Data is rapidly becoming one of the most valuable assets in the healthcare market, putting digital health companies that collect and process large amounts of personal data at higher risk than many other types of businesses. If you have a healthcare business, then you’ll want to keep reading…
Read MoreHIPAA Critical: Episode 10 | COVID-19’s HIPAA Impact, Increased Risk From Remote Work, Interview with Carrie Nixon
Read MoreGeneral Data Protection Regulation (GDPR) preparedness should be a priority and we will review the steps you need to take to make sure you’re in compliance. Though the GDPR comes from the European Union, businesses everywhere should apply GDPR principles in practice.
Read MoreNew technologies in healthcare means new risk to the security and privacy of patient health data. Though most healthcare companies and providers are aware of the need for internal data security, many may not be in compliance when sharing information with third parties. As providers and vendors find new and innovative ways to work together, the need for data sharing will only increase. It is critically important that all parties know when and how protected health information (PHI) is shared, and when patient authorization is required to do so.
Read MoreIn October, The Health and Human Services Office for Civil Rights (OCR) shared that future health-care privacy and security audits will shift from an educational focus to an enforcement focus. Previously, OCR performed these audits to educate providers on patient privacy and HIPAA. But now, the priority is enforcement. Instead of relying on complaints and breach notifications, the OCR will be more proactive in identifying problem providers. It’s important for all healthcare provider entities to have a HIPAA compliance plan actively in use. (We can help!)
Read MoreAs all health care providers know, the HIPAA Privacy Rule applies to their practice. But because many providers outsource some of their health care activities and/or functions, the HIPAA Privacy Rule also applies to these “business associates".” It is important that providers have assurances in writing that all business associates are appropriately safeguarding patient information and following all HIPAA provisions. The HHS Office for Civil Rights has issued a new fact sheet that lays out all provisions where the business associate would be held directly liable for HIPAA Rule violations.
Read MoreOn May 25, 2018, European law officially enforced the General Data Protection Regulation (GDPR). The GDPR was created to protect the personal data of EU citizens. This article examines two GDPR-compliant encryption methods in this article: standard encryption and pseudonymization.
Read MoreHealthcare has now surpassed nuclear power and financial services as the most highly regulated industry in the U.S. - and for good reason. The health, safety, and privacy of individual patients and the public at large is at stake.
For better or for worse, there exists a complex web of local, state, and federal laws and regulations that govern the businesses of healthcare providers and healthcare companies - from patient safety and privacy protections, to corporate transactions and contractual relationships. Navigating this complicated landscape requires a deep understanding of the risks and opportunities inherent in the healthcare industry—namely, it requires an experienced healthcare attorney.
Read MoreThis article discusses how you can lower your risk through email encryption, thereby saving your healthcare practice or organization from an expensive data breach. Email encryption can help your organization protect against the most common form of data breach and better comply with HIPAA standards.
Read MoreBeginning on May 25, 2018, HIPAA won’t be the only healthcare data security standard with which U.S. companies have to comply. Medical practices, digital healthcare companies, and vendors (e.g., electronic health records companies, medical billing companies, and cloud services companies) that do business in the healthcare sector and collect data from European citizens will be required to comply with the new EU General Data Protection Regulation (the “GDPR”). A recent Reuters article called the implementation of these regulations “the biggest overhaul of online privacy since the birth of the internet.”
Read MoreEarlier this year, a federally qualified health center, Metro Community Provider Network (“MCPN”) paid a $400,000 HIPAA breach penalty related to a 2011 phishing attack. In this attack, several MCPN employees had their email accounts hacked by a phisher who was able to gain access to about 3,200 individuals’ PHI.
Read MoreCaitlin Riccobono, Esq., Counsel at Nixon Law Group, develops these routine “Partners Pointers” for the Virginia-based healthcare organization Partners in Healthcare.
Topic: Business Associates of Business Associates
I was asked to address two main questions regarding a Business Associate that is a subcontractor of another Business Associate (we will call this a “Sub-BA”). First, to what extent is a Sub-BA permitted access to PHI? Second, what are the Sub-BA’s obligations with respect to safeguarding PHI?
