Who Does HIPAA Not Apply To?

HIPAA does not apply to multiple types of organizations including healthcare providers that do not qualify as covered entities, public schools that only provide medical services for students, and financial institutions that process payments on behalf of covered entities. However, although HIPAA does not apply to these organizations, other state privacy laws may apply. When … Read more

Is WhatsApp HIPAA Compliant?

WhatsApp is not HIPAA compliant but can be used in healthcare environments in certain circumstances – for example to facilitate communications between healthcare providers that do not disclose Protected Health Information, or to accommodate patients’ requests to communicate via WhatsApp. When HIPAA covered entities and business associates use any messaging service to create, receive, store, … Read more

Is Microsoft Outlook HIPAA Compliant?

Microsoft Outlook is HIPAA compliant and can be used to send emails containing Protected Health Information provided customers subscribe to an appropriate Microsoft plan with the capabilities to support HIPAA compliance and agree to the terms of Microsoft’s Business Associate Agreement. In order to make Microsoft Outlook HIPAA compliant, system administrators must configure Outlook’s settings … Read more

What is HIPAA Compliant Email?

A HIPAA compliant email is an email containing Protected Health Information, that is sent or received for a purpose permitted by the Privacy Rule, and that is protected from unauthorized access or corruption by safeguards that support compliance with the Security Rule. There may be other conditions attached depending on who is sending the email, … Read more

Is it Necessary for Zelle to be HIPAA Compliant?

It is not necessary for Zelle to be HIPAA compliant in order for HIPAA covered entities to conduct financial transactions via the fund transfer service because payment processors are exempt from HIPAA under §1320d-8 of the Public Health and Welfare Code. Considering that Zelle is a peer-to-peer funds transfer service similar to PayPal, there are … Read more

Is HoneyBook HIPAA Compliant?

HoneyBook is not HIPAA compliant and should not be used by HIPAA covered entities or business associates to create, collect, store, or transmit electronic Protected Health Information (ePHI). However, it is still possible for healthcare providers to use HoneyBook for some customer relationship activities. HoneyBook styles itself as “client flow management software” that can help … Read more

Is Ivy Pay HIPAA Compliant?

Ivy Pay is a HIPAA compliant payment management system that enables therapists to collect payments with little or no disruption to clients. The payment processing capabilities mean clients do not have to focus on a financial transaction at the end of a session, while the system simplifies billing and payment activities for therapists. Ivy Pay … Read more

How Can You Make PayPal HIPAA Compliant to Accept Payments from Patients?

It is not necessary to make PayPal HIPAA compliant before accepting payments from patients because payment processors such as PayPal are exempt from complying with the HIPAA regulations for payment processing activities. However, it is not possible to use any other of PayPal’s services in compliance with HIPAA. When HIPAA was passed in 1996, it … Read more

Are phone calls a HIPAA violation?

Phone calls can be a HIPAA violation if Protected Health Information (PHI) is disclosed for an impermissible purpose, to an unauthorized person, or for a purpose or to a person that the subject of the PHI has requested PHI is not disclosed (for example, to a health plan when treatment has been paid for privately … Read more

What are the HIPAA Training Requirements?

The HIPAA training requirements are that members of a covered entity’s workforce must be provided with training on the covered entity’s HIPAA policies and procedures when they first start working for the covered entity or when there is a material change to the policies and procedures. All employees of covered entities and business associates must … Read more

What is PHI in HIPAA?

PHI in HIPAA is health information that relates to an individual’s past, present, or future physical or mental health condition, treatment for the health condition, or payment for the treatment, that is created, received, stored, or transmitted by a HIPAA covered entity or business associate. Any health information that qualifies as PHI in HIPAA, and … Read more

What Did the HIPAA Omnibus Rule 2013 Mandate?

The HIPAA Omnibus Rule 2013 mandated changes to Parts 160 and 164 of the HIPAA Administrative Simplification Regulations to implement modifications to the Enforcement, Security, Breach Notification, and Privacy Rules required by the HITECH Act. In addition, the HIPAA Omnibus Rule 2013 made further changes to the Privacy Rule to address events that were hampering … Read more

How does Texas HB 300 Expand Individual Privacy Protections?

