
HIPAA Compliance Updates

Welcome to our HIPAA compliance updates and news. Here we post news, articles, and site updates on HIPAA.

  • 20 Sep 2022 12:00 PM | Zachary Edgar (Administrator)

    The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced the resolution of three investigations concerning potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule's patient right of access to their medical records. These cases are part of a collective effort, bringing the total to 41 cases, to drive compliance on right of access under the law. OCR has taken the following enforcement actions that underscore the importance and necessity of compliance with the HIPAA Right of Access:

    Reference

    HIPAA News Releases & Bulletins

  • 23 Aug 2022 9:29 AM | Zachary Edgar (Administrator)

    OCR announced a settlement with New England Dermatology P.C., d/b/a New England Dermatology and Laser Center (“NEDLC”), over the improper disposal of protected health information, a potential violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. As a result, NEDLC paid $300,640 to OCR and agreed to implement a corrective action plan to resolve this investigation. NEDLC is located in Massachusetts and provides dermatology services.

    Reference

    HIPAA News Releases & Bulletins

  • 15 Jul 2022 9:20 AM | Zachary Edgar (Administrator)

    Today, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced the resolution of eleven investigations in its Health Insurance Portability and Accountability Act (HIPAA) Right of Access Initiative, bringing the total number of these enforcement actions to thirty-eight since the initiative began.  OCR created this initiative to support individuals' right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule.

    Reference

    HIPAA News Releases & Bulletins


  • 14 Jul 2022 12:59 PM | Zachary Edgar (Administrator)

    Oklahoma State University – Center for Health Sciences (OSU-CHS) has paid $875,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and agreed to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules. OSU-CHS is a public land-grant research university which provides preventive, rehabilitative, and diagnostic care in Oklahoma.

    Reference

    HIPAA News Releases & Bulletins


  • 29 Jun 2022 12:46 PM | Zachary Edgar (Administrator)

    On the heels of the Supreme Court ruling in Dobbs vs. Jackson Women’s Health Organization, where the right to safe and legal abortion was taken away, President Biden and U.S. Department of Health and Human Services (HHS) Secretary Xavier Becerra called on HHS agencies to take action to protect access to sexual and reproductive health care, including abortion, pregnancy complications, and other related care. Today, in direct response, the HHS Office for Civil Rights (OCR) issued new guidance to help protect patients seeking reproductive health care, as well as their providers.

    In general, the guidance does two things:

    1. Addresses how federal law and regulations protect individuals’ private medical information (known as protected health information or PHI) relating to abortion and other sexual and reproductive health care – making it clear that providers are not required to disclose private medical information to third parties; and
    2. Addresses the extent to which private medical information is protected on personal cell phones and tablets, and provides tips for protecting individuals’ privacy when using period trackers and other health information apps.

    According to recent reports, many patients are concerned that period trackers and other health information apps on smartphones may threaten their right to privacy by disclosing geolocation data which may be misused by those seeking to deny care.

    “How you access health care should not make you a target for discrimination. HHS stands with patients and providers in protecting HIPAA privacy rights and reproductive health care information,” said HHS Secretary Xavier Becerra. “Anyone who believes their privacy rights have been violated can file a complaint with OCR as we are making this an enforcement priority. Today’s action is part of my commitment to President Biden to protect access to health care, including abortion care and other forms of sexual and reproductive health care.”

    This guidance addresses the circumstances under which the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule permits disclosure of PHI without an individual’s authorization. It explains that disclosures for purposes not related to health care, such as disclosures to law enforcement officials, are permitted only in narrow circumstances tailored to protect the individual’s privacy and support their access to health care, including abortion care. Specifically, the guidance:

    • Reminds HIPAA covered entities and business associates that they can use and disclose PHI, without an individual’s signed authorization, only as expressly permitted or required by the Privacy Rule.
    • Explains the Privacy Rule’s restrictions on disclosures of PHI when required by law, for law enforcement purposes, and to avert a serious threat to health or safety.

    OCR is also issuing information for individuals about protecting the privacy and security of their health information when using their personal cell phone or tablet. This guidance explains that, in most cases, the HIPAA Privacy, Security, and Breach Notification Rules do not protect the privacy or security of individuals’ health information when they access or store the information on personal cell phones or tablets. This guidance also provides tips about steps an individual can take to decrease how their cell phone or tablet collects and shares their health and other personal information without the individual’s knowledge. This guidance:

    • Explains how to turn off the location services on Apple and Android devices.
    • Identifies best practices for selecting apps, browsers, and search engines that are recognized as supporting increased privacy and security.

