
HIPAA Blog and Updates

Welcome to our HIPAA blog. Here we post news, articles, and site updates on HIPAA.

  • 6 Apr 2022 9:57 AM | Zachary Edgar (Administrator)

    The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) today released a Request for Information (RFI) seeking input from the public on two requirements of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), as amended in 2021.  The growing number of cybersecurity threats are a significant concern driving the need for enhanced safeguards of electronic protected health information (ePHI).  This RFI will enable OCR to consider ways to support the healthcare industry’s implementation of recognized security practices. The RFI also will help OCR consider ways to share funds collected through enforcement with individuals who are harmed by violations of the HIPAA Rules.

    “This request for information has long been anticipated, and we look forward to reviewing the input we receive from the public and regulated industry alike on these important topics,” said OCR Director Lisa J. Pino. “I encourage those who have been historically underserved, marginalized, or subject to discrimination or systemic disadvantage to comment on this RFI, so we hear your voice and fully consider your interests in future rulemaking and guidance.”

    Through today’s RFI, OCR is seeking public comment on the following provisions of law:

    • Recognized Security Practices. Section 13412 of the HITECH Act requires HHS to take into consideration certain recognized security practices of covered entities (health plans, health care clearinghouses, and most health care providers) and business associates when determining potential fines, audit results, or other remedies for resolving potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule pursuant to an investigation, compliance review, or audit. Public Law 116-321 went into effect when it was signed into law on January 5, 2021.

      One of the primary goals of this provision is to encourage covered entities and business associates to do “everything in their power to safeguard patient data.”

      The RFI solicits comment on how covered entities and business associates are implementing “recognized security practices,” how they anticipate adequately demonstrating that recognized security practices are in place, and any implementation issues they would like OCR to clarify through future guidance or rulemaking.

    • Civil Money Penalty (CMP) and Settlement Sharing. Section 13410(c)(3) of the HITECH Act requires HHS to establish by regulation a methodology under which an individual harmed by a potential violation of the HIPAA Privacy, Security, and/or Breach Notification Rules may receive a percentage of any CMP or monetary settlement collected with respect to such offense. Section 13140(d)(1) of HITECH requires that OCR base determinations of appropriate penalty amounts on the nature and extent of the violation and the nature and extent of the harm resulting from such violation. The HITECH Act does not define “harm,” nor does it provide direction to aid HHS in defining the term.

      The RFI solicits public comment on the types of harms that should be considered in the distribution of CMPs and monetary settlements to harmed individuals, discusses potential methodologies for sharing and distributing monies to harmed individuals, and invites the public to submit alternative methodologies.

    OCR encourages comments from all stakeholders, including patients and their families, HIPAA covered entities and their business associates, consumer advocates, health care professional associations, health information management professionals, health information technology vendors, and government entities.

    Individuals seeking more information about the RFI or how to provide written or electronic comments to OCR should visit the Federal Register to learn more: https://www.federalregister.gov/documents/2022/04/06/2022-07210/considerations-for-implementing-the-health-information-technology-for-economic-and-clinical-health


  • 28 Mar 2022 9:57 AM | Zachary Edgar (Administrator)

    The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the resolution of three investigations and one matter before an Administrative Law Judge related to compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Two of these cases are part of OCR’s HIPAA Right of Access Initiative, bringing the total number of these enforcement actions to twenty-seven since the initiative began. OCR created this initiative to support individuals' right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule. The other enforcement actions result from healthcare providers impermissibly disclosing their patients’ protected health information (PHI). OCR has taken the following enforcement actions that underscore the importance and necessity of compliance with the HIPAA Rules, including the foundational Right of Access provision:


  • 28 Feb 2022 9:56 AM | Zachary Edgar (Administrator)

    Cyberattacks grabbed headlines throughout 2021 as hacking and IT incidents affected government agencies, major companies, and even supply chains for essential goods, like gasoline.  For healthcare, this year was even more turbulent as cybercriminals took advantage of hospitals and healthcare systems responding to the Covid-19 pandemic.  More than one health care provider was forced to cancel surgeries, radiology exams, and other services, because their systems, software, and/or networks had been disabled. And at the end of December, a critical vulnerability in a widely used Java-based software known as “Log4j” grabbed headlines with warnings about the potential risks this security flaw could pose for organizations of all sizes.  Such unpatched vulnerabilities give hackers easy access to an organization’s computer server, and possible entry into other parts of a network. These reports underscore why it is so important for health care to be vigilant in their approach to cybersecurity. With these risks in mind, I would like to call on covered entities and business associates to strengthen your organization’s cyber posture in 2022.

    All too often, we see that risk analyses only cover the electronic health record.  I cannot underscore enough the importance of enterprise-wide risk analysis.  Risk management strategies need to be comprehensive in scope.  You should fully understand where all electronic protected health information (ePHI) exists across your organization – from software, to connected devices, legacy systems, and elsewhere across your network.

    If you haven’t looked at your risk management policies and procedures recently to prevent or mitigate these concerns, now is the time to do so.  Some best practices include:

    • Maintaining offline, encrypted backups of data and regularly testing your backups;
    • Conducting regular scans to identify and address vulnerabilities, especially those on internet-facing devices, to limit the attack surface;
    • Regularly patching and updating software and operating systems; and
    • Training your employees regarding phishing and other common IT attacks.

