HIPAA

All HIPAA breaches are investigated by the US Department of Health and Human Services – Office for Civil Rights (OCR). The OCR maintains a web site that lists breaches under investigation as well as those that have been resolved. Reviewing this site can provide us with insight into what has gone wrong for other medical providers. It can help us to understand the steps we can take to avoid similar breaches in our practices.

When you do a back of your data (EHR, Digital Imaging, Billing Program) you hit a button to run your backup and at some point you get a message that your backup is complete. When you have a cloud service, your cloud provider is probably completing your backups.

One of the more common causes of Government Investigations into possible HIPAA violations are patient complaints.

in order to be HIPAA Compliant, you must maintain a "Culture of Compliance" at your office. This can include keeping your software up-to-date, regular required training and addressing risks that pose to your office. This month we address HIPAA training, encrypting your drives and Business Associate Agreements

New Haven, Connecticut failed to terminate an employee’s access to their Health Records System after the employee left. The former employee may have accessed a file containing the Protected Health Information of only 498 Patients.

Aetna has agreed to pay $1,000,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA)

When we discuss HIPAA most of the articles have been on security and breaches, but HIPAA goes well beyond privacy and Security.  One aspect of the HIPAA rule is the “Right of Access”.   OCR (The Office for Civil Rights – the branch of HHS the enforces HIPAA) is enforcing this law even more strongly since the 21 Century Cures Act was published.  OCR has begun to levy fines against organizations that are in violation of the “Right of Access” rule.

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has released an Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments. Financial institutions, cyber insurance firms, and companies that facilitate payments on behalf of victims may be violating OFAC regulations.

Universal Health Systems was hit with a ransomware attach this week. Their servers began to fail over the weekend and Hospitals across the country completely lost access to their EHR systems. As a result of this attack many facilities were forced to go to pen and paper for medical record keeping. In many locations the nursing staff did not have access to medication lists and had no way ok knowing which medications patients needed, how much to dose, or even who needed medications.

in order to be HIPAA Compliant, you must maintain a "Culture of Compliance" at your office. This can include keeping your software up-to-date, regular required training and addressing risks that pose to your office. This month we address HIPAA training, encrypting your drives and Business Associate Agreements