Read MoreWe often advise our clients that one of the criteria separating a “high risk” breach from a “low risk” breach is whether the breach affects more or fewer than 500 individuals. This is because the HHS Office of Civil Rights (which is the HIPAA enforcement arm of HHS) has historically prioritized investigation of and corrective action following breaches affecting in excess of 500 individuals—OCR’s Regional Offices investigate all reported breaches involving the PHI of 500 or more individuals. However, OCR recently announced that it would be teaming up with its regional office staff to more widely investigate HIPAA breaches affecting fewer than 500 individuals—sending a strong signal to covered entities and business associates that no one is “safe” from repercussions emanating from a HIPAA breach.
Read MoreDespite the risk of experiencing a HIPAA breach exceeding 89%, fewer than half of healthcare organizations have formal incident response plans and procedures. When an actual or suspected breach occurs, it is vital for covered entities and business associates to have a simple, streamlined, and expeditious plan to respond. These breaches can be anything from a lost thumb drive or laptop to a sophisticated cyber-attack, but a good breach response plan will be flexible enough to work in a variety of circumstances. There are standard responses that the Department of Health and Human Services’ (HHS) Office of Civil Rights (the government entity that polices HIPAA compliance) (OCR) expects to see when health data has been compromised. These include protocols for investigation, mitigation, and notification of affected individuals.
Read MoreHealthcare providers in today's environment are dependent upon health information technology like electronic health records, cloud-based billing and practice management solutions, and mobile devices like laptops and iPads to run their practices. The reliability and security of this technology is key to both operations and compliance. However, physicians aren't IT professionals, and practice managers are security specialists. So how do they manage compliance risks without cutting into resources needed to provide patient care? On Tuesday, April 26, 2016, Rebecca E. Gwilt, Esq. and Joan Kassell, MLIS, CPIA will meet with Virginia practitioners to discuss what the data shows are the most common sources of health data breaches and OCR settlements. The data reveals that there are a few simple steps any physician can take to protect their practice and patients and to begin to build a robust compliance program. Topics will include (1) realistic threats to healthcare practices, (2) breaches in the real world and what they tell us, and (3) reducing the likelihood a breach will bury your practice.
Read MoreThere is still time to protect your company or practice. In preparation for potential OCR audits, health care providers and health technology companies should conduct an internal audit of their compliance with State and Federal privacy and security rules, including HIPAA, and begin to address any shortfalls. OCR's increased budget and strategic plans related to HIPAA enforcement should remind the healthcare community of the growing commitment of the Federal Government to strictly enforce its privacy and security protections. Contact your healthcare attorney for advice on how to address your compliance posture.
Read MoreOn February 5, the Secretary of Health and Human Services, Sylvia Burwell, announced a proposed rule that would update privacy rules regarding substance abuse records--for the first time since 1987. This proposed rule has the potential to ease barriers to streamlined and efficient exchange of patient information across the care spectrum.
Read MoreHealth IT vendors are under incredible pressure to represent to customers that their hardware and software solutions are impervious to cyber threats. Pick any major trade show and the first line you'll hear from exhibitors is that their solution is HIPAA-compatible, and, even more misleading, HIPAA-compliant. It's important that vendors understand overstating security protocols and capabilities can have major legal and financial implications.
Read MoreOn January 6, 2016, in a dramatic national press conference, President Obama announced several actions by his administration to address gun violence in the US. One of these actions is a long-planned modification to the Health Insurance Portability and Accountability Act (HIPAA). The same day, the Department of Health and Human Services (HHS) published a Final Rule adding a permitted disclosure to the HIPAA Privacy Rule, which expressly permits a limited number of Covered Entities to disclose protected health information (PHI) of certain individuals to the National Instant Criminal Background Check System (NICS). The modification is aimed at removing one barrier to expanding the quality of the information in NICS, which is used by firearms vendors to disqualify potential purchasers who are federally barred from owning firearms.
Read More