    The guidance on the HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care may be found at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html.

    The guidance on Protecting the Privacy and Security of Your Health Information When Using Your Personal Cell Phone or Tablet may be found at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/cell-phone-hipaa/index.html.

    Reference

    HIPAA News Releases & Bulletins

  • 13 Jun 2022 9:59 AM | Zachary Edgar (Administrator)

    The U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), is issuing guidance on how covered health care providers and health plans can use remote communication technologies to provide audio-only telehealth services when such communications are conducted in a manner that is consistent with the applicable requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules, including when OCR’s Notification of Enforcement Discretion for Telehealth is no longer in effect.

    This guidance will help individuals to continue to benefit from audio-only telehealth by clarifying how covered entities can provide these services in compliance with the HIPAA Rules and by improving public confidence that covered entities are protecting the privacy and security of their health information.

    While telehealth can significantly expand access to health care, certain populations may have difficulty accessing or be unable to access technologies used for audio-video telehealth because of various factors, including financial resources, limited English proficiency, disability, internet access, availability of sufficient broadband, and cell coverage in the geographic area.  Audio-only telehealth, especially using technologies that do not require broadband availability, can help address the needs of some of these individuals.

    “Audio telehealth is an important tool to reach patients in rural communities, individuals with disabilities, and others seeking the convenience of remote options. This guidance explains how the HIPAA Rules permit health care providers and plans to offer audio telehealth while protecting the privacy and security of individuals’ health information,” said OCR Director Lisa J. Pino.

    The Guidance on How the HIPAA Rules Permit Health Plans and Covered Health Care Providers to Use Remote Communication Technologies for Audio-Only Telehealth may be found at: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-audio-telehealth/index.html.


  • 6 Apr 2022 9:57 AM | Zachary Edgar (Administrator)

    The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) today released a Request for Information (RFI) seeking input from the public on two requirements of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), as amended in 2021.  The growing number of cybersecurity threats are a significant concern driving the need for enhanced safeguards of electronic protected health information (ePHI).  This RFI will enable OCR to consider ways to support the healthcare industry’s implementation of recognized security practices. The RFI also will help OCR consider ways to share funds collected through enforcement with individuals who are harmed by violations of the HIPAA Rules.

    “This request for information has long been anticipated, and we look forward to reviewing the input we receive from the public and regulated industry alike on these important topics,” said OCR Director Lisa J. Pino. “I encourage those who have been historically underserved, marginalized, or subject to discrimination or systemic disadvantage to comment on this RFI, so we hear your voice and fully consider your interests in future rulemaking and guidance.”

    Through today’s RFI, OCR is seeking public comment on the following provisions of law:

    • Recognized Security Practices. Section 13412 of the HITECH Act requires HHS to take into consideration certain recognized security practices of covered entities (health plans, health care clearinghouses, and most health care providers) and business associates when determining potential fines, audit results, or other remedies for resolving potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule pursuant to an investigation, compliance review, or audit. Public Law 116-321 went into effect when it was signed into law on January 5, 2021.

      One of the primary goals of this provision is to encourage covered entities and business associates to do “everything in their power to safeguard patient data.”

      The RFI solicits comment on how covered entities and business associates are implementing “recognized security practices,” how they anticipate adequately demonstrating that recognized security practices are in place, and any implementation issues they would like OCR to clarify through future guidance or rulemaking.

    • Civil Money Penalty (CMP) and Settlement Sharing. Section 13410(c)(3) of the HITECH Act requires HHS to establish by regulation a methodology under which an individual harmed by a potential violation of the HIPAA Privacy, Security, and/or Breach Notification Rules may receive a percentage of any CMP or monetary settlement collected with respect to such offense. Section 13140(d)(1) of HITECH requires that OCR base determinations of appropriate penalty amounts on the nature and extent of the violation and the nature and extent of the harm resulting from such violation. The HITECH Act does not define “harm,” nor does it provide direction to aid HHS in defining the term.

      The RFI solicits public comment on the types of harms that should be considered in the distribution of CMPs and monetary settlements to harmed individuals, discusses potential methodologies for sharing and distributing monies to harmed individuals, and invites the public to submit alternative methodologies.

    OCR encourages comments from all stakeholders, including patients and their families, HIPAA covered entities and their business associates, consumer advocates, health care professional associations, health information management professionals, health information technology vendors, and government entities.

