DoE Considers HIPAA Privacy Standards for FERPA to Close Rape Disclosure Loophole
On March 8, 2014, three players from the University of Oregon Ducks basketball team are alleged to have repeatedly gang raped a freshman student at the University. In December last year, the University director’s assistant was ordered to hand over the entire case file of the student to the university’s legal office. The file contained confidential health information protected under the Family Educational Rights and Privacy Act (FERPA) which included counseling records for the student. Many privacy advocates and student bodies consider this to be a massive invasion of privacy, as no consent was obtained from the student prior to the disclosure of the records. Record Disclosure Sparks Fierce Debate The incident has sparked considerable debate. The disclosure has been investigated by both the Oregon State Bar and the Oregon Board of Psychologist Examiners, but under FERPA Rules, the disclosure of data – under the circumstances – was permissible. The nature of the information disclosed is what is particularly worrying. It is hard enough to get victims of rape to come...
HIPAA-Covered Entities in for a Rude Awakening in the Compliance Audits
It has been three years since the OCR completed the pilot phase of HIPAA compliance audits. The OCR discovered numerous violations of all HIPAA Rules when it analyzed the results, and while healthcare data security standards have improved considerably since 2012, many Covered Entities (CEs) would still fail a compliance audit. A new survey recently published by Healthcare Information Security Today (HIST) indicates many Covered Entities (CEs) are making the same compliance mistakes that were uncovered during the pilot phase of audits. The OCR used the results of the pilot phase to develop a protocol for phase two, and the areas that CEs struggled to implement will be specifically tested second time around. A number of healthcare providers could have a rude awakening on what compliance with HIPAA really means. The HIST survey uncovered a surprising level of confidence among covered entities. 80% of respondents said they were confident or somewhat confident of passing a compliance audit. The pilot round of compliance audits identified many areas where organizations were failing to...
Deven McGraw Appointed OCR Deputy Director for Health Information Privacy
Very shortly there will be a new face at the Department of Health and Human Services’ Office for Civil Rights. Privacy Advocate, Deven McGraw, has taken on the role of Deputy Director of Health Information Privacy, and must get the agency auditing, advising and enforcing as it should. She will be filling the role left vacant by Susan McAndrew, who retired last year, and is set to join the OCR on June 29. It Takes Time to Find the Right Candidate The OCR has taken its time to find and appoint a replacement for Susan McAndrew. That wait certainly appears to have paid off. McGraw will bring a wealth of experience to the OCR, having worked in both the public and private sector. She has developed strong strategic leadership skills and has held the posts of Chief Operating Officer at the National Partnership for Women & Families and Director of the Health Privacy Project at the Center for Democracy & Technology. McGraw is no stranger to challenges, and has an extensive working knowledge of the intricacies of healthcare privacy and security laws. She will be able to draw from the...
HIPAA Compliance Deadline for Windows Server 2003 Upgrade Fast Approaches
Microsoft has announced it will be stopping issuing patches and software updates for Windows Server 2003 on July 15, 2015. Any HIPAA-covered entity that is still running the outdated software on any of its servers after this date will be in violation of the HIPAA Security Rule, and could face a financial penalty from the Department of Health and Human Services’ Office for Civil Rights (OCR). Microsoft advises users to upgrade to Windows Server 2012 R2 in order to maintain security standards and receive continued support, upgrades, and patches. Upgrades Must be Planned and Time is Fast Running Out When Microsoft stopped issuing patches for Windows XP, all users had to be moved onto new operating systems; a task that required a considerable amount of planning, a considerable number of man-hours, and a not insignificant financial outlay. While a HIPAA-covered entity will have fewer servers than desktops/laptops, upgrading servers has the potential to cause even more disruption, especially in large organizations operating a number of servers and an even higher number of virtual...
Virginia Senator Calls for Easing of HIPAA Privacy Rules
On Tuesday, a House panel heard Virginia state senator, Creigh Deeds, testify ahead of a meeting to discuss the re-introduced Helping Families in Mental Health Crisis Act. Rep. Tim Murphy & Rep. Eddie Bernice Johnson have re-introduced the bill which, in part, calls for the easing of HIPAA privacy protections under certain circumstances. The representatives’ cause has received backing from Deeds, who is also calling for exceptions to be made to the HIPAA Privacy Rule. The Health Insurance Portability and Accountability Act (HIPAA) severely restricts the disclosure of Protected Health Information (PHI). The Privacy Rule acts in the interests of the patient, but it is argued that for mental health issues there must be more exceptions. Current restrictions on the disclosure of information can prevent patients from receiving the care they need. Proponents of the new bill argue that mental health issues such as bipolar disorder and schizophrenia do not fit the norm, and privacy rules must be applied differently. In some cases, withholding important medical information – such as...



