Viewing entries in HIPAA

Reduce the Risk of a Healthcare Data Breach with Zero-Step Email Encryption

This article discusses how you can lower your risk through email encryption, thereby saving your healthcare practice or organization from an expensive data breach. Email encryption can help your organization protect against the most common form of data breach and better comply with HIPAA standards.

What do I need to know about GDPR?

Beginning on May 25, 2018, HIPAA won’t be the only healthcare data security standard with which U.S. companies have to comply. Medical practices, digital healthcare companies, and vendors (e.g., electronic health records companies, medical billing companies, and cloud services companies) that do business in the healthcare sector and collect data from European citizens will be required to comply with the new EU General Data Protection Regulation (the “GDPR”). A recent Reuters article called the implementation of these regulations “the biggest overhaul of online privacy since the birth of the internet.”

New Rule for Substance Abuse Records: Confidentiality and Disclosures

On January 2, 2018, the Substance Abuse and Mental Health Services Administration (“SAMHSA”) issued a Final Rule amending 42 C.F.R. Part 2 (“Part 2”), making the first changes to the federal rules governing confidentiality and disclosures of patient substance use disorder (“SUD”) records since 1987. Part 2 protects the confidentiality of SUD records, which are a subset of protected health information (PHI). This means that these records are subject to HIPAA but are also protected by Part 2, which contains additional (and more stringent) federal protections. These overlapping standards can make the storage and disclosure of patient records administratively burdensome for healthcare providers, patients, and their families. They are also a challenge for technology companies that store, analyze, and transmit patient records on behalf of providers and patients.

How to Secure Your Health Information Against Phishing Attacks

Earlier this year, a federally qualified health center, Metro Community Provider Network (“MCPN”) paid a $400,000 HIPAA breach penalty related to a 2011 phishing attack. In this attack, several MCPN employees had their email accounts hacked by a phisher who was able to gain access to about 3,200 individuals’ PHI.

Stuck in the Middle Again: Protected Workplace Recordings Must Coexist with Patient Privacy

Healthcare providers are highly sensitive to the risks introduced by recordings in the workplace—not the least of which are potential violations of federal and state laws regarding the privacy of their patients and residents. We have often advised our healthcare clients to enact restrictions on recordings that could introduce unnecessary risk, but a National Labor Relations Board (NLRB) decision, recently upheld by the U.S. Court of Appeals for the Second Circuit, indicates that those same restrictions on recordings might, in and of themselves, introduce compliance risk. In its decision, the NLRB had to determine whether no-recording policies maintained by employer Whole Foods were overly broad by prohibiting all recordings by Whole Foods employees without prior management approval. The NLRB’s position seems clear: Policies reasonably read as prohibiting all employee workplace recordings violate the National Labor Relations Act.

Business Associates of Business Associates - Partners Pointer

Caitlin Riccobono, Esq., Counsel at Nixon Law Group, develops these routine “Partners Pointers” for the Virginia-based healthcare organization Partners in Healthcare.

Topic: Business Associates of Business Associates

I was asked to address two main questions regarding a Business Associate that is a subcontractor of another Business Associate (we will call this a “Sub-BA”). First, to what extent is a Sub-BA permitted access to PHI? Second, what are the Sub-BA’s obligations with respect to safeguarding PHI?

OCR ramping up HIPAA Enforcement for "Small" Breaches

We often advise our clients that one of the criteria separating a “high risk” breach from a “low risk” breach is whether the breach affects more or fewer than 500 individuals. This is because the HHS Office of Civil Rights (which is the HIPAA enforcement arm of HHS) has historically prioritized investigation of and corrective action following breaches affecting in excess of 500 individuals—OCR’s Regional Offices investigate all reported breaches involving the PHI of 500 or more individuals. However, OCR recently announced that it would be teaming up with its regional office staff to more widely investigate HIPAA breaches affecting fewer than 500 individuals—sending a strong signal to covered entities and business associates that no one is “safe” from repercussions emanating from a HIPAA breach.

How Should My Practice Respond to a Breach?

Despite the risk of experiencing a HIPAA breach exceeding 89%, fewer than half of healthcare organizations have formal incident response plans and procedures. When an actual or suspected breach occurs, it is vital for covered entities and business associates to have a simple, streamlined, and expeditious plan to respond. These breaches can be anything from a lost thumb drive or laptop to a sophisticated cyber-attack, but a good breach response plan will be flexible enough to work in a variety of circumstances. There are standard responses that the Department of Health and Human Services’ (HHS) Office of Civil Rights (the government entity that polices HIPAA compliance) (OCR) expects to see when health data has been compromised. These include protocols for investigation, mitigation, and notification of affected individuals.

HIPAA "Straight Talk" with Nixon Law Group

Healthcare providers in today's environment are dependent upon health information technology like electronic health records, cloud-based billing and practice management solutions, and mobile devices like laptops and iPads to run their practices. The reliability and security of this technology is key to both operations and compliance. However, physicians aren't IT professionals, and practice managers aren't security specialists. So how do they manage compliance risks without cutting into resources needed to provide patient care? On Tuesday, April 26, 2016, Rebecca E. Gwilt, Esq. and Joan Kassell, MLIS, CPIA will meet with Virginia practitioners to discuss what the data shows are the most common sources of health data breaches and OCR settlements. The data reveals that there are a few simple steps any physician can take to protect their practice and patients and to begin to build a robust compliance program. Topics will include (1) realistic threats to healthcare practices, (2) breaches in the real world and what they tell us, and (3) reducing the likelihood a breach will bury your practice.

HIPAA Phase 2 Audit Program Commences

There is still time to protect your company or practice. In preparation for potential OCR audits, health care providers and health technology companies should conduct an internal audit of their compliance with State and Federal privacy and security rules, including HIPAA, and begin to address any shortfalls. OCR's increased budget and strategic plans related to HIPAA enforcement should remind the healthcare community of the growing commitment of the Federal Government to strictly enforce its privacy and security protections. Contact your healthcare attorney for advice on how to address your compliance posture.