
HIPAA Blog and Updates

Welcome to our HIPAA blog.  Here we post news, articles, and site updates on HIPAA.

  • 8 May 2023 12:16 PM | Zachary Edgar (Administrator)

    OCR has announced a settlement with David Mente, MA, LPC (“Mente”), a licensed counselor providing psychotherapy services in Pittsburgh, Pennsylvania, concerning a potential violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule's right of access provision. The rule requires that patients be able to access their health information in a timely manner. This investigation marks the 44th case to be resolved under OCR’s HIPAA Right of Access Initiative, designed to improve compliance by regulated entities with the law.  Under the resolution agreement (RA), Mente must respond to the right of access request without delay, implement a corrective action plan (CAP) to be in compliance with the HIPAA Privacy Rule and pay a resolution amount of $15,000:

    Reference

    HIPAA News Releases & Bulletins


  • 11 Apr 2023 12:11 PM | Zachary Edgar (Administrator)

    Today, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announces that the Notifications of Enforcement Discretion issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act during the COVID-19 public health emergency will expire at 11:59 pm on May 11, 2023, due to the expiration of the COVID-19 public health emergency.

    “OCR exercised HIPAA enforcement discretion throughout the COVID-19 public health emergency to support the health care sector and the public in responding to this pandemic,” said Melanie Fontes Rainer, OCR Director. “OCR is continuing to support the use of telehealth after the public health emergency by providing a transition period for health care providers to make any changes to their operations that are needed to provide telehealth in a private and secure manner in compliance with the HIPAA Rules.”

    In 2020 and 2021, OCR published four Notifications of Enforcement Discretion in the Federal Register regarding how the Privacy, Security, Breach Notification, and Enforcement Rules (“HIPAA Rules”) would be applied to certain violations during the COVID-19 nationwide public health emergency. These Notifications and the effective beginning and end dates are:

    OCR is providing a 90-calendar day transition period for covered health care providers to come into compliance with the HIPAA Rules with respect to their provision of telehealth. The transition period will be in effect beginning on May 12, 2023 and will expire at 11:59 p.m. on August 9, 2023. OCR will continue to exercise its enforcement discretion and will not impose penalties on covered health care providers for noncompliance with the HIPAA Rules that occurs in connection with the good faith provision of telehealth during the 90-calendar day transition period.

    The Notice of Expiration of Certain Notifications of Enforcement Discretion Issued in Response to the COVID-19 Nationwide Public Health Emergency may be found at: https://public-inspection.federalregister.gov/2023-07824.pdf.

    Reference

    HIPAA News Releases & Bulletins


  • 2 Feb 2023 12:04 PM | Zachary Edgar (Administrator)

    Banner Health pays $1.25 million to settle cybersecurity breach that affected nearly 3 million people

    OCR has announced a settlement with Banner Health Affiliated Covered Entities (“Banner Health”), a nonprofit health system headquartered in Phoenix, Arizona, to resolve a data breach resulting from a hacking incident by a threat actor in 2016 which disclosed the protected health information of 2.81 million consumers. The potential violations specifically include: the lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization, insufficient monitoring of its health information systems’ activity to protect against a cyber-attack, failure to implement an authentication process to safeguard its electronic protected health information, and failure to have security measures in place to protect electronic protected health information from unauthorized access when it was being transmitted electronically. As a result, Banner Health paid $1,250,000 to OCR and agreed to implement a corrective action plan, which identifies steps Banner Health will take to resolve these potential violations of the HIPAA Security Rule and protect the security of electronic patient health information:

    Read the HHS Press Release

    Read the Resolution Agreement and Corrective Action Plan

    Reference

    HIPAA News Releases & Bulletins


  • 1 Dec 2022 12:03 PM | Zachary Edgar (Administrator)

    Today, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services issued a bulletin to highlight the obligations of Health Insurance Portability and Accountability Act of 1996 (HIPAA) on covered entities and business associates (“regulated entities”) under the HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”) when using online tracking technologies.  These online tracking technologies, like Google Analytics or Meta Pixel, collect and analyze information about how internet users are interacting with a regulated entity’s website or mobile application.

    Some regulated entities regularly share electronic protected health information (ePHI) with online tracking technology vendors and some may be doing so in a manner that violates the HIPAA Rules.  The HIPAA Rules apply when the information that regulated entities collect through tracking technologies or disclose to tracking technology vendors includes ePHI.  Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA Rules.

    Today’s bulletin addresses potential impermissible disclosures of ePHI by HIPAA regulated entities to online technology tracking vendors. The Bulletin explains what tracking technologies are, how they are used, and what steps regulated entities must take to protect ePHI when using tracking technologies to comply with the HIPAA Rules.  Specifically, the Bulletin provides insight and examples of:

    • Tracking on webpages
    • Tracking within mobile apps
    • HIPAA compliance obligations for regulated entities when using tracking technologies

    “Providers, health plans, and HIPAA-regulated entities, including technology platforms, must follow the law.  This means considering the risks to patients’ health information when using tracking technologies,” said OCR Director Melanie Fontes Rainer. “Our Bulletin answers questions for those using tracking technologies, importantly how to protect the privacy and security of the health information they hold.”