Texas HB 300 expands individual privacy protections by requiring non-excluded covered entities to obtain an authorization for a number of disclosures of Protected Health Information that would be permitted by the HIPAA Privacy Rule. In 2001, Section 181 of the Texas Health and Safety Code was established by the passage of the Texas Medical Records … Read more

HIPAA Changes 2024

HIPAA changes occur more often than many people realize due to the Department of Health and Human Services (HHS) responding to external events, Executive Orders, or adopting standards to reduce the administrative burden of HIPAA compliance. While most recent HIPAA changes have been relatively minor, there are significant proposed HIPAA changes in 2024. Many articles … Read more

What do HIPAA Laws Protect?

HIPAA laws are best known for protecting the privacy of individually identifiable health information maintained by health plans and qualifying health care providers. Strictly speaking, the content of the Health Insurance Portability and Accountability Act did not create any new HIPAA laws. Rather, it amended existing laws such as the Consolidated Omnibus Budget Reconciliation Act … Read more

HIPAA Training for Mental Health Professionals

HIPAA training for mental health professionals should be more thorough than for other health care professionals due to the number of times mental health professionals may be required to make decisions about disclosing PHI based on their professional judgement. Under §164.530(b) of the Privacy Rule, covered entities “must train all members of the workforce on … Read more

How Long Does It Take to Get HIPAA Certified?

How long it takes to get HIPAA certified depends on factors such as the motive for getting HIPAA certified, the certification requirements, and the amount of time available to fulfil the requirements. HIPAA certifications do not absolve individuals and organizations from any obligations they have under HIPAA to protect the privacy and security of individually … Read more

Why Was HIPAA Created?

HIPAA was created as a result of the Clinton administration’s ambitious, but unsuccessful, attempt to pass a Health Security Act. HIPAA addressed the area of the Health Security Act related to health insurance reforms, which enabled the bill’s supporters to include measures that protect the privacy and security of individually identifiable health information. One of … Read more

What To Do If Accused of a HIPAA Violation

There is no standard answer to what to do if accused of a HIPAA violation because what you should do depends on your responsibility for HIPAA compliance, who is accusing you of a HIPAA violation, and the violation you are being accused of. In 2021, HHS’ Office for Civil Rights received 34,077 complaints alleging violations … Read more

What is Healthcare Compliance?

Healthcare compliance is an essential activity for organizations in, or providing a service to, the healthcare industry. It involves adherence to laws, regulations, standards, and practices that govern healthcare providers, payers, pharmaceutical companies, and other entities involved in the delivery of health care. Components of Healthcare Compliance Federal and State Laws Healthcare compliance requires adherence … Read more

Is Microsoft OneDrive HIPAA Compliant?

Although OneDrive can be configured to support HIPAA compliance, there is more to making OneDrive HIPAA compliant than adjusting a few settings and entering into a Business Associate Agreement with Microsoft. Many healthcare organizations subscribe to an Office 365 or Microsoft 365 business plan to access apps and services such as Word, Excel, and PowerPoint. … Read more

What is HIPAA compliant telemedicine?

The term HIPAA compliant telemedicine relates to the remote delivery of healthcare to patients and remote collaboration between healthcare providers while complying with the standards of the Privacy Rule and the safeguards of the Security Rule. Due to the nature of remote healthcare delivery and collaboration, it is not always easy to comply with the … Read more

Is Google Meet HIPAA Compliant?

Yes, Google Meet can be made HIPAA compliant when a Business Associate Agreement (BAA) is in place. A BAA is a legal contract that outlines the responsibilities and obligations of a service provider (Google) when handling Protected Health Information (PHI) on behalf of a covered entity (healthcare organization). If Google signs a BAA with a … Read more

What is the HIPAA Electronic Signature Rule?

The HIPAA electronic signature rule is – at present – a proposed rule published by the Department of Health and Human Services in December 2022. If adopted, the HIPAA electronic signature rule would apply to a limited number of covered transactions. However, it could subsequently be extended to apply to other types of covered transactions … Read more

Does HIPAA Apply to Pharmacies?