    Good cyber hygiene habits help keep your network healthy and protect the ePHI on your systems.  OCR is here to help with guidance and resources:


  • 20 Dec 2021 9:55 AM | Zachary Edgar (Administrator)

    The U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), is issuing guidance to help clarify how the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule permits covered health care providers to disclose protected health information to support applications for extreme risk protection orders that temporarily prevent a person in crisis, who poses a danger to themselves or others, from accessing firearms. This guidance helps implement the U.S. Department of Justice's model extreme risk protection order legislation, which provides a framework for states to consider in creating laws allowing law enforcement, concerned family members, or others to seek these orders and to intervene in an effort to save lives. These orders can be an important step toward improving the public's safety by helping to prevent firearm injuries and deaths.

    The guidance issued today by OCR provides new guidance to support an extreme risk protection order on how HIPAA allows covered health care providers to disclose protected health information about an individual, without the individual's authorization. The guidance includes specific examples for each permission.

    "Too often, communities bear the weight of heartbreaking tragedies caused by the epidemic of gun violence in our country," said HHS Secretary Xavier Becerra. "Today's guidance on HIPAA and Extreme Risk Protection Orders is an important step the Biden-Harris Administration is taking towards protecting communities from gun violence by allowing law enforcement, concerned family members, or others to prevent a person in crisis from accessing firearms."

    "HIPAA should not be a barrier to communication for law enforcement, concerned family members, health care providers, and others when they see an individual in crisis," said OCR Director Lisa J. Pino. "Today's guidance helps clarify legal requirements and better support individuals in crisis."

    The Guidance on HIPAA and Disclosures of Protected Health Information for Extreme Risk Protection Orders may be found at: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/extreme-risk-protection-orders/index.html.


  • 30 Sep 2021 2:59 PM | Zachary Edgar (Administrator)

    Today, the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) issued guidance to help the public understand when the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule applies to disclosures and requests for information about whether a person has received a COVID-19 vaccine.

    The guidance reminds the public that the HIPAA Privacy Rule does not apply to employers or employment records. This is because the HIPAA Privacy Rule only applies to HIPAA covered entities (health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions), and, in some cases, to their business associates.

    Today's guidance addresses common workplace scenarios and answers questions about whether and how the HIPAA Privacy Rule applies. This information will be helpful to the public as we continue to navigate the COVID-19 pandemic.

    "We are issuing this guidance to help consumers, businesses, and health care entities understand when HIPAA applies to disclosures about COVID-19 vaccination status and to ensure that they have the information they need to make informed decisions about protecting themselves and others from COVID-19," said OCR Director Lisa Pino.

    The Guidance on HIPAA, COVID-19 Vaccinations, and the Workplace may be found at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-covid-19-vaccination-workplace/index.html.

  • 10 Sep 2021 3:00 PM | Zachary Edgar (Administrator)

    The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announces the resolution of its twentieth investigation in its HIPAA Right of Access Initiative.  OCR created this initiative to support individuals’ right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule.  Children’s Hospital & Medical Center (CHMC) has agreed to take corrective actions and pay $80,000 to settle a potential violation of the HIPAA Privacy Rule’s right of access standard.  CHMC is located in Omaha, Nebraska, and provides pediatric health care services.

  • 2 Jun 2021 3:02 PM | Zachary Edgar (Administrator)

    The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services has announced its nineteenth settlement of an enforcement action in its HIPAA Right of Access Initiative, which supports individuals' right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule. The Diabetes, Endocrinology & Lipidology Center, Inc. (“DELC”) has agreed to take corrective actions and pay $5,000 to settle a potential violation of the HIPAA Privacy Rule's right of access standard. DELC is a West Virginia based healthcare provider that provides treatment for Endocrine disorders.

  • 25 May 2021 3:03 PM | Zachary Edgar (Administrator)

    Peachstate Health Management, LLC, doing business as AEON Clinical Laboratories (Peachstate), has agreed to pay $25,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.  Peachstate is based in Georgia and is certified under the Clinical Laboratory Improvement Amendments of 1988 (CLIA).  Peachstate provides diagnostic and laboratory-developed tests, including clinical and genetic testing services.

  • 26 Mar 2021 3:04 PM | Zachary Edgar (Administrator)

    The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announces its eighteenth settlement of an enforcement action in its HIPAA Right of Access Initiative. OCR announced this initiative to support individuals' right to timely access of their health records at a reasonable cost under the HIPAA Privacy Rule. Village Plastic Surgery ("VPS") has agreed to take corrective actions and pay $30,000 to settle a potential violation of the HIPAA Privacy Rule's right of access standard. VPS is located in New Jersey and provides cosmetic plastic surgery services.

  • 24 Mar 2021 3:05 PM | Zachary Edgar (Administrator)

    The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announces its seventeenth settlement of an enforcement action in its HIPAA Right of Access Initiative.  OCR announced this initiative to support individuals' right to timely access to their health records at a reasonable cost under the HIPAA Privacy Rule.

    The Arbour, Inc., doing business as Arbour Hospital ("Arbour"), has agreed to take corrective actions and pay $65,000 to settle a potential violation of the HIPAA Privacy Rule's right of access standard. Arbour is located in Massachusetts and provides behavioral health services.