    Individuals seeking more information about the RFI or how to provide written or electronic comments to OCR should visit the Federal Register to learn more: https://www.federalregister.gov/documents/2022/04/06/2022-07210/considerations-for-implementing-the-health-information-technology-for-economic-and-clinical-health


  • 28 Mar 2022 9:57 AM | Zachary Edgar (Administrator)

    The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the resolution of three investigations and one matter before an Administrative Law Judge related to compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Two of these cases are part of OCR’s HIPAA Right of Access Initiative, bringing the total number of these enforcement actions to twenty-seven since the initiative began. OCR created this initiative to support individuals' right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule. The other enforcement actions result from healthcare providers impermissibly disclosing their patients’ protected health information (PHI). OCR has taken the following enforcement actions that underscore the importance and necessity of compliance with the HIPAA Rules, including the foundational Right of Access provision:


  • 28 Feb 2022 9:56 AM | Zachary Edgar (Administrator)

    Cyberattacks grabbed headlines throughout 2021 as hacking and IT incidents affected government agencies, major companies, and even supply chains for essential goods, like gasoline.  For healthcare, this year was even more turbulent as cybercriminals took advantage of hospitals and healthcare systems responding to the Covid-19 pandemic.  More than one health care provider was forced to cancel surgeries, radiology exams, and other services, because their systems, software, and/or networks had been disabled. And at the end of December, a critical vulnerability in a widely used Java-based software known as “Log4j” grabbed headlines with warnings about the potential risks this security flaw could pose for organizations of all sizes.  Such unpatched vulnerabilities give hackers easy access to an organization’s computer server, and possible entry into other parts of a network. These reports underscore why it is so important for health care to be vigilant in their approach to cybersecurity. With these risks in mind, I would like to call on covered entities and business associates to strengthen your organization’s cyber posture in 2022.

    All too often, we see that risk analyses only cover the electronic health record.  I cannot underscore enough the importance of enterprise-wide risk analysis.  Risk management strategies need to be comprehensive in scope.  You should fully understand where all electronic protected health information (ePHI) exists across your organization – from software, to connected devices, legacy systems, and elsewhere across your network.

    If you haven’t looked at your risk management policies and procedures recently to prevent or mitigate these concerns, now is the time to do so.  Some best practices include:

    • Maintaining offline, encrypted backups of data and regularly testing those backups;
    • Conducting regular scans to identify and address vulnerabilities, especially those on internet-facing devices, to limit the attack surface;
    • Regularly patching and updating software and operating systems; and
    • Training your employees regarding phishing and other common IT attacks.

    Good cyber hygiene habits help keep your network healthy and protect the ePHI on your systems.  OCR is here to help with guidance and resources:


  • 20 Dec 2021 9:55 AM | Zachary Edgar (Administrator)

    The U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), is issuing guidance to help clarify how the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule permits covered health care providers to disclose protected health information to support applications for extreme risk protection orders that temporarily prevent a person in crisis, who poses a danger to themselves or others, from accessing firearms. This guidance helps implement the U.S. Department of Justice's model extreme risk protection order legislation, which provides a framework for states to consider in creating laws allowing law enforcement, concerned family members, or others to seek these orders and to intervene in an effort to save lives. These orders can be an important step toward improving the public's safety by helping to prevent firearm injuries and deaths.

    The guidance issued today by OCR provides new guidance to support an extreme risk protection order on how HIPAA allows covered health care providers to disclose protected health information about an individual, without the individual's authorization. The guidance includes specific examples for each permission.

    "Too often, communities bear the weight of heartbreaking tragedies caused by the epidemic of gun violence in our country," said HHS Secretary Xavier Becerra. "Today's guidance on HIPAA and Extreme Risk Protection Orders is an important step the Biden-Harris Administration is taking towards protecting communities from gun violence by allowing law enforcement, concerned family members, or others to prevent a person in crisis from accessing firearms."

    "HIPAA should not be a barrier to communication for law enforcement, concerned family members, health care providers, and others when they see an individual in crisis," said OCR Director Lisa J. Pino. "Today's guidance helps clarify legal requirements and better support individuals in crisis."

    The Guidance on HIPAA and Disclosures of Protected Health Information for Extreme Risk Protection Orders may be found at: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/extreme-risk-protection-orders/index.html.


About Us

Zachary Edgar JD, LLM is the managing partner for Therapy Comply. Zachary is a healthcare attorney who specializes in federal and state healthcare regulatory issues, particularly for physical, occupational, and speech therapy practices.