To answer the question does HIPAA apply to pharmacies, it is necessary to review the definitions of HIPAA Covered Entities, healthcare providers, and health care in the General Administrative Requirements of the Administrative Simplification provisions. Most people assume that HIPAA does apply to pharmacies because pharmacies have access to health information when they fill prescriptions. … Read more

What is HIPAA Compliance Software?

HIPAA compliance software provides a range of tools to help organizations achieve compliance with the Health Insurance Portability and Accountability Act (HIPAA) and maintain compliance thereafter. However, because of the complexity of HIPAA, organizations are advised to select a software solution from a vendor who also provides support, training, and guidance. Most HIPAA Covered Entities … Read more

HIPAA Training for Students

Because the HIPAA Privacy Rule defines students as members of a Covered Entity’s workforce, HIPAA training for students should be the same as that for employees. However, in many cases, students may require additional HIPAA training in order to avoid unintentional violations of HIPAA attributable to a lack of knowledge and experience. When medical students … Read more

Is Texting in Violation of HIPAA?

Under certain circumstances, texting Protected Health Information (PHI) can be deemed as a violation of HIPAA. The classification as a violation is dependent upon the message’s content and the recipient. Furthermore, the effort that the sender put into maintaining the integrity of PHI is also considered. If the PHI is well-protected, then texting may be … Read more

Why is HIPAA Important?

The Health Insurance Portability and Accountability Act (HIPAA) is an important piece of legislation, first introduced in 1996. But, why is HIPAA so important? How has HIPAA helped to improve the healthcare industry and the care given to patients? HIPAA was designed to address one issue in particular: Insurance coverage for individuals that are “between … Read more

Impact of Florida Blue Data Breach Revealed

Florida Blue, the business name of Blue Cross and Blue Shield of Florida, has recently announced that the personally identifiable information of nearly one thousand insurance applicants has been exposed online following a data breach of its network. The organisation was alerted to the exposure of patient data in late August. They immediately launched … Read more

Patient Files Stolen from Storage Facility in New Jersey

Following a break-in at a file storage facility in East Brunswick, New Jersey, the Otolaryngology Associates of Central Jersey is in the process of alerting patients to a breach of their protected health information. The files stolen included information such as names, addresses, health insurance account numbers, birth dates, dates of military service, and the … Read more

Amazon and MongoDB Announce New Security Features

Amazon Web Services has announced that new safeguards have been incorporated into its cloud storage service that reduce the probability of users misconfiguring their S3 buckets. If their S3 buckets are not configured in the correct manner, users risk accidentally leaving the data they store on the server unsecured. Amazon will sign a business associate … Read more

RBS Releases Report on Data Breach Statistics in 2017

A report covering data breaches in 2017 has recently been released by Risk Based Security (RBS). The report revealed there has been a 305% increase in the number of records exposed in data breaches compared to 2016. RBS, a provider of real-time information and risk analysis tools, analyzed breach reports from the first 9 months … Read more

Californian Wildfires Result in HIPAA Waiver

Earlier this month, the Secretary of the U.S. Department of Health and Human Services issued a limited waiver of HIPAA sanctions and penalties in California. The waiver was announced following the presidential declaration of a public health emergency in northern California due to the wildfires. This waiver is like those issued following Hurricanes Irma … Read more

Illinois Healthcare System’s Business Associate Experiences PHI Breach

Cook County Health and Hospitals System has recently alerted patients to a breach of their protected health information (PHI). The organisation consists of a health system comprising two hospitals and more than a dozen community health centers in Cook County, Illinois, and serves many patients. The breach occurred at Experian Health, a business associate of … Read more

CCDA Servers Experience Malware Attack

In August, the Catholic Charities of the Diocese of Albany (CCDA) performed a routine upgrade of its computer security software. While the technicians were working on the upgrade, they discovered that malware had been installed on one of the computer servers used by its Glens Falls office. This office serves patients in Saratoga, Warren and Washington … Read more

How Many HIPAA Violations Since 2016?

