Upcoming Webinars

Site Updates

Disclaimer

The analysis of any legal or medical billing is dependent on numerous specific facts — including the factual situations present related to the patients, the practice, the professionals and the medical services and advice. Additionally, laws and regulations and insurance and payer policies are subject to change. The information that has been accurate previously can be particularly dependent on changes in time or circumstances. The information contained in this web site is intended as general information only. It is not intended to serve as medical, health, legal or financial advice or as a substitute for professional advice of a medical coding professional, healthcare consultant, physician or medical professional, legal counsel, accountant or financial advisor. If you have a question about a specific matter, you should contact a professional advisor directly. CPT copyright American Medical Association. All rights reserved. CPT is a registered trademark of the American Medical Association.

Menu
Log in
Forgot password


Search
Log in
Forgot password
  • Home
  • HIPAA
  • HIPAA Compliance Updates and Information

HIPAA Compliance Updates

Welcome to out HIPAA compliance updates and news.  Here we post news, articles, and site updates on HIPAA.  

<< First  < Prev   ...   2   3   4   5   6   Next >  Last >> 

  • OCR Settles Fourteenth Investigation in HIPAA Right of Access Initiative

    12 Jan 2021 3:36 PM | Zachary Edgar (Administrator)

    The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announces its fourteenth settlement of an enforcement action in its HIPAA Right of Access Initiative.  OCR announced this initiative as an enforcement priority in 2019 to support individuals’ right to timely access their health records at a reasonable cost under the HIPAA Privacy Rule. 

    Banner Health, on behalf of the Banner Health affiliated covered entities (Banner Health ACE), has agreed to take corrective actions and pay $200,000 to settle potential violations of the HIPAA Privacy Rule’s right of access standard.  Banner Health is a non-profit health system based in Phoenix, Arizona. Banner Health operates 30 hospitals and numerous primary care, urgent care, and specialty care facilities and is one of the largest health care systems in the United States.

  • What is the Difference Between “Required” and “Addressable” Specification in the HIPAA Security Rule?

    17 Jul 2019 1:18 PM | Zachary Edgar (Administrator)

    The purpose of the Health Insurance Portability and Accountability (HIPAA) Security Rule is to:

    • Ensure the confidentiality, integrity, and availability of all electronic protected health information that the covered entity (healthcare provider, health plan) or business associate creates, receives, maintains, or transmits;
    • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
    • Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule; and
    • Ensure compliance of the covered entity’s workforce.  45 C.F.R. §164.306.

    The Security Rule is broken down into five different sections: Administrative Safeguards, Physical Safeguards, Technical Safeguards, Organizational Requirements, and Policies and Procedures and Documentation Requirements.  Each one of these sections has multiple “standards” that must be followed by the covered entity.  Many of these “standards” have more detailed implementation specifications which can either be “Required” or “Addressable”. 

    A “required” implementation specification must be implemented by the covered entity.

    An “addressable” implementation specification is more flexible, but it is not optional.  A covered entity must perform an assessment to determine whether the implementation specification is a reasonable and appropriate safeguard for implementation in the covered entity’s environment. In general, after performing the assessment, a covered entity decides if it will:

    • Implement the addressable implementation specification;
    • Implement an equivalent alternative measure that allows the entity to comply with the standard; or
    • Not implement the addressable specification or any alternative measures, if equivalent measures are not reasonable and appropriate within its environment.

    Covered entities must document the assessment and decision made regarding each specification.

    If a given addressable implementation specification is determined to be reasonable and appropriate, the covered entity must consider options for implementing it. The decision regarding which security measures to implement to address the standards and implementation specifications will depend on a variety of factors, including:

    • The entity's risk analysis – What current circumstances leave the entity open to unauthorized access and disclosure of EPHI?
    • The entity’s security analysis - What security measures are already in place or could reasonably be put into place?
    • The entity’s financial analysis - How much will implementation cost?

    Citation

    45 CFR §164.306

    U.S. Department of Health and Human Services, HIPAA Security Series, Security 101 for Covered Entities

    NIST SP 800-66

  • Indiana Medical Records Service Pays $100,000 to Settle HIPAA Breach

    22 May 2019 12:06 PM | Zachary Edgar (Administrator)

    Medical Informatics Engineering, Inc. (MIE) has paid $100,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services, and has agreed take corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. MIE is an Indiana company that provides software and electronic medical record services to healthcare providers.

    Read the HHS Press Release


  • Tennessee Diagnostic Medical Imaging Services Company Pays $3,000,000 to Settle Breach Exposing Over 300,000 Patients' Protected Health Information

    15 May 2019 12:04 PM | Zachary Edgar (Administrator)

    Tennessee diagnostic medical imaging services company pays $3,000,000 to settle breach exposing over 300,000 patients' protected health information – May 6, 2019

    Touchstone Medical Imaging ("Touchstone") has agreed to pay $3,000,000 to OCR, and to adopt a corrective action plan to settle potential violations of the HIPAA Security and Breach Notification Rules. Touchstone, based in Franklin, Tennessee, provides diagnostic medical imaging services in Nebraska, Texas, Colorado, Florida, and Arkansas.

    Read the HHS Press Release


<< First  < Prev   ...   2   3   4   5   6   Next >  Last >> 

About Us

Zachary Edgar JD, LLM is the managing partner for Therapy Comply.  Zachary is a healthcare attorney that specializes in federal and state healthcare regulatory issues particularly for physical, occupational, and speech therapy practices.  

Learn More 

Join Us

Join today as a yearly member and enjoy full access to the site and a significant discount to our live and recorded webinars.  Members also have access to compliance and billing support.

Join Today 

Find Us


Powered by Wild Apricot Membership Software