    Read the Bulletin here: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html

    Reference

    HIPAA News Releases & Bulletins


  • 20 Sep 2022 12:00 PM | Zachary Edgar (Administrator)

    The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced the resolution of three investigations concerning potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule's patient right of access to their medical records. These cases are part of a collective effort, bringing the total to 41 cases, to drive compliance on right of access under the law. OCR has taken the following enforcement actions that underscore the importance and necessity of compliance with the HIPAA Right of Access:

    Reference

    HIPAA News Releases & Bulletins

  • 23 Aug 2022 9:29 AM | Zachary Edgar (Administrator)

    OCR announced a settlement with New England Dermatology P.C., d/b/a New England Dermatology and Laser Center (“NEDLC”), over the improper disposal of protected health information, a potential violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. As a result, NEDLC paid $300,640 to OCR and agreed to implement a corrective action plan to resolve this investigation. NEDLC is located in Massachusetts and provides dermatology services.

    Reference

    HIPAA News Releases & Bulletins

  • 15 Jul 2022 9:20 AM | Zachary Edgar (Administrator)

    Today, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced the resolution of eleven investigations in its Health Insurance Portability and Accountability Act (HIPAA) Right of Access Initiative, bringing the total number of these enforcement actions to thirty-eight since the initiative began.  OCR created this initiative to support individuals' right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule.

    Reference

    HIPAA News Releases & Bulletins


  • 14 Jul 2022 12:59 PM | Zachary Edgar (Administrator)

    Oklahoma State University – Center for Health Sciences (OSU-CHS) has paid $875,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and agreed to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules. OSU-CHS is a public land-grant research university which provides preventive, rehabilitative, and diagnostic care in Oklahoma.

    Reference

    HIPAA News Releases & Bulletins


  • 29 Jun 2022 12:46 PM | Zachary Edgar (Administrator)

    On the heels of the Supreme Court ruling in Dobbs vs. Jackson Women’s Health Organization, where the right to safe and legal abortion was taken away, President Biden and U.S. Department of Health and Human Services (HHS) Secretary Xavier Becerra called on HHS agencies to take action to protect access to sexual and reproductive health care, including abortion, pregnancy complications, and other related care. Today, in direct response, the HHS Office for Civil Rights (OCR) issued new guidance to help protect patients seeking reproductive health care, as well as their providers.

    In general, the guidance does two things:

    1. Addresses how federal law and regulations protect individuals’ private medical information (known as protected health information or PHI) relating to abortion and other sexual and reproductive health care – making it clear that providers are not required to disclose private medical information to third parties; and
    2. Addresses the extent to which private medical information is protected on personal cell phones and tablets, and provides tips for protecting individuals’ privacy when using period trackers and other health information apps.

    According to recent reports, many patients are concerned that period trackers and other health information apps on smartphones may threaten their right to privacy by disclosing geolocation data which may be misused by those seeking to deny care.

    “How you access health care should not make you a target for discrimination. HHS stands with patients and providers in protecting HIPAA privacy rights and reproductive health care information,” said HHS Secretary Xavier Becerra. “Anyone who believes their privacy rights have been violated can file a complaint with OCR as we are making this an enforcement priority. Today’s action is part of my commitment to President Biden to protect access to health care, including abortion care and other forms of sexual and reproductive health care.”

    This guidance addresses the circumstances under which the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule permits disclosure of PHI without an individual’s authorization. It explains that disclosures for purposes not related to health care, such as disclosures to law enforcement officials, are permitted only in narrow circumstances tailored to protect the individual’s privacy and support their access to health care, including abortion care. Specifically, the guidance:

    • Reminds HIPAA covered entities and business associates that they can use and disclose PHI, without an individual’s signed authorization, only as expressly permitted or required by the Privacy Rule.
    • Explains the Privacy Rule’s restrictions on disclosures of PHI when required by law, for law enforcement purposes, and to avert a serious threat to health or safety.

    OCR is also issuing information for individuals about protecting the privacy and security of their health information when using their personal cell phone or tablet. This guidance explains that, in most cases, the HIPAA Privacy, Security, and Breach Notification Rules do not protect the privacy or security of individuals’ health information when they access or store the information on personal cell phones or tablets. This guidance also provides tips about steps an individual can take to decrease how their cell phone or tablet collects and shares their health and other personal information without the individual’s knowledge. This guidance:

    • Explains how to turn off the location services on Apple and Android devices.
    • Identifies best practices for selecting apps, browsers, and search engines that are recognized as supporting increased privacy and security.

    The guidance on the HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care may be found at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html.

    The guidance on Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet may be found at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/cell-phone-hipaa/index.html.

    Reference

    HIPAA News Releases & Bulletins

  • 13 Jun 2022 9:59 AM | Zachary Edgar (Administrator)

    The U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), is issuing guidance on how covered health care providers and health plans can use remote communication technologies to provide audio-only telehealth services when such communications are conducted in a manner that is consistent with the applicable requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules, including when OCR’s Notification of Enforcement Discretion for Telehealth is no longer in effect.

    This guidance will help individuals to continue to benefit from audio-only telehealth by clarifying how covered entities can provide these services in compliance with the HIPAA Rules and by improving public confidence that covered entities are protecting the privacy and security of their health information.

    While telehealth can significantly expand access to health care, certain populations may have difficulty accessing or be unable to access technologies used for audio-video telehealth because of various factors, including financial resources, limited English proficiency, disability, internet access, availability of sufficient broadband, and cell coverage in the geographic area.  Audio-only telehealth, especially using technologies that do not require broadband availability, can help address the needs of some of these individuals.

    “Audio telehealth is an important tool to reach patients in rural communities, individuals with disabilities, and others seeking the convenience of remote options. This guidance explains how the HIPAA Rules permit health care providers and plans to offer audio telehealth while protecting the privacy and security of individuals’ health information,” said OCR Director Lisa J. Pino.

    The Guidance on How the HIPAA Rules Permit Health Plans and Covered Health Care Providers to Use Remote Communication Technologies for Audio-Only Telehealth may be found at: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-audio-telehealth/index.html.