The Department of Health and Human Services’ Office for Civil Rights (OCR) has increased its enforcement operations in recent years, and 2016 HIPAA settlements were at the highest levels ever recorded. Overall, payments of $22,855,300 were submitted to the OCR during 2016 to settle alleged HIPAA breaches. Seven settlements were over the figure of $1,500,000. … Read more

ECKAAA’s Servers Attacked by Ransomware

The Ottawa-based East Central Kansas Area Agency on Aging (ECKAAA) has recently announced that it experienced a ransomware attack. The attack caused files on one of the agency’s servers to be encrypted, and thus inaccessible to the agency. They announced that the files contained the protected health information (PHI) of 8,750 patients. The attack occurred … Read more

What are the HIPAA Rules for Dentists?

Many dental offices and dental practitioners are self-contained entities. However, HIPAA rules for dentists apply to any dental office that may send claims, eligibility requests, pre-determinations, claim status inquiries or treatment authorization requests electronically. If a dental office transmits any of the above transactions directly to a payer, or uses the services of a business … Read more

Desktop Stolen from Healthcare Office Results in Breach of PHI

The Brevard Physician Associates has announced that they have experienced a breach of protected health information (PHI). They state that the breach occurred due to a desktop computer being stolen in a burglary at one of their sites. They have identified nearly 8,000 affected patients. The incident occurred on Labor Day, 2017. As the offices … Read more

Over 680 Patients Affected by TJ Samson Data Breach

An independent care provider, who provides care to patients of TJ Samson Community Hospital in South Central Kentucky, has recently been discovered to have inappropriately accessed the protected health information (PHI) of 683 patients. The data was all connected to patients of the TJ Samson Community Hospital in Glasgow, KY and the TJ Health Columbia … Read more

New WannaCry Virus Attacks FirstHealth, Carolinas

FirstHealth of the Carolinas, a Pinehurst, SC-based not-for-profit health network, has recently announced that it has experienced a data breach. They have identified the cause of this breach to be the new, rampant, WannaCry ransomware variant. WannaCry ransomware was used in worldwide attacks earlier this year. More than 230,000 computers were infected … Read more

Engine Manufacturing Company Experiences Malware Attack

Briggs Stratton Corporation, a manufacturer of lawnmower engines, has recently reported that they have experienced a breach of PHI, resulting from a malware attack. It is not obvious that the company is a HIPAA covered entity; the firm does not work in the healthcare industry and does not act as a business associate to provide … Read more

Is Dropbox HIPAA Compliant?

Dropbox is a popular file hosting service used by many organizations to share files. Dropbox claims that it has implemented measures that now make its software both HIPAA and HITECH Act compliant. However, technically no software or file sharing platform can be HIPAA compliant as its compliance depends on how the software or platform is … Read more

Email Phishing Scam Results in Healthcare Organisation Breach

Phishing (the act of obtaining sensitive information such as usernames, bank details or other private information, often for malicious reasons, by disguising as a trustworthy entity via electronic communication) has become the biggest data security threat faced by healthcare organizations. Phishing attacks commonly take the form of fake invoices and package delivery notifications, to hide their true … Read more

Protenus Breach Barometer Report Released

Protenus, an organisation dedicated to patient privacy monitoring of electronic health records, has released its Breach Barometer report. The report shows there was a significant increase in healthcare data breaches in September in comparison to previous months. The report includes healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights and … Read more

Former Texas Children’s Health Plan Employee Breaches HIPAA

Texas Children’s Health Plan has announced a breach of nearly 1,000 patients’ protected health information (PHI). The organisation said that the breach was discovered when they identified the information as having been emailed to the personal email account of a former employee. The incident was discovered on September 21, 2017, although the former employee emailed … Read more

HIV Status of Amida Care Members Revealed Through Mailing Error

Amida Care, a not-for-profit community healthcare service based in New York, has reported a HIPAA breach to the Office for Civil Rights (OCR). Their initial report reveals that the breach has affected nearly 6,250 of its patients. The organisation specializes in providing health coverage and coordinated care to Medicaid members suffering from chronic health conditions. This includes … Read more

Server Breach Affects Over 8,000 Patients at ASPC

The Advanced Spine & Pain Center (ASPC) has announced that it has experienced a potential breach and unauthorized use of patients’ protected health information. The organisation, based in San Antonio, Texas, has notified as many as 8,362 of its patients that they have been affected by the incident. ASPC became aware of a potential breach … Read more

What are the HIPAA breach notification requirements?

