Reader Offer: Free Annual HIPAA Risk Assessment
Jun 28

HIPAA Journal has partnered with The Compliancy Group to offer its readers a free annual HIPAA Risk Assessment. Covered Entities like medical practices and Business Associates like IT providers are required to conduct a HIPAA risk assessment by the 2003 HIPAA Security Rule (45 CFR § 164.308 – Security Management Process) and the HITECH Act of 2009.

Video: Why HIPAA Compliance is Important for Healthcare Professionals
Jun 28

Many sources explaining why HIPAA compliance is important for healthcare professionals tend to focus on the purpose of HIPAA regulations rather than the benefits of compliance for healthcare professionals. The same sources also tend to focus on how noncompliance affects patients and employers, rather than the impact it can have on healthcare professionals' lives. This article discusses why HIPAA compliance is important for healthcare professionals from a healthcare professional's perspective. It explains why healthcare professionals cannot avoid HIPAA; and that, by complying with HIPAA, healthcare professionals can foster patient trust, keep patients safer, and contribute towards better patient outcomes. This in turn raises morale, creates a more rewarding work experience, and enables healthcare professionals to get more from their vocation. Conversely, the failure to comply with HIPAA can have significant professional and personal consequences. Yet the failure to comply with HIPAA is not always a healthcare professional's fault. Sometimes it can be due to insufficient training or...

The HIPAA Password Requirements and the Best Way to Comply With Them
Jun 9

It is important that Covered Entities and Business Associates understand the HIPAA password requirements and the best way to comply with them, because if a data breach is found to be attributable to a lack of compliance, the penalties could be significant. However, understanding the HIPAA password requirements is not straightforward. HIPAA is intentionally technology-neutral; so whereas Security Standard §164.312(d) stipulates Covered Entities must “implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed”, there is no indication what procedures should be implemented or even that user verification should be password-based. Guidance published by the Department of Health and Human Services suggests there are three ways in which users can verify their identity: with something only known to the user, such as a password or PIN; with something the user possesses, such as a smart card or key; or with something unique to the user, such as a fingerprint or facial image. In addition to the above, a required...

What is a HIPAA Violation?
Apr 18

To best answer the question of what a HIPAA violation is, it is necessary to explain what HIPAA is, who it applies to, and what constitutes a violation; for although most people believe they know what a HIPAA violation is, evidence suggests otherwise. The evidence that there may be a misunderstanding about what a HIPAA violation is comes from the Department of Health and Human Services (HHS) Enforcement Highlights web page. The web page is regularly updated with statistics relating to complaints about HIPAA violations, compliance reviews, and enforcement action. According to the most recent update, HHS has received almost 300,000 complaints since the compliance date of the Privacy Rule (April 2003). On its behalf, the Office for Civil Rights (OCR) has conducted tens of thousands of compliance reviews or intervened with technical assistance before a review was necessary. However, in more than 200,000 cases, complaints received by HHS have not been reviewed by OCR for reasons such as the entity alleged to have violated HIPAA was not a HIPAA Covered Entity, or the alleged activity...

How Employees Can Help Prevent HIPAA Violations?
Mar 3

Healthcare organizations and their business associates must comply with the HIPAA Privacy, Security, and Breach Notification Rules and implement safeguards to prevent HIPAA violations. However, even with controls in place to reduce the risk of HIPAA violations, data breaches still occur. In most industries, it is hackers and other cybercriminals that are responsible for the majority of security breaches, but in healthcare it is insiders. While healthcare organizations can take steps to improve their defenses and implement technologies to identify breaches rapidly when they occur, healthcare employees also need to help prevent HIPAA violations. Employers can help employees by providing regular HIPAA training.

Employees Can Help to Prevent HIPAA Violations

Healthcare privacy breaches often occur as a result of carelessness or a lack of understanding of HIPAA Rules. Healthcare organizations should therefore ensure employees receive full training on HIPAA and know the allowable uses and disclosures of PHI and how to secure ePHI at all times. Refresher training sessions should also be...

Who Does HIPAA Apply To?
Feb 28

Confusion sometimes exists over the question of who HIPAA applies to because the requirement to protect individually identifiable health information is covered in only a small section of a very substantial Act. Even when this small section is extracted and analyzed, it is still not always clear who HIPAA applies to and which organizations need to implement HIPAA compliance programs.

Does HIPAA Apply to Everybody?

The Health Insurance Portability and Accountability Act (PDF) is a substantial body of legislation passed by Congress in 1996. As the title of the Act suggests, it addresses the portability of health insurance and the accountability of group health plans to provide benefits when members of group health plans have pre-existing conditions. In this respect, HIPAA applies to the majority of workers, most health insurance providers, and employers who sponsor or co-sponsor employee health insurance plans. However, HIPAA consists of four further titles covering topics from medical liability reform to taxes on expatriates who give up U.S....

Webinar: Lessons and Examples from 2021’s HIPAA Breaches and Fines
Feb 17

2021 has been a tough year for the healthcare industry, with huge numbers of data breaches occurring and vast numbers of healthcare records exposed as hackers stepped up their attacks on healthcare providers and ransomware actors ran riot. The HHS’ Office for Civil Rights has continued to impose large numbers of fines on covered entities and business associates for noncompliance with the HIPAA Rules, even during the pandemic. The trend for the past year was a major focus on violations of the HIPAA Right of Access, and many of the fines were imposed on smaller healthcare practices.

