-time high due to hacking and other threats to the privacy and security of health information, regulated entities should make sure that their policies and practices include sanction policies that hold all workforce members accountable for noncompliance with the HIPAA Rules.

    Reference

    HIPAA News Releases & Bulletins


  • 11 Sep 2023 10:17 AM | Zachary Edgar (Administrator)

    LA Care, the largest publicly operated health plan in the country, paid $1,300,000 to settle

    Today, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement of potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules with LA Care, the nation's largest publicly operated health plan that provides health care benefits and coverage through state, federal, and commercial programs. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules that set the requirements that HIPAA-regulated entities must follow to protect the privacy and security of protected health information (PHI).  The settlement concludes two OCR investigations initiated from a large breach report and a media article regarding a separate security incident.  Under the agreement, LA Care agreed to pay $1,300,000 and to implement a corrective action plan, discussed in further detail below, which identifies steps LA Care will take to resolve these potential violations of the HIPAA Security Rule and protect the security of electronic protected health information (ePHI). 

    “Breaches of protected health information by a HIPAA-regulated entity often reveal systemic noncompliance with the HIPAA Rules,” said OCR Director Melanie Fontes Rainer. “HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies. Entities such as LA Care must protect the health information of its insureds while providing health care for the most vulnerable residents of Los Angeles County through its coverage, which includes Medicaid, Medicare, and Affordable Care Act health plans.”

    The potential violations in this case included:

    • Failure to conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to ePHI across the organization,
    • Failure to implement security measures sufficient to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level,
    • Failure to implement sufficient procedures to regularly review records of information system activity,
    • Failure to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of ePHI, and
    • Failure to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

    OCR’s investigation found evidence of potential noncompliance with the HIPAA Privacy and Security Rules across LA Care’s organization, a serious concern given the size of this covered entity.   In addition to the monetary settlement, LA Care has agreed to take the following steps under a comprehensive corrective action plan that will be monitored for three years by OCR to ensure compliance with HIPAA:

    • Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization.
    • Develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
    • Develop, implement, and distribute policies and procedures for a risk analysis and risk management plan.
    • Report to HHS when it conducts an evaluation due to an environmental and operational change that affects the security of ePHI in LA Care’s possession or control.
    • Report to HHS within thirty (30) days when workforce members fail to comply with the HIPAA Rules.

    Reference

    HIPAA News Releases & Bulletins