In 1996, the Health Insurance Portability and Accountability Act of 1996 was introduced. In the two decades since, it has proven to be one of the most important pieces of legislation to affect the healthcare industry. Despite its importance, there still exist many healthcare providers and insurers who are unaware of HIPAA obligations. It has … Read more

Stolen USBs Result in Breach of PHI

The Mann-Grandstaff VA Medical Center in Spokane, WA has announced that it has experienced a breach of PHI. The breach was a result of the theft of two USB drives, which contained the protected health information of almost 2,000 veterans. The devices were stolen on July 18, 2017 from a contract employee while on a … Read more

PHI Records Found Stored in Basement

Dr Riaz Baber, M.D., a Naperville, Illinois-based psychiatrist, has recently admitted to a breach of patient protected health information (PHI). The breach was discovered when medical files of more than 10,000 patients were found in the basement of an Aurora property by the woman who rented the house from the psychiatrist. The files had been stored … Read more

Healthcare Data Breach Report for Q3, 2017

In the third quarter of 2017 (Q3 2017), HIPAA covered entities reported 99 breaches of healthcare data, each involving more than 500 records, to the Department of Health and Human Services’ Office for Civil Rights (OCR). These figures bring the total number of data breaches reported in 2017 up to 272 incidents. The 99 … Read more

What is the best HIPAA mobile device policy?

There has been a huge rise in the number of healthcare workers and other HIPAA-covered entities relying on mobile technology in their day-to-day lives. This rise has seen an increasing use of smartphones, tablets and other portable devices in hospitals, clinics and other places of work. These technological advances have allowed for increased efficiency and … Read more

HHS Withdraws Proposed Rule Following Public Concerns

In January 2014, the Department of Health and Human Services proposed a new rule for certification of compliance for health plans to be introduced into HIPAA legislation. The rule was entitled “Certification of Compliance for Health Plans”. This rule would have required all controlling health plans (CHPs) to submit a range of documentation to HHS … Read more

What is HIPAA compliant text messaging?

Since its implementation two decades ago, there has been much ambiguity over whether the use of SMS is HIPAA compliant. Although HIPAA does not explicitly prohibit communicating Protected Health Information (PHI) by text, a system of administrative, physical and technical safeguards must be implemented to ensure the confidentiality and integrity of PHI when it is “in … Read more

Mid-Michigan Physicians Announce Data Breach

The radiology center of Mid-Michigan Physicians, managed by McLaren Medical Group, has announced today that it has experienced a breach of protected health information (PHI). They have stated that the PHI of over 100,000 patients has potentially been compromised in the breach. McLaren Medical Group announced earlier this month that the breach affected a system that stored … Read more

Is Google Drive HIPAA compliant?

Google Drive is becoming an increasingly attractive option for many companies to store information online. It is cheaper than installing costly hardware systems and IT infrastructures, and it is easy to use and train staff in using. However, despite the advantages, the question remains over whether healthcare professionals can use this technology and remain HIPAA … Read more

Lost Laptop Leaves Patients Vulnerable to Data Breach

A decommissioned laptop computer previously used by the Mann-Grandstaff VA Medical Center (MGVAMC) in Spokane, WA, has been discovered to be missing. The laptop is thought to have stored protected health information (PHI) of patients of the clinic, and its loss raises the possibility of the exposure of this sensitive patient information. The laptop was … Read more

TheDarkOverlord Makes Another Extortion Attempt

TheDarkOverlord is a hacking group that has been involved in many high-profile cases in recent months, from allegedly accessing the British Royal family’s healthcare information to accessing private user data from medical centres, schools, and even Netflix, the online streaming giant. The primary motivation for their attacks is extortion of those whose data they have stolen. … Read more

Former Employee Accessed PHI of Over 1,100 Patients “Out of Curiosity”

Our Lady of the Angels Hospital has announced the discovery of a breach of patient protected health information (PHI). The breach occurred when a former employee accessed the medical records of 1,140 patients without proper authorization to do so. In accordance with the HIPAA Breach Notification Rules, the affected patients have been informed of the … Read more