The webinar will cover:
- The data breaches and fines in 2021 (what caused them, who was affected, etc.)
- How to protect yourself from suffering a breach or financial penalty in the New Year.
- Predictions of what will happen in the future and what to look out for.

You will also get the inside scoop from compliance experts and find out how you can start protecting your business in 2022! Due to popular demand, this January webinar is being run again on February 17, 2022. Lessons and Examples from 2021’s HIPAA...

What is Considered PHI Under HIPAA?
Jan 28

In a healthcare environment, you are likely to hear health information referred to as protected health information or PHI, but what is considered PHI under HIPAA?

What is Considered PHI Under HIPAA Rules?

Under HIPAA, PHI is considered to be any identifiable health information that is used, maintained, stored, or transmitted by a HIPAA-covered entity – a healthcare provider, health plan or health insurer, or a healthcare clearinghouse – or a business associate of a HIPAA-covered entity, in relation to the provision of healthcare or payment for healthcare services. It is not only past and current health information that is considered PHI under HIPAA Rules, but also future information about medical conditions or physical and mental health related to the provision of care or payment for care. PHI is health information in any form, including physical records, electronic records, or spoken information. Therefore, PHI includes health records, health histories, lab test results, and medical bills. Essentially, all health information is considered PHI when it includes individual HIPAA...

What are the HIPAA Breach Notification Requirements?
Jan 4

All HIPAA covered entities must familiarize themselves with the HIPAA breach notification requirements and develop a breach response plan that can be implemented as soon as a breach of unsecured protected health information (PHI) is discovered. HIPAA training for staff must also include the procedures for reporting breaches of unsecured PHI. While most HIPAA covered entities should understand the HIPAA breach notification requirements, organizations that have yet to experience a data breach may not have a good working knowledge of the requirements of the Breach Notification Rule. Vendors that have only just started providing a service to Covered Entities may similarly be unsure of the reporting requirements and actions that must be taken following a breach. The issuing of notifications following a breach of unencrypted PHI is an important element of HIPAA compliance. The failure to comply with HIPAA breach notification requirements can result in a significant financial penalty in addition to that imposed for the data breach itself. With this in mind, we have compiled a summary of...

What is HIPAA Certification?
Jan 3

HIPAA certification has two meanings. It can either be a point-in-time accreditation demonstrating an organization has passed a HIPAA compliance audit, or a recognition that members of the organization's workforce have achieved the level of HIPAA knowledge required to comply with the organization's policies and procedures. Both are useful accreditations to have. There are two things organizations and their workforces should be aware of before undertaking a HIPAA certification program. There are no requirements in HIPAA for organizations and/or their workforces to certify compliance, and certification is not a “get out of jail free card” that will absolve negligent parties from HIPAA violations. So why get certified?

Why Get Certified as being HIPAA Compliant?

The first reason for getting certified is that, in order to achieve an accreditation, organizations will have to adopt best privacy practices and implement the administrative, technical, and physical safeguards of the HIPAA Security Rule. This in itself will reduce the likelihood of HIPAA violations and data breaches – leading...

Is it a HIPAA Violation to Ask for Proof of Vaccine Status?
Dec 25

According to several media sources, there appears to be a degree of confusion about the purpose of HIPAA, who it applies to, and whether asking someone if they have had a COVID-19 vaccine constitutes a HIPAA violation. The confusion was highlighted recently when, on May 18, 2021, Rep. Marjorie Taylor Greene (R-Ga) was asked whether she had been vaccinated, as she had refused to wear a mask on the House floor in breach of House rules. Greene told reporters that asking her about her vaccine status was a HIPAA violation, but this was not correct, as HIPAA does not apply in such situations. It is not only Rep. Greene who is unsure about the purpose of HIPAA and who it applies to. Several organizations have also raised concerns that asking employees to provide proof of being vaccinated against COVID-19 in order to avoid wearing a facemask, maintaining social distancing, or self-isolating after exposure to an infected person may also be a violation of HIPAA.

HIPAA and Its Purpose

The Health Insurance Portability and Accountability Act (HIPAA) was created primarily to modernize the flow of...

Future of HIPAA: Reflections at the 25th Anniversary of HIPAA
Aug 21

The Health Insurance Portability and Accountability Act is now 25 years old. How effective has this healthcare law been and what is the future of HIPAA? It is now exactly 25 years to the day since the Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Clinton. On August 21, 1996, when President Clinton added his signature to the legislation, few people would have realized how HIPAA would evolve and grow into the comprehensive national health privacy law that it is today. It is difficult to argue that HIPAA has not been an overall success, but the legislation has attracted a fair amount of criticism over the years, especially due to the considerable administrative burden it initially placed on healthcare organizations. On balance, the improvements to healthcare that have come from compliance with HIPAA more than outweigh the negatives. The biggest successes are the improvements to patient privacy and data security, the rights given to patients with respect to their healthcare data, greater efficiency in the healthcare system, and changes...

How Often is HIPAA Training Required?
Mar 20

HIPAA-covered entities and their business associates must ensure that all members of the workforce who encounter protected health information (PHI) in any of its forms are provided with training, but how often is HIPAA training required, and how flexible are the HIPAA Rules when it comes to providing employee HIPAA training?

What Does HIPAA Say About Employee Training?

Both the HIPAA Privacy Rule and HIPAA Security Rule have training provisions. The HIPAA Privacy Rule states: “A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information,” and training should be provided “as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.” The HIPAA Security Rule training standard states: “Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).” The Privacy Rule does not specify the content of training courses, and scant information is provided in the Security Rule as to...
