New technologies in healthcare means new risk to the security and privacy of patient health data. Though most healthcare companies and providers are aware of the need for internal data security, many may not be in compliance when sharing information with third parties. As providers and vendors find new and innovative ways to work together, the need for data sharing will only increase. It is critically important that all parties know when and how protected health information (PHI) is shared, and when patient authorization is required to do so.
We like to find interesting tips and tricks to help our clients improve their health data security. This infographic from Inspired eLearning on "phishing" schemes covers the most common types of phishing attacks, including via email, phone call, text message, or USB baiting. Read on to learn about how these attacks can occur, common statistics, and prevention tips.
Many digital health technology companies have customers from multiple, or even all, states accessing their software and services. If these health tech companies have California customers, then starting in January 2020, they may need to abide by the California Consumer Privacy Act.
By building compliance processes into your internal structure, audits can be completed faster and can bring to light information that is beneficial for both your customers and employees. Here are seven tips to prepare for a healthcare compliance audit.
Healthcare has now surpassed nuclear power and financial services as the most highly regulated industry in the U.S. - and for good reason. The health, safety, and privacy of individual patients and the public at large is at stake.
For better or for worse, there exists a complex web of local, state, and federal laws and regulations that govern the businesses of healthcare providers and healthcare companies - from patient safety and privacy protections, to corporate transactions and contractual relationships. Navigating this complicated landscape requires a deep understanding of the risks and opportunities inherent in the healthcare industry—namely, it requires an experienced healthcare attorney.
Despite the risk of experiencing a HIPAA breach exceeding 89%, fewer than half of healthcare organizations have formal incident response plans and procedures. When an actual or suspected breach occurs, it is vital for covered entities and business associates to have a simple, streamlined, and expeditious plan to respond. These breaches can be anything from a lost thumb drive or laptop to a sophisticated cyber-attack, but a good breach response plan will be flexible enough to work in a variety of circumstances. There are standard responses that the Department of Health and Human Services’ (HHS) Office of Civil Rights (the government entity that polices HIPAA compliance) (OCR) expects to see when health data has been compromised. These include protocols for investigation, mitigation, and notification of affected individuals.
Healthcare providers in today's environment are dependent upon health information technology like electronic health records, cloud-based billing and practice management solutions, and mobile devices like laptops and iPads to run their practices. The reliability and security of this technology is key to both operations and compliance. However, physicians aren't IT professionals, and practice managers are security specialists. So how do they manage compliance risks without cutting into resources needed to provide patient care? On Tuesday, April 26, 2016, Rebecca E. Gwilt, Esq. and Joan Kassell, MLIS, CPIA will meet with Virginia practitioners to discuss what the data shows are the most common sources of health data breaches and OCR settlements. The data reveals that there are a few simple steps any physician can take to protect their practice and patients and to begin to build a robust compliance program. Topics will include (1) realistic threats to healthcare practices, (2) breaches in the real world and what they tell us, and (3) reducing the likelihood a breach will bury your practice.
There is still time to protect your company or practice. In preparation for potential OCR audits, health care providers and health technology companies should conduct an internal audit of their compliance with State and Federal privacy and security rules, including HIPAA, and begin to address any shortfalls. OCR's increased budget and strategic plans related to HIPAA enforcement should remind the healthcare community of the growing commitment of the Federal Government to strictly enforce its privacy and security protections. Contact your healthcare attorney for advice on how to address your compliance posture.
Health IT vendors are under incredible pressure to represent to customers that their hardware and software solutions are impervious to cyber threats. Pick any major trade show and the first line you'll hear from exhibitors is that their solution is HIPAA-compatible, and, even more misleading, HIPAA-compliant. It's important that vendors understand overstating security protocols and capabilities can have major legal and financial implications.
On January 6, 2016, in a dramatic national press conference, President Obama announced several actions by his administration to address gun violence in the US. One of these actions is a long-planned modification to the Health Insurance Portability and Accountability Act (HIPAA). The same day, the Department of Health and Human Services (HHS) published a Final Rule adding a permitted disclosure to the HIPAA Privacy Rule, which expressly permits a limited number of Covered Entities to disclose protected health information (PHI) of certain individuals to the National Instant Criminal Background Check System (NICS). The modification is aimed at removing one barrier to expanding the quality of the information in NICS, which is used by firearms vendors to disqualify potential purchasers who are federally barred from owning firearms.