Understanding HIPAA for Dummies

HIPAA Simplified History Legislators originally proposed HIPAA in 1996 as a means of addressing the concerns regarding the privacy and security of patient healthcare information and risks brought by novel technologies. Since then, the Act has expanded into an act of legislation. Broadly, HIPAA governs health insurance fraud and tax provisions for medical savings accounts, … Read more

PHI Used for Market Research without Consent

Recently, the MS Center of Saint Louis and Mercy Clinic Neurology Town and County have announced that they have breached HIPAA regulations. Over one thousand of their patients are being informed that they may be contacted for marketing and research purposes by pharmaceutical companies and other third parties, even though they may not have given their permission … Read more

Is Skype HIPAA compliant?

Skype has been increasingly used by businesses as a quick and cost-effective form of communication. However, the question remains whether Skype can be used by healthcare professionals in a manner which allows them to send text messages containing electronic protected health information (ePHI) without risking violating the HIPAA Rules. There exists some ambiguity surrounding Skype and … Read more

HHS Announces Third Hurricane-Related HIPAA Waiver This Year

In response to the devastating Hurricanes Harvey and Irma that hit the United States earlier this year, the U.S. Department of Health and Human Services issued two partial waivers of HIPAA sanctions and penalties in areas affected. Now, following Hurricane Maria’s wreckage of Puerto Rico and the U.S. Virgin Islands, the government department has issued … Read more

Former Hospital Employee Breaches HIPAA by Emailing PHI

Yolanda Farrar, a former employee of the Arkansas Department of Human Services (DHS), has been fired from her position at the state hospital for breaching HIPAA legislation in March 2017. She was discovered to have emailed spreadsheets containing the protected health information of patients to a personal email account. Yolanda Farrar worked as a payment integrity coding analyst … Read more

What happens after an accidental HIPAA violation?

It is in the interest of HIPAA covered entities, business associates, and healthcare employees to take great care to ensure HIPAA Rules are not violated, lest they incur huge fines and possible criminal prosecution. But in the event of an accidental HIPAA violation, what is the best manner for covered entities and their … Read more

What are the HIPAA Compliance Rules for Cloud Applications?

The “cloud” (a network of servers used for data storage) has seen widespread use in recent years. It offers a convenient and flexible way for organisations, including healthcare providers and other covered entities, to store files, in comparison to traditional data storage methods. However, before healthcare organisations can make use of these benefits, the question of whether it is possible … Read more

Hospital Staff Who Shared Photos of a Patient’s Injuries Guilty of Privacy Violations

The University of Pittsburgh Medical Center’s Bedford Memorial hospital has announced that an incident occurred at the facility which was in violation of HIPAA legislation. The incident, in which photographs and videos of a patient’s genitals were taken by hospital staff, occurred in late December 2016. This media was shared with other individuals, including those … Read more

AHA Responds to Increased Regulations on Hospitals

The American Hospital Association (AHA) recently sent an open letter to the House Ways and Means Health Subcommittee, in which they suggested several steps that Congress can take to immediately reduce the regulatory burden on hospitals and health systems. In the letter, the AHA states the regulatory burden on hospitals and health systems is “substantial … Read more

Partial Waiver of HIPAA Privacy Rule Penalties Issued Following Hurricane Harvey

The Department of Health and Human Services has issued a waiver of sanctions and penalties for violations of HIPAA’s Privacy Rule in the Hurricane Harvey disaster zone. It is often difficult for hospitals to comply with all HIPAA Privacy Rule requirements following a natural disaster. Furthermore, following such limitations can potentially have a negative impact on … Read more

What is the HIPAA Breach Notification Rule?

In 1996, the Health Insurance Portability and Accountability Act was introduced into US law. In the time since, it has proven to be one of the most important pieces of legislation to affect the healthcare industry, with widespread influence. Despite its importance, many healthcare providers and insurers are still unaware of HIPAA rules, and as a … Read more

Delaware Updates Breach Notification Law

Delaware has amended its data breach notification law by introducing some of the strictest requirements of any state. It is the first time in a decade that any change has been made to the law. According to the update, any ‘person’ operating in the state of Delaware must now notify individuals of the exposure or … Read more

What are the most common HIPAA violations?

The Department of Health and Human Services has recently released data revealing the frequency of the most common types of HIPAA violations. The report concerned itself with HIPAA violations that have resulted in financial penalties against the covered entity. The five most common HIPAA violations of this type are: • failure to perform … Read more

Salina Family Healthcare Reports Ransomware Attack

Salina Family Healthcare, based in Kansas, has announced that they were subjected to a ransomware attack earlier this year. They stated that the ransomware was installed on servers and workstations at their offices, resulting in the encryption of their patients’ protected health information (PHI). The healthcare organisation expressed uncertainty as to whether the PHI had … Read more

Jessie’s Law Passed by U.S. Senate

Senators Joe Manchin and Shelley Moore Capito, both of West Virginia, have announced that Jessie’s Law has been passed by the Senate. The legislation was designed to ensure doctors are provided with details of a patient’s previous substance abuse history if the patient has provided consent for the information to be shared. The bill will … Read more

How do you report a HIPAA violation?

It is the responsibility of HIPAA covered entities to ensure that their employees know the correct procedures for reporting a HIPAA violation. It is then the responsibility of the privacy officers of the organisation to make a judgement whether the incident should be directed to the Department of Health and Human Services’ Office for Civil … Read more

OCR Data Breach Portal Updated

In June 2017, the Department of Health and Human Services (HHS) confirmed it was contemplating updating its data breach portal. This section is commonly referred to as the OCR ‘Wall of Shame’, as all data breaches which have involved 500+ records are listed on the breach portal. This list is maintained due to section 13402(e)(4) … Read more

Nearly 300,000 Patients Affected by Ransomware Attack

Women’s Health Care Group of Pennsylvania has announced that they have been subject to a data breach. The organisation states that the breach was noticed in May, and they have notified nearly 300,000 patients that some of their sensitive protected health information has been compromised. The group is one of the largest healthcare networks in … Read more

OCR’s “Wall of Shame” Under Scrutiny

The Office for Civil Rights’ “Wall of Shame” was established in December 2009. This data portal contained summaries of healthcare data breaches published on the website by OCR. The list only provides a short synopsis of data breaches that involved more than 500 documents. The information includes the name of the covered entity, the state … Read more

Mississippi DOM Breaches HIPAA due to Email Error

Earlier this month, the Mississippi Division of Medicaid (DOM) announced that over 5,000 Medicaid recipients have had some of their protected health information (PHI) exposed. They stated that the breach occurred via email because of an error with an online form service. DOM discovered that the online form service was sending emails containing PHI to … Read more

Data on Most Common Types of PHI Breach Released

The Department of Health and Human Services has recently released data revealing the frequency of the most common types of HIPAA violations. The report concerned itself with HIPAA violations that have resulted in financial penalties against the covered entity. The five most common HIPAA violations of this type are: • failure to perform … Read more

Healthcare Employee Subject to Investigation by DA’s Office

In addition to having their employment contract terminated, healthcare employees who have been identified as improperly accessing the medical records of patients are also likely to face a criminal investigation into their conduct because of breaching HIPAA rules. This is regardless of the reason why they accessed the medical data in the first place. A … Read more

HITRUST Common Security Framework Updates

The Health Information Trust Alliance (HITRUST) is the most widely adopted privacy and security framework in the United States. Earlier this month, it announced that it has updated the HITRUST common security framework (CSF). Furthermore, they also launched a new CSF initiative specifically designed to aid small healthcare organizations protect their PHI against cyberattacks and … Read more

New Secretary of HHS and HIPAA Changes

On February 10, 2017, Tom Price was appointed as Secretary of the Department of Health and Human Services. He has replaced Sylvia Mathews Burwell, who held the post for three years. The change in leadership could see a major change in focus at the HHS, which may extend to the HIPAA enforcement activities … Read more

HIPAA Privacy Rule Updated to Clear Ambiguity

After calls from healthcare professionals to clear the ambiguity surrounding allowable disclosures of protected health information to spouses, relatives, and patients’ loved ones, the Department of Health and Human Services’ Office for Civil Rights has updated its HIPAA Privacy Rule guidance surrounding these issues. Most healthcare professionals are aware that the HIPAA Privacy Rule permits … Read more